[Snort-users] threshold.conf not working?

Miguel Alvarez miguellvrz9 at ...11827...
Mon Sep 10 13:23:56 EDT 2012


On Mon, Sep 10, 2012 at 7:09 PM, James Lay <jlay at ...13475...> wrote:
> On 2012-09-10 11:01, Miguel Alvarez wrote:
>> I noticed today that I had received over 25000 '[125:6:1] ftp_pp: FTP
>> response length overflow' alerts but I have an existing entry in my
>> threshold.conf that I thought would stop that from happening.  This is
>> what I have.  Is there anything wrong with this?
>>
>> event_filter gen_id 6, sig_id 125, type limit, track by_src, count 1,
>> seconds 300
>>
>> But they were coming in multiple times per second:
>>
>> 09/10-09:45:29.334173  [**] [125:6:1] ftp_pp: FTP response length
>> overflow [**] [Classification: Attempted User Privilege Gain]
>> [Priority: 1] {TCP} 192.168.5.104:2100 -> 192.168.232.36:2765
>
> Reverse your gen and sig and you're good:
>
>
> event_filter gen_id 125, sig_id 6, type limit, track by_src, count 1,
> seconds 300

Oh yes, stupid me!  Thanks guys!
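The mistake above (gen_id and sig_id transposed, so the filter never matches the [125:6:1] events Snort actually emits) is easy to catch mechanically. The script below is an added example written for this thread, not code from the original post or from the Snort project. It parses event_filter lines and alerts in Snort's fast-alert format, lists filters whose gen_id:sig_id pair never appears in the alert log, and simulates the limit / threshold / both semantics from the Snort manual (limit: first `count` events per `seconds` window; threshold: every `count`-th event; both: once per window on the `count`-th event) so you can see how many of a burst of alerts a given entry would let through. The alert lines are constructed to look like the one quoted in the thread; the helper names (`parse_filter`, `apply_filter`, `unmatched_filters`) are my own.

```python
"""Check Snort threshold.conf / event_filter entries against alert lines.

Added example for this thread, not the poster's or the Snort project's code.
"""
import re
from datetime import datetime

# Constructed: the poster's original (swapped) entry and the corrected one.
FILTER_SWAPPED = "event_filter gen_id 6, sig_id 125, type limit, track by_src, count 1, seconds 300"
FILTER_FIXED = "event_filter gen_id 125, sig_id 6, type limit, track by_src, count 1, seconds 300"

FILTER_RE = re.compile(r"^\s*(?:event_filter|threshold)\s+(.+?)\s*$")
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s*$"
)
EPOCH = datetime(1900, 1, 1)  # strptime's default year; only relative time matters here


def make_alert(ts, src="192.168.5.104"):
    """Constructed alert line in Snort's fast format, shaped like the one in the post."""
    return (f"{ts}  [**] [125:6:1] ftp_pp: FTP response length overflow [**] "
            f"[Classification: Attempted User Privilege Gain] [Priority: 1] "
            f"{{TCP}} {src}:2100 -> 192.168.232.36:2765")


# Constructed sample: eight alerts one second apart from one host, one from a
# second host, and one from the first host well outside the 300 s window.
ALERTS = ([make_alert(f"09/10-09:45:{29 + i:02d}.334173") for i in range(8)]
          + [make_alert("09/10-09:45:30.000000", src="192.168.5.105"),
             make_alert("09/10-09:51:00.000000")])


def parse_filter(line):
    """Parse 'event_filter gen_id N, sig_id N, type T, track K, count C, seconds S'."""
    m = FILTER_RE.match(line)
    if not m:
        raise ValueError(f"not an event_filter/threshold line: {line!r}")
    f = dict(part.split() for part in m.group(1).split(","))
    return {"gen_id": int(f["gen_id"]), "sig_id": int(f["sig_id"]), "type": f["type"],
            "track": f["track"], "count": int(f["count"]), "seconds": int(f["seconds"])}


def parse_alert(line):
    """Parse a fast-format alert line into its fields plus a relative time in seconds."""
    m = ALERT_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised alert line: {line!r}")
    a = m.groupdict()
    for k in ("gid", "sid", "rev", "sport", "dport"):
        a[k] = int(a[k])
    a["t"] = (datetime.strptime(a["ts"], "%m/%d-%H:%M:%S.%f") - EPOCH).total_seconds()
    return a


def matches(flt, alert):
    """A filter applies only when gen_id and sig_id both equal the alert's [gid:sid]."""
    return flt["gen_id"] == alert["gid"] and flt["sig_id"] == alert["sid"]


def unmatched_filters(filter_lines, alert_lines):
    """Filters whose gen_id:sig_id never appears in the alerts.

    A transposed gen_id/sig_id lands here, since Snort never emits [6:125:x]."""
    seen = {(a["gid"], a["sid"]) for a in map(parse_alert, alert_lines)}
    out = []
    for line in filter_lines:
        flt = parse_filter(line)
        if (flt["gen_id"], flt["sig_id"]) not in seen:
            out.append(line)
    return out


def apply_filter(filter_line, alert_lines):
    """Return the alert lines Snort would still log under this filter.

    limit: log the first `count` events per `seconds` window, then drop the rest.
    threshold: log every `count`-th event within the window.
    both: log once per window, on the `count`-th event.
    Windows are kept per source or destination IP according to `track`.
    """
    flt = parse_filter(filter_line)
    state = {}  # track key -> [window_start, events_seen_in_window]
    logged = []
    for line in sorted(alert_lines, key=lambda l: parse_alert(l)["t"]):
        a = parse_alert(line)
        if not matches(flt, a):
            logged.append(line)  # filter does not apply; the alert passes untouched
            continue
        key = a["src"] if flt["track"] == "by_src" else a["dst"]
        st = state.get(key)
        if st is None or a["t"] - st[0] >= flt["seconds"]:
            st = state[key] = [a["t"], 0]  # start a new window for this host
        st[1] += 1
        n, m = st[1], flt["count"]
        if ((flt["type"] == "limit" and n <= m)
                or (flt["type"] == "threshold" and n % m == 0)
                or (flt["type"] == "both" and n == m)):
            logged.append(line)
    return logged


if __name__ == "__main__":
    for name, fl in (("swapped", FILTER_SWAPPED), ("fixed", FILTER_FIXED)):
        print(f"{name}: {len(apply_filter(fl, ALERTS))} of {len(ALERTS)} alerts still logged")
    print("filters matching no observed gid:sid:",
          unmatched_filters([FILTER_SWAPPED, FILTER_FIXED], ALERTS))
```

Run against the constructed sample, the swapped entry leaves all ten alerts logged and is reported as matching no observed gid:sid, while the corrected entry lets through three: the first alert from each source host, plus the one from 192.168.5.104 that falls outside the 300 second window. Pointing `ALERTS` at real lines from a fast-alert log and `FILTER_*` at the entries in threshold.conf gives the same sanity check on a live sensor.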
