[Snort-users] global threshold does not work on certain file-identity rules

Clement Chen plutochen2010 at ...11827...
Wed Feb 20 16:30:50 EST 2013


Hi all,

It seems to me that the global threshold does not work on certain FILE-IDENTIFY
rules. For example, I have the global threshold set as follows:

+-----------------------[event-filter-global]----------------------------------
| gen-id=global sig-id=global type=Both      tracking=src count=1 seconds=180


However, the alert "FILE-IDENTIFY download of executable content" (gid 1,
sid 11192) still shows up many times in a minute. I also found that other
FILE-IDENTIFY rules have the same issue.


The following is the rule:

alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any
(msg:"FILE-IDENTIFY download of executable content";
flow:to_client,established; content:"application/octet-stream";
fast_pattern; nocase; http_header;
pcre:"/^Content-Type\x3a[\x20\x09]+application\/octet-stream/smiH";
file_data; content:"MZ"; within:2; flowbits:set,file.exe;
metadata:service http, service imap, service pop3;
reference:url,www.microsoft.com/smallbusiness/resources/technology/security/practice_safe_computing_and_thwart_online_thugs.mspx;
classtype:policy-violation; sid:11192; rev:13;)


Is anyone noticing the same problem? I am using Snort 2.9.

Thanks.

Clement
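The event-filter semantics at issue, as an added example that is not part of the original post and not Snort's own code: a small Python model of how a Snort 2.9 event_filter (type limit, threshold or both; track by_src or by_dst) decides whether an alert is logged, run over constructed alerts for gid 1, sid 11192. The snort.conf line in GLOBAL_FILTER_LINE is the documented event_filter syntax for the global filter shown in the post (gen_id 0, sig_id 0); the sample IP addresses, timestamps and the exact window-boundary test (an event at or past `seconds` from the window start opens a new window) are assumptions of this model. Two things it makes visible. First, track by_src keys the counter on the source IP of the packet that triggered the alert; for a flow:to_client rule that is the remote server, so every distinct download server gets its own 180-second window and one alert from each of them passes the filter. Second, per the Snort manual a global event_filter does not override a rule-specific event_filter or a threshold inside the rule, which is worth checking before concluding that the global filter is being ignored.

```python
"""Model of Snort 2.9 event_filter decisions (added example, not Snort code)."""
import re

# Constructed snort.conf equivalent of the post's [event-filter-global] block.
# gen_id 0 / sig_id 0 makes it the global filter (documented Snort syntax).
GLOBAL_FILTER_LINE = ("event_filter gen_id 0, sig_id 0, type both, "
                      "track by_src, count 1, seconds 180")


def parse_event_filter(line):
    """Parse one event_filter config line into a dict of typed options."""
    m = re.match(r"\s*event_filter\s+(.*)$", line)
    if not m:
        raise ValueError("not an event_filter line: %r" % line)
    opts = {}
    for field in m.group(1).split(","):
        key, value = field.split()
        opts[key] = value
    for k in ("gen_id", "sig_id", "type", "track", "count", "seconds"):
        if k not in opts:
            raise ValueError("event_filter is missing %s" % k)
    if opts["type"] not in ("limit", "threshold", "both"):
        raise ValueError("unknown type %s" % opts["type"])
    if opts["track"] not in ("by_src", "by_dst"):
        raise ValueError("unknown track %s" % opts["track"])
    return {"gen_id": int(opts["gen_id"]), "sig_id": int(opts["sig_id"]),
            "type": opts["type"], "track": opts["track"],
            "count": int(opts["count"]), "seconds": int(opts["seconds"])}


class EventFilter:
    """Per (gid, sid, tracked IP) window state, following the manual's
    description: limit logs the first N per window, threshold logs every
    Nth, both logs once per window when N is reached."""

    def __init__(self, spec):
        self.spec = spec
        self.state = {}  # (gid, sid, ip) -> (window_start, count)

    def applies(self, gid, sid):
        g, s = self.spec["gen_id"], self.spec["sig_id"]
        return (g == 0 or g == gid) and (s == 0 or s == sid)

    def allow(self, gid, sid, src, dst, t):
        """Return True if the alert raised at time t should be logged."""
        if not self.applies(gid, sid):
            return True
        ip = src if self.spec["track"] == "by_src" else dst
        key = (gid, sid, ip)
        start, n = self.state.get(key, (None, 0))
        # Assumption of the model: an event `seconds` or more after the
        # window start opens a fresh window and restarts the count.
        if start is None or t - start >= self.spec["seconds"]:
            start, n = t, 0
        n += 1
        kind, count = self.spec["type"], self.spec["count"]
        if kind == "limit":
            allow = n <= count
        elif kind == "threshold":
            allow = n >= count
            if allow:
                n = 0  # threshold restarts its count each time it fires
        else:  # both
            allow = n == count
        self.state[key] = (start, n)
        return allow


def apply_filter(spec, alerts):
    """Return the alerts that survive the filter, in arrival order."""
    f = EventFilter(spec)
    return [a for a in alerts if f.allow(*a)]


# Constructed sample alerts: (gid, sid, src, dst, seconds since start).
# The rule is flow:to_client, so src is the web server, dst the client.
SAMPLE_ALERTS = [
    (1, 11192, "203.0.113.5", "10.0.0.7", 0),
    (1, 11192, "198.51.100.9", "10.0.0.7", 15),
    (1, 11192, "203.0.113.5", "10.0.0.7", 30),
    (1, 11192, "203.0.113.5", "10.0.0.7", 60),
    (1, 11192, "203.0.113.5", "10.0.0.7", 200),
    (1, 11192, "198.51.100.9", "10.0.0.7", 210),
]

if __name__ == "__main__":
    spec = parse_event_filter(GLOBAL_FILTER_LINE)
    for track in ("by_src", "by_dst"):
        kept = apply_filter(dict(spec, track=track), SAMPLE_ALERTS)
        print(track, "logs alerts at t =", [a[4] for a in kept])
```

Running it with the post's settings keeps four of the six alerts when tracking by_src (one per server per window) but only two when tracking by_dst (one per client per window), which is the kind of difference that looks like "the threshold is not working" when many distinct servers serve the downloads.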