[Snort-users] [sonrt-user]About rule options

Mayur Patil ram.nath241089 at ...11827...
Thu Sep 26 06:52:06 EDT 2013


Hello Joel Sir,

    I have looked for your solution, but when I am generating rules by
parsing through the rule generator I am getting an error.

    I want to use count, seconds to detect a DoS attack.

    The following example parses effectively:

   alert tcp 10.1.1.4 any -> 10.1.1.1 any (msg:"RAM"; content:"TAGMYPACKETS"; classtype:attempted-dos; flow:to_server,established; sid:100001; rev:1; )

    but if I add count, seconds it does not work. I also tried with the *tag* option.

   alert tcp 10.1.1.4 any -> 10.1.1.1 any (msg:"RAM"; content:"TAGMYPACKETS"; classtype:attempted-dos; flow:to_server,established; sid:100001; rev:1; count:50; seconds:1)

Please help me to solve this problem !!

Seeking for guidance

Thanks !!


P.S.: I have also searched through the Snort Manual but did not get a hint.
--
Cheers,
Mayur.
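
Added example, not part of the original post: in Snort 2.x, count and seconds are not standalone rule options but arguments of detection_filter (a rate condition inside the rule) or of event_filter (alert rate limiting in the configuration). It assumes a Snort 2.x release with detection_filter support; track by_src and the event_filter values are illustrative choices.

```snort
# Rejected by the parser: "count" and "seconds" are not rule options.
#   ... sid:100001; rev:1; count:50; seconds:1)

# Rate condition inside the rule: alert only on matches beyond the first
# 50 from one source IP within 1 second. "track by_src" is an assumed
# choice; use by_dst to count per destination instead.
alert tcp 10.1.1.4 any -> 10.1.1.1 any (msg:"RAM"; \
    flow:to_server,established; content:"TAGMYPACKETS"; \
    detection_filter:track by_src, count 50, seconds 1; \
    classtype:attempted-dos; sid:100001; rev:1;)

# Optional, in snort.conf or threshold.conf (not inside the rule): cap the
# alerts this rule logs to one per source per 60 seconds (illustrative values).
event_filter gen_id 1, sig_id 100001, type limit, track by_src, count 1, seconds 60
```

Only one detection_filter is permitted per rule, and Snort evaluates it after all other options in the rule have matched.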