[Snort-users] Bug in

Starner, Mark mark.starner at ...5850...
Wed Aug 27 14:24:27 EDT 2014

A rule (ET Rule 2012647) has the following threshold in the rule:
threshold: type limit, count 1, seconds 300, track by_src


Prior to upgrading to, this worked as expected, one alert every 5

Since upgrading to on 8/15, now we are seeing the behavior where the
rule will fire, wait 5 minutes, then fire again, and again and again.


But, it doesn't start out this way. After a restart of Snort (STOP and
START) it is fine, it alerts once every 5 minutes, for a while, and then at
some point during the day, it will start reporting all alerts, until snort
is STOPped and STARTed. Then it goes back to the proper behavior. (A Kill
-HUP of the snort process does NOT reset  to the proper behavior, only a
STOP/START temporarily fixes it).


Anyone else see this or have any suggestions?


Is this a Bug in



Mark Starner  | Global Infrastructure - Systems  |  Unisys IT

Unisys  |  443-921-0355 


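An added example, not part of the original post: one way to pin down when the suppression stopped working is to scan the alert log for alerts on the rule that arrive from the same source less than 300 seconds after the previous one, which `type limit, count 1, seconds 300, track by_src` should never allow. The sketch assumes Snort's "fast" alert line layout with no year in the timestamp and IPv4 sources; the function name, the sample lines and the year are constructed for illustration.

```python
import re
from datetime import datetime

# Assumed "fast" alert layout:
# MM/DD-HH:MM:SS.usec [**] [gid:sid:rev] msg [**] ... {PROTO} src:port -> dst:port
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+\[\d+:(?P<sid>\d+):\d+\]"
    r".*\{\w+\}\s+(?P<src>[^\s:]+)(?::\d+)?\s+->"
)

def find_limit_violations(lines, sid=2012647, seconds=300, year=2014):
    """Return (src, previous_time, this_time) for each alert logged less than
    `seconds` after the previous alert for the same sid and source address."""
    last_seen = {}   # src -> time of the last logged alert for this sid
    violations = []
    for line in lines:
        m = ALERT_RE.match(line)
        if not m or int(m.group("sid")) != sid:
            continue
        # Fast alerts carry no year, so the caller supplies one (assumption).
        ts = datetime.strptime(f"{year}/{m.group('ts')}", "%Y/%m/%d-%H:%M:%S.%f")
        src = m.group("src")
        prev = last_seen.get(src)
        if prev is not None and (ts - prev).total_seconds() < seconds:
            violations.append((src, prev, ts))
        last_seen[src] = ts
    return violations

# Constructed sample: correct limiting in the morning, every alert logged later.
_FMT = ("08/27-{t}.000000  [**] [1:2012647:1] constructed msg [**] "
        "[Priority: 1] {{TCP}} {src}:49152 -> 192.0.2.10:443")
SAMPLE = [_FMT.format(t=t, src=s) for t, s in [
    ("09:00:00", "10.0.0.5"), ("09:05:01", "10.0.0.5"), ("09:05:30", "10.0.0.9"),
    ("13:10:00", "10.0.0.5"), ("13:10:04", "10.0.0.5"), ("13:10:09", "10.0.0.5"),
]]

if __name__ == "__main__":
    for src, prev, ts in find_limit_violations(SAMPLE):
        gap = (ts - prev).total_seconds()
        print(f"{ts} src={src} alerted {gap:.0f}s after previous alert")
```

The timestamp of the first reported violation marks where the limit stopped being applied, which can then be compared against Snort restarts, reloads and rule updates.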



