[Snort-users] Bug in 2.9.6.2???

Starner, Mark mark.starner at ...5850...
Wed Aug 27 14:24:27 EDT 2014


A rule (ET Rule 2012647) has the following threshold in the rule:
threshold: type limit, count 1, seconds 300, track by_src

Prior to upgrading to 2.9.6.2, this worked as expected, one alert every 5
minutes.

Since upgrading to 2.9.6.2 on 8/15, now we are seeing the behavior where the
rule will fire, wait 5 minutes, then fire again, and again and again.

But, it doesn't start out this way. After a restart of Snort (STOP and
START) it is fine, it alerts once every 5 minutes, for a while, and then at
some point during the day, it will start reporting all alerts, until Snort
is STOPped and STARTed. Then it goes back to the proper behavior. (A
kill -HUP of the Snort process does NOT reset to the proper behavior, only a
STOP/START temporarily fixes it).

Anyone else see this or have any suggestions?

Is this a Bug in 2.9.6.2???

Mark Starner  | Global Infrastructure - Systems  |  Unisys IT
Unisys  |  443-921-0355

 
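Added example (not part of the original post, and not Snort code): one way to pin down when the limit stops being applied is to replay the alert log against the threshold quoted above and list every alert that should have been suppressed. It assumes Snort's "fast" alert line format, IPv4 sources, a year supplied by the caller (fast timestamps carry none), and a window that opens at the first alert from a source; the log lines are constructed, with placeholder message, rev and priority.

```python
import re
from datetime import datetime

# Fast alert line: MM/DD-HH:MM:SS.usec [**] [gid:sid:rev] msg [**] ... {PROTO} src:port -> dst:port
FAST = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[\d+:(?P<sid>\d+):\d+\].*?\{\w+\}\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?::\d+)?\s+->"
)

def limit_violations(lines, sid, count=1, seconds=300, year=2014):
    """Return (src, timestamp, seconds_into_window) for each alert that
    'threshold: type limit, track by_src' should have suppressed."""
    window = {}  # src -> (window_start, alerts_seen_in_window)
    bad = []
    for line in lines:
        m = FAST.match(line)
        if not m or int(m["sid"]) != sid:
            continue  # unparsable line or a different rule
        ts = datetime.strptime(f"{year}/{m['ts']}", "%Y/%m/%d-%H:%M:%S.%f")
        start, seen = window.get(m["src"], (None, 0))
        if start is None or (ts - start).total_seconds() >= seconds:
            window[m["src"]] = (ts, 1)          # interval expired: new window
        elif seen < count:
            window[m["src"]] = (start, seen + 1)  # still within the allowed count
        else:
            bad.append((m["src"], ts, (ts - start).total_seconds()))
    return bad

def sample_line(hms, src, sid=2012647):
    # Constructed log line; message, rev, priority and addresses are placeholders.
    return (f"08/27-{hms}.000000  [**] [1:{sid}:0] <rule msg> [**] "
            f"[Priority: 0] {{TCP}} {src}:50000 -> 198.51.100.7:443")

SAMPLE = [
    sample_line("09:00:00", "192.0.2.10"),
    sample_line("09:05:01", "192.0.2.10"),               # new window, expected
    sample_line("09:05:30", "192.0.2.10"),               # 29 s into window: should be suppressed
    sample_line("09:05:40", "192.0.2.20"),               # different source, own window
    sample_line("09:06:00", "192.0.2.10", sid=2000001),  # other rule, ignored
    sample_line("09:06:10", "192.0.2.10"),               # 69 s into window: should be suppressed
]

if __name__ == "__main__":
    for src, ts, gap in limit_violations(SAMPLE, sid=2012647):
        print(f"{ts:%m/%d %H:%M:%S} {src} alerted {gap:.0f}s into a 300s window")
```

The timestamp of the first entry returned marks where suppression stopped, which can be lined up against reloads or other events in the Snort log.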