[Snort-users] Bug in 2.9.6.2???

Joel Esler (jesler) jesler at ...589...
Wed Aug 27 14:55:35 EDT 2014


Cc’ing Snort-devel


On Aug 27, 2014, at 2:24 PM, Starner, Mark <mark.starner at ...5850...> wrote:

A rule (ET Rule 2012647) has the following threshold in the rule:  threshold: type limit, count 1, seconds 300, track by_src

Prior to upgrading to 2.9.6.2, this worked as expected, one alert every 5 minutes.
Since upgrading to 2.9.6.2 on 8/15, now we are seeing the behavior where the rule will fire, wait 5 minutes, then fire again, and again and again.

But, it doesn’t start out this way. After a restart of Snort (STOP and START) it is fine, it alerts once every 5 minutes, for a while, and then at some point during the day, it will start reporting all alerts, until snort is STOPped and STARTed. Then it goes back to the proper behavior. (A Kill -HUP of the snort process does NOT reset to the proper behavior, only a STOP/START temporarily fixes it).

Anyone else see this or have any suggestions?

Is this a Bug in 2.9.6.2???



Mark Starner  | Global Infrastructure - Systems  |  Unisys IT

Unisys  |  443-921-0355
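
To pin down when the thresholding stops being honoured, the alert timestamps for the rule can be checked against what `threshold: type limit, count 1, seconds 300, track by_src` should allow. This is an added example, not part of the original post and not Snort code; the function names, the sample alerts and the fixed-window model (a window opens at a source's first alert and reopens at the first alert 300 or more seconds later) are assumptions.

```python
from collections import defaultdict
from datetime import datetime


def at(hms, day="2014-08-27"):
    """Build a datetime for the constructed sample data below."""
    return datetime.strptime(f"{day} {hms}", "%Y-%m-%d %H:%M:%S")


def limit_violations(alerts, count=1, seconds=300):
    """Return the alerts a 'type limit, track by_src' threshold should have hidden.

    alerts: iterable of (datetime, src_ip) for ONE rule, in any order.
    Assumed model: per-source fixed window, restarted by the first alert
    that arrives once `seconds` have elapsed since the window opened.
    """
    window_start = {}          # src_ip -> datetime the current window opened
    seen = defaultdict(int)    # src_ip -> alerts counted in the current window
    violations = []
    for ts, src in sorted(alerts):
        start = window_start.get(src)
        if start is None or (ts - start).total_seconds() >= seconds:
            window_start[src] = ts   # new window for this source
            seen[src] = 0
        seen[src] += 1
        if seen[src] > count:        # more than `count` alerts in one window
            violations.append((ts, src))
    return violations


def first_violation(alerts, **kw):
    """Time of the earliest alert that should have been suppressed, or None."""
    v = limit_violations(alerts, **kw)
    return v[0][0] if v else None


# Constructed sample: healthy in the morning, unthrottled after 13:00.
SAMPLE = [
    (at("09:00:00"), "10.0.0.5"), (at("09:05:10"), "10.0.0.5"),
    (at("09:10:30"), "10.0.0.5"), (at("13:00:00"), "10.0.0.5"),
    (at("13:00:10"), "10.0.0.9"),  # different source, tracked separately
    (at("13:00:20"), "10.0.0.5"), (at("13:01:05"), "10.0.0.5"),
    (at("13:05:30"), "10.0.0.5"),
]

if __name__ == "__main__":
    for ts, src in limit_violations(SAMPLE):
        print(f"not suppressed: {ts} {src}")
    print("thresholding first failed at:", first_violation(SAMPLE))
```

The time of the first violation is the point to correlate with whatever else happened to the Snort process that day.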




