[Snort-users] How to threshold ALL sigs
wkitty42 at ...14940...
Wed May 28 22:34:05 EDT 2014
On 5/28/2014 3:48 PM, Jefferson, Shawn wrote:
> Yes, but that doesn't work for a SRC<->DEST type suppression. You can only
> make Snort blind to ALL things from that IP. You need to use BPF to do a
> SRC<->DEST suppression (basically not sending that traffic to snort at all.)
no ya don't ;) you've forgotten about "detection_filter" which is what the old
in-rule thresholding is now called...
eg:
alert tcp $HOME_NET 21 -> $EXTERNAL_NET any (msg:"LOCAL.RULES FTP Brute-Force login attempt (1) -- BLOCKED DESTINATION"; flow:from_server,established; dsize:<100; content:"530 "; depth:4; detection_filter: track by_dst, count 5, seconds 300; sid:100000001; rev:5;)
NOTE: No off-list assistance is given without prior approval.
Please *keep mailing list traffic on the list* unless
private contact is specifically requested and granted.
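Added example, not part of the thread and not Snort's own code: a small Python model of how the detection_filter option in the rule above counts matches per tracked address. The fixed-window semantics (the window opens at the first match for an address, and the rule alerts on every match beyond `count` within `seconds`) and the sample "530" responses are assumptions constructed for this illustration.

```python
# Constructed model of Snort's detection_filter rule option (assumption:
# fixed window anchored at the first match for a tracked address).
class DetectionFilter:
    def __init__(self, track, count, seconds):
        self.track = track          # "by_src" or "by_dst"
        self.count = count          # matches allowed before alerting
        self.seconds = seconds      # length of the counting window
        self.state = {}             # address -> (window_start, matches)

    def key(self, src, dst):
        # detection_filter tracks one address, never the src<->dst pair
        return src if self.track == "by_src" else dst

    def match(self, ts, src, dst):
        """Feed one rule match; return True when the filter lets it alert."""
        k = self.key(src, dst)
        start, n = self.state.get(k, (ts, 0))
        if ts - start >= self.seconds:   # window expired: open a new one
            start, n = ts, 0
        n += 1
        self.state[k] = (start, n)
        return n > self.count            # alert only past the threshold


def simulate(events, track="by_dst", count=5, seconds=300):
    """Run (timestamp, src, dst) matches through the filter in time order
    and return the timestamps on which the rule would alert."""
    df = DetectionFilter(track, count, seconds)
    return [ts for ts, s, d in sorted(events) if df.match(ts, s, d)]


# Constructed sample: FTP server 10.0.0.5 (port 21, from_server) returns
# "530" to two clients; seven replies to one client inside 300 s, three to
# the other, then one more to the first client after the window expired.
SAMPLE = (
    [(t, "10.0.0.5", "198.51.100.7") for t in range(0, 70, 10)]
    + [(t, "10.0.0.5", "203.0.113.9") for t in (5, 15, 25)]
    + [(400, "10.0.0.5", "198.51.100.7")]
)

if __name__ == "__main__":
    # by_dst, count 5, seconds 300 (as in the rule above): alerts on the
    # 6th and 7th reply to 198.51.100.7 only -> [50, 60]
    print("by_dst:", simulate(SAMPLE))
    # by_src would lump both clients under the server address -> 5 alerts
    print("by_src:", simulate(SAMPLE, track="by_src"))
```

Comparing the two runs shows why the tracking key matters: by_dst keeps each external client's count separate, while by_src counts every "530" the server sends regardless of client.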