[Snort-users] Need help about Snort - rate_filter

Jack Chuong jack.chuong at ...17034...
Tue Nov 25 02:40:17 EST 2014


Hi all,
I'm a Snort newbie. I read the manual and installed Snort 2.9.7.0 on CentOS 6.4 64-bit successfully. This is my test rule:

/etc/snort/rules/local.rules
alert icmp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ICMP test"; sid:10000001; rev:001;)

It works fine. This is the Snort alert log when I ping from my Windows client to the CentOS server:

11/24-14:52:44.452832  [**] [1:10000001:1]  <eth1> ICMP test [**] [Priority: 0] {ICMP} 192.168.14.177 -> 192.168.30.111
11/24-14:52:45.453391  [**] [1:10000001:1]  <eth1> ICMP test [**] [Priority: 0] {ICMP} 192.168.14.177 -> 192.168.30.111
11/24-14:52:46.455391  [**] [1:10000001:1]  <eth1> ICMP test [**] [Priority: 0] {ICMP} 192.168.14.177 -> 192.168.30.111
11/24-14:52:47.457442  [**] [1:10000001:1]  <eth1> ICMP test [**] [Priority: 0] {ICMP} 192.168.14.177 -> 192.168.30.111

Now I want to apply a rate_filter to my test rule to drop ICMP packets if they exceed a limit (over 10 packets/s, for example):

/etc/snort/rules/local.rules
alert icmp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ICMP test"; sid:10000001; rev:001;)
rate_filter gen_id 1, sig_id 1000001, track by_src, count 1, seconds 10, new_action sdrop, timeout 30

But it does not work: ICMP packets from my Windows client are not dropped, and my client can ping the CentOS server regularly (ping -t). How can I make it work and check that it works correctly?
Should I place the rate_filter option in local.rules or in /etc/snort/snort.conf? After searching, I found a topic that says rate_filter should be placed at the end of Step #5: Configure preprocessors, before Step #6: Configure output plugins.

Thanks in advance.
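Added example (not from the post above, and not Snort's own code): a small Python model of the rate_filter behaviour the Snort manual documents, run over constructed ICMP events shaped like the pings in the log. It makes two things visible. First, the posted directive names sig_id 1000001 while the rule's sid is 10000001, so as written the filter is bound to a rule that never fires and nothing changes. Second, count 1, seconds 10 allows one match per ten seconds, which is the opposite of the stated goal of tolerating up to 10 packets/s; count 10, seconds 1 expresses that goal. The timestamps, the 15-packet burst and the boundary rule (the limit is exceeded once more than count matches land in one window) are assumptions of this model, as is the simplified window reset. One caveat the model cannot show: sdrop and drop only take effect when Snort runs inline (-Q with an inline DAQ); in passive sniffing mode the action is changed but no packet is dropped, so a ping -t will keep getting replies regardless.

```python
"""Model of Snort rate_filter semantics over constructed ICMP alert events.

Added example, not Snort's code. Follows the documented behaviour: at most
`count` rule matches per `seconds` (0 = total count), tracked by_src, by_dst or
by_rule; beyond that the rule action becomes `new_action` for `timeout`
seconds (0 = never revert). Boundary and window handling are assumptions.
"""
import re
from dataclasses import dataclass


@dataclass
class Event:
    t: float        # seconds since start (constructed)
    gen_id: int
    sig_id: int
    src: str
    dst: str


def parse_rate_filter(line):
    """Parse 'rate_filter gen_id N, sig_id N, track X, count N, seconds N, new_action A, timeout N'."""
    m = re.match(r"\s*rate_filter\s+(.*)$", line)
    if not m:
        raise ValueError("not a rate_filter directive: %r" % line)
    opts = {}
    for pair in m.group(1).split(","):
        key, value = pair.split()
        opts[key] = value
    for key in ("gen_id", "sig_id", "count", "seconds", "timeout"):
        opts[key] = int(opts[key])
    return opts


class RateFilter:
    def __init__(self, spec):
        self.spec = spec
        self.window = {}     # track key -> (window_start, matches_in_window)
        self.revert_at = {}  # track key -> time when the original action returns

    def _key(self, ev):
        if self.spec["track"] == "by_src":
            return ev.src
        if self.spec["track"] == "by_dst":
            return ev.dst
        return "by_rule"     # one bucket for the whole rule

    def action(self, ev, original="alert"):
        """Return the action Snort would apply to this rule match."""
        if (ev.gen_id, ev.sig_id) != (self.spec["gen_id"], self.spec["sig_id"]):
            return original  # filter bound to a different gid:sid -> no effect
        key = self._key(ev)
        if key in self.revert_at:
            if ev.t < self.revert_at[key]:
                return self.spec["new_action"]  # still inside the timeout period
            del self.revert_at[key]             # timeout elapsed: revert
            self.window.pop(key, None)
        start, n = self.window.get(key, (ev.t, 0))
        if self.spec["seconds"] and ev.t - start >= self.spec["seconds"]:
            start, n = ev.t, 0                  # window elapsed: start a new one
        n += 1
        self.window[key] = (start, n)
        if n > self.spec["count"]:              # assumption: exceeded when more than count
            self.revert_at[key] = (ev.t + self.spec["timeout"]
                                   if self.spec["timeout"] else float("inf"))
            return self.spec["new_action"]
        return original


# Constructed traffic: the same client and server as the posted log, four pings
# one second apart, then a burst of 15 echo requests inside one second, then a
# few more pings including one well after any timeout.
SRC, DST = "192.168.14.177", "192.168.30.111"
TIMES = [0.0, 1.0, 2.0, 3.0] + [4.0 + i * 0.05 for i in range(15)] + [5.0, 6.0, 40.0]
TRAFFIC = [Event(t, 1, 10000001, SRC, DST) for t in TIMES]

AS_POSTED = ("rate_filter gen_id 1, sig_id 1000001, track by_src, "
             "count 1, seconds 10, new_action sdrop, timeout 30")
SID_FIXED = ("rate_filter gen_id 1, sig_id 10000001, track by_src, "
             "count 1, seconds 10, new_action sdrop, timeout 30")
INTENDED = ("rate_filter gen_id 1, sig_id 10000001, track by_src, "
            "count 10, seconds 1, new_action sdrop, timeout 30")


def run(directive, events=TRAFFIC):
    """Apply one rate_filter directive to the event list; returns the action per event."""
    rf = RateFilter(parse_rate_filter(directive))
    return [rf.action(ev) for ev in events]


if __name__ == "__main__":
    for name, directive in (("as posted", AS_POSTED), ("sid fixed", SID_FIXED), ("intended", INTENDED)):
        actions = run(directive)
        print("%-10s alert=%2d sdrop=%2d" % (name, actions.count("alert"), actions.count("sdrop")))
```

With the sid mismatch, every event keeps the original alert action. With only the sid fixed, the second ping already exceeds count 1 within 10 seconds and everything for the next 30 seconds is sdrop, including the steady 1 packet/s traffic. With count 10, seconds 1, the steady pings stay alerts, the burst switches to sdrop from its 11th packet, and the action reverts after the timeout.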



