[Snort-users] Thresholding issues

James Lay jlay at ...13475...
Thu Mar 26 19:00:57 EDT 2015


On Thu, 2015-03-26 at 17:08 -0400, French, Jared wrote:
> I'm fairly new to snort and I've been trying to get thresholding
> working, but haven't had any luck.  Not with individual rules or
> global rules.   I added the following line to threshold.conf and
> ran a rule update after: 
> 
> event_filter gen_id 0, sig_id 0, type limit, track by_src, count 1,
> seconds 360 
> 
> However, when I open up snorby and watch the logs I'll get the same
> alert popping up many times in row either with the same timestamp or
> well within the given 360 seconds.  My understanding is that this line
> should cause any and all rules to fire only once every 360 seconds.
> Is that incorrect or is something possibly broken? 
> 
> The same happens when I try to apply thresholds for individual rules
> such as:   
> 
> event_filter gen_id 1, sig_id 2012252, type limit, track by_src, count
> 1, seconds 360 
> 
> which is the emerging threat SHELLCODE Common 0a0a0a0a Heap Spray
> String alert. 
> 
> Just looking for some help / clarification.  Thanks!
> 
> 


Verify that:

include /path/threshold.conf is in your snort.conf.

James
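To make the behaviour Jared is asking about concrete, here is an added Python model of Snort's `event_filter` `type limit, track by_src` semantics for the two filters he posted (example code written for this page, not Snort's implementation or anything from the list); the alert stream and source addresses are constructed.

```python
from dataclasses import dataclass, field

# Constructed model of Snort 2.x event_filter "limit" semantics: log the
# first `count` events per window of `seconds`, then drop the rest of the
# window. Only type "limit" is modelled here; "threshold" and "both" are not.

@dataclass
class EventFilter:
    gen_id: int
    sig_id: int
    count: int
    seconds: int

@dataclass
class FilterState:
    filters: list
    _windows: dict = field(default_factory=dict)

    def _match(self, gid, sid):
        # A per-signature filter overrides the global (gen_id 0, sig_id 0) one.
        for f in self.filters:
            if (f.gen_id, f.sig_id) == (gid, sid):
                return f
        return next((f for f in self.filters if (f.gen_id, f.sig_id) == (0, 0)), None)

    def should_log(self, gid, sid, src, ts):
        f = self._match(gid, sid)
        if f is None:
            return True                      # no filter: every event is logged
        key = (gid, sid, src)                # track by_src: per rule, per source
        start, seen = self._windows.get(key, (None, 0))
        if start is None or ts - start >= f.seconds:
            start, seen = ts, 0              # first event opens a new window
        seen += 1
        self._windows[key] = (start, seen)
        return seen <= f.count

def run_example():
    filters = [EventFilter(0, 0, 1, 360), EventFilter(1, 2012252, 1, 360)]
    state = FilterState(filters)
    # Constructed alerts: (gid, sid, src, unix timestamp)
    alerts = [
        (1, 2012252, "10.0.0.5", 1000),
        (1, 2012252, "10.0.0.5", 1000),  # duplicate, same timestamp: dropped
        (1, 2012252, "10.0.0.5", 1200),  # still inside the 360 s window
        (1, 2012252, "10.0.0.9", 1200),  # different source: its own window
        (1, 2012252, "10.0.0.5", 1400),  # 400 s after window start: logged
        (1, 2000001, "10.0.0.5", 1000),  # other rule, covered by the global filter
        (1, 2000001, "10.0.0.5", 1100),
    ]
    return [state.should_log(*a) for a in alerts]
```

If a live sensor still shows repeats inside the window, the filter is not being applied at all, which is why James's check (the file actually being included from snort.conf) comes before any reasoning about the semantics.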

