[Snort-users] detection_filter not working

fatema bannatwala fatema.bannatwala at ...11827...
Tue Jan 17 14:21:25 EST 2017


Hi Anna,

Just to confirm, you said you were seeing more than 20 attempts per second
for a given IP, and you got an alert on that while using threshold?
(I think it's a bit of a high threshold, so I just wanted to confirm.)

Also, just for fun, could you try swapping the positions where you define
classtype and detection_filter, to check whether that works?
i.e. something like:
(msg:"syn flood attempt"; flags:S; detection_filter: track by_src, count 20, seconds 1; classtype:attempted-dos; sid:1000024;)


Thanks,
Fatema.
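Added example, not part of the thread: a small Python model of the detection_filter semantics in the rule above (track by_src, count 20, seconds 1), run over constructed SYN timestamps so you can see which packets would alert. The windowing (anchored at a source's first match, reset after `seconds`) is an assumption about Snort's behaviour; the packet data is made up.

```python
from collections import namedtuple

# Constructed packets (src, timestamp in seconds): not real traffic.
Packet = namedtuple("Packet", "src ts")


class DetectionFilter:
    """Model of Snort's detection_filter option: track by_src, count N, seconds S.

    A source must produce more than `count` rule matches inside a `seconds`
    window before the rule may alert; every further match inside that window
    alerts too. Assumed semantics: the window is anchored at the source's
    first match and is reset once `seconds` have elapsed.
    """

    def __init__(self, count, seconds):
        self.count = count
        self.seconds = seconds
        self.state = {}  # src -> (window_start, matches_in_window)

    def check(self, src, ts):
        start, n = self.state.get(src, (ts, 0))
        if ts - start > self.seconds:   # window expired: start a fresh one
            start, n = ts, 0
        n += 1
        self.state[src] = (start, n)
        return n > self.count           # alert only once the rate is exceeded


def run_rule(packets, count=20, seconds=1):
    """Apply the thread's rule (every constructed packet matches flags:S)
    and return the 1-based indices of packets that would raise an alert."""
    df = DetectionFilter(count, seconds)
    return [i for i, p in enumerate(packets, 1) if df.check(p.src, p.ts)]


# 25 SYNs from one source in 0.25 s (a burst well above 20/s), 5 from a quiet
# host, then one more from the first source after the window has expired.
PACKETS = ([Packet("10.0.0.1", i * 0.01) for i in range(25)]
           + [Packet("10.0.0.2", 0.1 * i) for i in range(5)]
           + [Packet("10.0.0.1", 2.5)])

if __name__ == "__main__":
    print(run_rule(PACKETS))  # -> [21, 22, 23, 24, 25]
```

Only the 21st and later SYNs inside the one-second window alert; the quiet host and the late packet that starts a new window do not.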

