[Snort-users] Snort rule does not alarm

Aleksandrs Polinkins a.polinkins at ...11827...
Mon Jan 30 06:24:03 EST 2017


Dear all,

I have the following rule 

alert tcp any any <> any any (Msg:"Flooding attack!"; detection_filter:track by_dst, count 50, seconds 10;sid:1000036)

The rule works perfectly if no other rules are used, but if there are other rules it has no effect, even if the packet count is much more than 50 in 10 seconds. The problem should not be the choice between a generic rule and not, as no other alarms are triggered when this rule's alarm is expected. Is this a Snort bug, or do I not understand something?

Thanks in advance!


