[Snort-users] About detection filter

Ryota Kurokawa r-kurokw at ist.osaka-u.ac.jp
Tue Nov 14 07:28:18 EST 2017


Hi

I am using Snort 2.9.

I have written the following rules.
- -
alert icmp 192.168.37.231 any -> 192.168.37.236 any (msg: "ICMP traffic once a second"; detection_filter: track by_src, count 10, seconds 1; classtype: attempted-dos; priority: 1; sid: 1000001;)
- -

In the above rule, it detects that it receives 10 packets a second. This 
rule succeeded.
I have one question.
For example, what happens if I receive a packet 15 times per second?
Is the remaining 5 ignored?
Or will it count in the next second?

Thanks.
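An added example, not code from the poster or the Snort project: a small Python model of the detection_filter counting described in the Snort manual (fire on every match after `count` matches inside one `seconds` window; a new window starts with the first match after the old one expires), run against the 15-packets-per-second case from the question. The class and function names are this example's own assumptions.

```python
"""Model of Snort detection_filter counting (example, not Snort's own code).
Follows the Snort manual's description: the window starts at the first match,
the rule fires on every match once more than `count` have been seen in the
window, and the counter restarts at 1 when a match arrives after the window
has expired; nothing carries over into the next window."""


class DetectionFilter:
    """Per-key rate threshold: track by_src/by_dst, count N, seconds S."""

    def __init__(self, count, seconds):
        self.count = count        # matches allowed before the filter trips
        self.seconds = seconds    # length of the sampling window
        self._state = {}          # key -> (window_start, matches_seen)

    def match(self, key, ts):
        """Feed one rule match for `key` (e.g. source IP) at time `ts`.
        Returns True if the rule should generate an event for this packet."""
        start, seen = self._state.get(key, (None, 0))
        if start is None or ts - start >= self.seconds:
            # First match, or the window has expired: open a new window.
            # The count restarts from zero; the old window's matches are gone.
            start, seen = ts, 0
        seen += 1
        self._state[key] = (start, seen)
        return seen > self.count


def alerts_per_second(packets_per_second, bursts, count=10, seconds=1):
    """Send `packets_per_second` matches in each of `bursts` consecutive
    seconds and return how many alerts fire in each second."""
    df = DetectionFilter(count, seconds)
    src = "192.168.37.231"  # source address from the rule above (constructed traffic)
    fired_each_second = []
    for sec in range(bursts):
        fired = 0
        for i in range(packets_per_second):
            ts = sec + i / packets_per_second  # packets spread evenly over the second
            if df.match(src, ts):
                fired += 1
        fired_each_second.append(fired)
    return fired_each_second


if __name__ == "__main__":
    print(alerts_per_second(15, 3))  # [5, 5, 5]: packets 11-15 of each second alert
    print(alerts_per_second(10, 3))  # [0, 0, 0]: exactly 10 never exceeds count 10
```

Under this model the "remaining 5" packets are not ignored and are not carried into the next second: each of them generates its own event, and the next second starts counting from scratch.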
