Snort mailing list archives

Re: Re[2]: thresholding


From: "Nordwall, Douglas J" <Nordwall () pnl gov>
Date: Tue, 23 Sep 2003 11:14:43 -0700

OK, folks, after rewriting my rules file, I got it working. I believe that
there was some extra garbage in the file, or there was a split line. Anyhow,
successful suppression and thresholding.

-- 


From: Doug Nordwall <doug () pnl gov>
Date: Tue, 23 Sep 2003 06:46:49 -0700
To: snort-users () lists sourceforge net
Subject: Re: Re[2]: [Snort-users] thresholding

Regardless of this, none of them work. Please go back and check the
original email in this thread. I can't even get the simplest case of
suppressing a particular rule to work. This thread seems to have
mutated into "am I using the rule right" and missed the "can I use it
at all" part :) I tried multiple options, with src and dst. Most
importantly, though, suppress didn't work with no src _or_ dst. It's
not a problem of me limiting or thresholding. It's not a problem in
which way to go. It's a fundamental problem with it just flat out not
working.

Fortunately, Chris is working on it :) Thanks again.

On Tuesday, September 23, 2003, at 12:43 AM, Jyri Hovila wrote:

Hi!

I believe you need to add the thresholding arguments to the signature
definition itself.  Try something like:

alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"Welchia"; \
content:"|aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa|"; itype:8; depth:32; \
reference:arachnids,154; sid:483; classtype:misc-activity; \
threshold: type limit, track by_src, count 1, seconds 60; rev:3;)

This should limit you to one welchia alert per infected host per

In my opinion it's more useful to use track by_dst for now, until
Welchia traffic reduces to a sensible level. There are so many infected
hosts at this time that there's no point in trying to track by source.
I'm running Snort on 10 hosts and had to radically calm down the Welchia
rule in order to prevent my central database from being clogged by
Welchia alerts. Here's the rule I use:

alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"LOCAL ICMP PING \
Welchia worm [LIMITED]"; content:"|aaaa aaaa aaaa aaaa aaaa aaaa aaaa \
aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa \
aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa|";itype:8; \
dsize:64; classtype:trojan-activity; sid:1000000; threshold: \
type limit, track by_dst, count 1, seconds 900;)

- j.
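The two things argued over in this thread, how much an alert stream shrinks under track by_src versus track by_dst for a worm with many infected sources, and what a "split line" in a rules file looks like, can both be checked offline. The script below is an added example written for this archive page; it is not Snort source and not code posted by anyone in the thread. It models the documented behaviour of Snort's three threshold types (limit, threshold, both) and of suppress in a simplified way (a fixed window that starts at the first tracked event), runs it over a constructed Welchia-style ping stream (200 made-up external sources from 203.0.113.0/24 each pinging 10 made-up internal hosts within one minute; not captured traffic), and flags rule lines that continue a previous line without a trailing backslash. The LINE_STARTS set is a deliberately short list of keywords a rules-file line may begin with, not the full grammar.

```python
"""Added example (not Snort source): a simplified model of Snort 2.x
threshold/suppress semantics, run over constructed Welchia-style traffic,
plus a check for the split-line problem that breaks a rules file."""
import re
from dataclasses import dataclass
from typing import Optional

@dataclass
class Threshold:
    kind: str       # Snort's three types: "limit", "threshold", "both"
    track: str      # "by_src" or "by_dst"
    count: int
    seconds: int

@dataclass
class Suppress:
    track: Optional[str] = None   # None: suppress the signature for every address
    ip: Optional[str] = None

def parse_threshold_option(text):
    """Parse a rule's threshold: value, e.g. 'type limit, track by_src, count 1, seconds 60'."""
    kv = dict(re.findall(r"(type|track|count|seconds)\s+(\w+)", text))
    return Threshold(kv["type"], kv["track"], int(kv["count"]), int(kv["seconds"]))

def parse_suppress_line(line):
    """Parse 'suppress gen_id 1, sig_id 483, track by_src, ip 10.1.1.54' -> (sid, Suppress)."""
    kv = dict(re.findall(r"(gen_id|sig_id|track|ip)\s+([\w.]+)", line))
    return int(kv["sig_id"]), Suppress(kv.get("track"), kv.get("ip"))

class EventFilter:
    """Decides, event by event, whether one signature's alert is emitted."""
    def __init__(self, threshold=None, suppressions=()):
        self.threshold = threshold
        self.suppressions = list(suppressions)
        self.windows = {}   # tracked address -> (window_start, events seen in window)

    def passes(self, src, dst, ts):
        for s in self.suppressions:           # suppress is consulted before any threshold
            if (s.track is None or (s.track == "by_src" and src == s.ip)
                    or (s.track == "by_dst" and dst == s.ip)):
                return False
        th = self.threshold
        if th is None:
            return True
        key = src if th.track == "by_src" else dst
        start, n = self.windows.get(key, (ts, 0))
        if ts - start >= th.seconds:          # window expired: open a fresh one
            start, n = ts, 0
        n += 1
        self.windows[key] = (start, n)
        if th.kind == "limit":                # alert on the first `count` events per window
            return n <= th.count
        if th.kind == "threshold":            # alert on every `count`-th event per window
            return n % th.count == 0
        if th.kind == "both":                 # alert once per window, when `count` is reached
            return n == th.count
        raise ValueError(f"unknown threshold type: {th.kind}")

def count_alerts(events, threshold=None, suppressions=()):
    """Number of alerts a stream of (src, dst, timestamp) events would produce."""
    f = EventFilter(threshold, suppressions)
    return sum(1 for src, dst, ts in events if f.passes(src, dst, ts))

def welchia_scan(n_sources=200, n_targets=10, duration=60.0):
    """Constructed traffic (not a capture): n_sources infected external hosts
    each ping all n_targets internal hosts once within `duration` seconds."""
    total = n_sources * n_targets
    return [(f"203.0.113.{i + 1}", f"192.168.1.{10 + j}", (i * n_targets + j) * duration / total)
            for i in range(n_sources) for j in range(n_targets)]

# Tokens a line may start with in a rules file (simplified; Snort accepts more).
LINE_STARTS = {"alert", "log", "pass", "drop", "sdrop", "reject", "activate", "dynamic",
               "var", "include", "config", "preprocessor", "output", "threshold", "suppress"}

def find_split_lines(text):
    """1-based numbers of lines that continue a rule although the previous line
    did not end in a backslash: the 'split line' that makes Snort reject the file."""
    bad, continued = [], False
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if not continued and line.split()[0] not in LINE_STARTS:
            bad.append(no)
        continued = line.endswith("\\")
    return bad

# The wrapped rule as it appears in the thread (re-typed here), and a fixed copy.
SPLIT_RULE = (
    'alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"Welchia";\n'
    'content:"|aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa|"; itype:8; depth:32;\n'
    'reference:arachnids,154; sid:483; classtype:misc-activity;\n'
    'threshold: type limit, track by_src, count 1, seconds 60; rev:3;)\n'
)
FIXED_RULE = SPLIT_RULE.replace(";\n", "; \\\n", 3)
```

With the constructed stream, "type limit, track by_src, count 1, seconds 60" still yields one alert per infected source (200), while "type limit, track by_dst, count 1, seconds 900" yields one per monitored internal host (10), which is the reduction Jyri describes. find_split_lines(SPLIT_RULE) reports lines 2, 3 and 4; after the backslashes are added it reports nothing, matching the "split line" explanation in the top message. The model is a simplification: real Snort keeps its own timing and memory structures, so treat the counts as illustrative, not as a prediction of an exact alert count.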



-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users


