Snort mailing list archives

Re: rule to detect lots of syn pkts?


From: Paul Schmehl <pauls () utdallas edu>
Date: Fri, 04 Jun 2004 17:48:59 -0500

--On Friday, June 04, 2004 05:30:45 PM -0600 Rich Adamson <radamson () routers com> wrote:

Here's a copy/paste of the exact rule:
alert tcp $HOME_NET any -> any any (msg: "High SYN Traffic"; flags:S;
threshold: track by_src,  seconds 60, count 50, type both ;
classtype:misc-activity; sid: 1000002; rev:1;)

Obviously we've moved the parameters around, but it still barfs on
"seconds 60" with the above order. I'm thinking this is a Win32 bug since
upgrading to the latest build did not resolve the issue. I've played with
spaces before/after commas, etc; no impact.

Can you spot anything in the rule that I might have overlooked or just
kept reading right through it?

No, the rule looks fine. I think you may be correct about the Win32 bug. This rule works fine on unix.

Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/ir/security/
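Added example (not from the thread or from Snort itself): a small Python model of what the threshold option in the rule above asks Snort to do. It parses the option exactly as posted, accepting the four keywords in any order, and applies "type both, track by_src, count 50, seconds 60" to constructed SYN records; the timestamps and addresses are made up for the demonstration.

```python
import re

# Threshold option copied verbatim from the rule quoted in the thread.
RULE_THRESHOLD = "track by_src,  seconds 60, count 50, type both "

def parse_threshold(opt):
    """Parse a Snort 2 'threshold:' body into a dict, accepting keywords in any order."""
    parsed = {}
    for item in filter(None, (s.strip() for s in opt.split(","))):
        m = re.fullmatch(r"(type|track|count|seconds)\s+(\S+)", item)
        if not m:
            raise ValueError(f"unparseable token: {item!r}")
        key, val = m.groups()
        parsed[key] = int(val) if key in ("count", "seconds") else val
    missing = {"type", "track", "count", "seconds"} - set(parsed)
    if missing or parsed["type"] not in ("limit", "threshold", "both") \
            or parsed["track"] not in ("by_src", "by_dst"):
        raise ValueError(f"invalid threshold {parsed}, missing {sorted(missing)}")
    return parsed

class SynThreshold:
    """Per-key counter with 'type both' behaviour: alert once when `count`
    matches arrive inside a `seconds`-long window that opens at the key's
    first match, then stay quiet until that window expires."""
    def __init__(self, th):
        self.th = th
        self.windows = {}   # key -> [window_start, hits, already_alerted]

    def observe(self, src, dst, ts):
        key = src if self.th["track"] == "by_src" else dst
        w = self.windows.get(key)
        if w is None or ts - w[0] >= self.th["seconds"]:
            w = self.windows[key] = [ts, 0, False]   # (re)open the window
        w[1] += 1
        if w[1] >= self.th["count"] and not w[2]:
            w[2] = True
            return True          # the single alert for this window
        return False

def run(threshold_opt, events):
    """events: (timestamp, src, dst, tcp_flags) tuples. Returns the alerts fired."""
    det = SynThreshold(parse_threshold(threshold_opt))
    return [(ts, src) for ts, src, dst, flags in sorted(events)
            if flags == "S" and det.observe(src, dst, ts)]

def sample_events():
    """Constructed traffic: 10.0.0.5 sends 60 SYNs in 30 s, goes quiet, then 50
    more in a fresh window; 10.0.0.7 sends 5 SYNs followed by plain ACKs."""
    ev = [(t * 0.5, "10.0.0.5", "192.0.2.10", "S") for t in range(60)]
    ev += [(t, "10.0.0.7", "192.0.2.10", "S") for t in range(5)]
    ev += [(t, "10.0.0.7", "192.0.2.10", "A") for t in range(5, 100)]
    ev += [(100 + t, "10.0.0.5", "192.0.2.11", "S") for t in range(50)]
    return ev
```

Run as written, `run(RULE_THRESHOLD, sample_events())` fires exactly twice for 10.0.0.5 (once per 60-second window, on the 50th SYN) and never for 10.0.0.7.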

