Snort mailing list archives

RE: test a threshold rule, please?


From: Rich Adamson <radamson () routers com>
Date: Tue, 6 Jul 2004 10:49:07 -0600

Josh,

Tried that and the problem consistently occurs with the "first"
threshold parameter that has an integer value.

Can you try this rule either on linux or win32 for me please?
Pretty please with honey on it?

Rich

------------------------
Maybe the order of the seconds, count options.  Try changing it to count 1, seconds 60;

-----Original Message-----

Could someone test the following rule in either linux or win32, please?

alert tcp $HOME_NET any -> any any (msg: "High SYN Traffic"; flags:S; threshold: type threshold, track by_src, seconds 60, count 1; classtype:misc-activity; sid: 1000002; rev:1;)

I'm trying to determine whether the above might indicate a bug in linux, win32, or a syntax error on my part. If I try the above rule in win32 (v2.2.0rc1 build 28), snort will not start due to an integer error reading the rule. Inserting content:" "; offset:0; in the above allows snort to start.

Any help/suggestions would be greatly appreciated. Off-list comments are
fine if you'd like.

Rich
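Added example (not part of the thread, and not Snort's own parser): a small Python checker that tokenizes a Snort 2.x rule into header and options and validates the threshold clause the way the documented grammar describes it (type limit|threshold|both, track by_src|by_dst, integer count and seconds). It is run over the rule from the post and over the reordered "count 1, seconds 60" variant suggested in the reply. Accepting count and seconds in either order is this example's own choice for illustrating the clause; it is not a statement about what the 2.2.0rc1 win32 parser does. The two rule strings are constructed inputs copied from the thread.

```python
import re

# Constructed inputs: the rule from the post joined onto one line, and the
# reordered variant from the reply.  Both are test data for this example only.
RULE_FROM_POST = (
    'alert tcp $HOME_NET any -> any any (msg: "High SYN Traffic"; flags:S; '
    'threshold: type threshold, track by_src, seconds 60, count 1; '
    'classtype:misc-activity; sid: 1000002; rev:1;)'
)
RULE_REORDERED = RULE_FROM_POST.replace("seconds 60, count 1", "count 1, seconds 60")

# Rule header: action proto src sport dir dst dport ( options )
HEADER_RE = re.compile(
    r'^\s*(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+'
    r'(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<body>.*)\)\s*$',
    re.S,
)

THRESHOLD_TYPES = ("limit", "threshold", "both")
THRESHOLD_TRACKS = ("by_src", "by_dst")


def split_options(body):
    """Split the option body on ';' characters that are outside double quotes."""
    opts, cur, in_quote, i = [], [], False, 0
    while i < len(body):
        ch = body[i]
        if ch == '\\' and in_quote and i + 1 < len(body):
            cur.append(body[i:i + 2])   # keep escaped char inside a quoted string
            i += 2
            continue
        if ch == '"':
            in_quote = not in_quote
        if ch == ';' and not in_quote:
            opts.append(''.join(cur).strip())
            cur = []
        else:
            cur.append(ch)
        i += 1
    tail = ''.join(cur).strip()
    if tail:
        opts.append(tail)
    return [o for o in opts if o]


def parse_rule(rule):
    """Return header fields plus a list of (option, value) pairs."""
    m = HEADER_RE.match(rule)
    if not m:
        raise ValueError("unrecognised rule header")
    parsed = m.groupdict()
    body = parsed.pop("body")
    options = []
    for opt in split_options(body):
        key, _, val = opt.partition(':')
        options.append((key.strip(), val.strip()))
    parsed["options"] = options
    return parsed


def parse_threshold(value):
    """Parse 'type X, track Y, count N, seconds M' (any order here) -> (fields, problems)."""
    fields, problems = {}, []
    for part in value.split(','):
        tokens = part.split()
        if len(tokens) != 2:
            problems.append(f"malformed threshold clause: {part.strip()!r}")
            continue
        key, val = tokens
        if key in ("count", "seconds"):
            if not val.isdigit():                 # the integer check the post trips over
                problems.append(f"{key} must be an integer, got {val!r}")
                continue
            fields[key] = int(val)
        elif key == "type":
            if val not in THRESHOLD_TYPES:
                problems.append(f"unknown threshold type {val!r}")
            fields[key] = val
        elif key == "track":
            if val not in THRESHOLD_TRACKS:
                problems.append(f"unknown track value {val!r}")
            fields[key] = val
        else:
            problems.append(f"unknown threshold key {key!r}")
    for required in ("type", "track", "count", "seconds"):
        if required not in fields:
            problems.append(f"threshold is missing {required}")
    return fields, problems


def check_rule(rule):
    """Return a list of problems; an empty list means the rule parsed cleanly."""
    parsed = parse_rule(rule)
    problems = []
    seen = dict(parsed["options"])
    if "sid" not in seen or not seen["sid"].isdigit():
        problems.append("sid must be an integer")
    for key, val in parsed["options"]:
        if key == "threshold":
            problems.extend(parse_threshold(val)[1])
    return problems


if __name__ == "__main__":
    for name, rule in (("post", RULE_FROM_POST), ("reordered", RULE_REORDERED)):
        print(name, check_rule(rule) or "ok")
```

Under this example's grammar both orderings parse to the same threshold fields, so a checker like this separates a genuine syntax error (a non-integer count or seconds, a missing key) from a parser difference between builds, which is the question the thread is asking.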

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users