Snort mailing list archives
Snort 2.7.0 thresholding-local none
From: "Jeffrey Denton" <dentonj () gmail com>
Date: Mon, 16 Jul 2007 01:08:24 +0200
The threshold option in the signatures does work in snort-2.7.0. In /var/log/messages, ----[thresholding-local]---- displays "none".

/etc/snort/snort_test.conf:

var HOME_NET any
var EXTERNAL_NET any
dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/
dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
preprocessor flow: stats_interval 0 hash 2
preprocessor stream4: disable_evasion_alerts
preprocessor stream4_reassemble
output alert_syslog: LOG_AUTH LOG_ALERT
include /etc/snort/classification.config
include /etc/snort/reference.config

alert icmp any any -> any any (msg:"Test ping - dentonj payload - limit"; content:"dentonj"; threshold: type limit, track by_src, count 1, seconds 30; sid:10000001; rev:1;)
alert icmp any any -> any any (msg:"Test ping - DENTONJ payload - threshold"; content:"DENTONJ"; threshold: type threshold, track by_src, count 5, seconds 30; sid:10000002; rev:1;)

# snort -c snort_test.conf -i eth0

The following command triggers two alerts, one with a source of 192.168.1.2 and the second with a source of 192.168.1.1:

$ ping -c 5 -p 64656e746f6e6a 192.168.1.1

The following command does not trigger any alerts:

$ ping -c 2 -p 44454e544f4e4a 192.168.1.1

The following command triggers two alerts, one with a source of 192.168.1.2 and the second with a source of 192.168.1.1:

$ ping -c 5 -p 44454e544f4e4a 192.168.1.1
From snort starting up:
+-----------------------[thresholding-config]----------------------------------
| memory-cap : 1048576 bytes
+-----------------------[thresholding-global]----------------------------------
| none
+-----------------------[thresholding-local]-----------------------------------
| none
+-----------------------[suppression]------------------------------------------
| none
-------------------------------------------------------------------------------
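The two rules in the post exercise the two rule-level threshold types, and the ping -p patterns are just the rule's content strings in hex. The following is an added example, not part of the post and not Snort's own code: a small Python model of "type limit" and "type threshold" with "track by_src", fed a constructed packet stream that mirrors the three ping commands. It assumes ping sends one echo request per second, that each reply from 192.168.1.1 carries the same payload back (which is why every batch produces one alert per source), and that the batches are more than 30 seconds apart so each falls in its own window. Snort content matches are case-sensitive unless "nocase" is given, which is why the lower-case rule never matches the upper-case payload and vice versa.

```python
"""Model of Snort 2.x rule-level threshold semantics (added example, not
Snort code).  'limit' alerts on the first COUNT matches per window,
'threshold' alerts on every COUNT-th match within a window; both are
tracked per source address here (track by_src)."""
from collections import defaultdict

# The two rules from the post, reduced to the fields the model needs.
RULES = {
    10000001: {"content": b"dentonj", "type": "limit", "count": 1, "seconds": 30},
    10000002: {"content": b"DENTONJ", "type": "threshold", "count": 5, "seconds": 30},
}


def payload_from_ping_pattern(hex_pattern):
    """Decode the hex string given to 'ping -p' into the bytes placed in the
    ICMP payload (ping repeats the pattern to fill the packet; one occurrence
    is enough for a content match)."""
    return bytes.fromhex(hex_pattern)


class ThresholdState:
    """Per-rule counters keyed by tracked address, with a time window that is
    reopened when SECONDS have elapsed since it was started."""

    def __init__(self, kind, count, seconds):
        self.kind, self.count, self.seconds = kind, count, seconds
        self.window_start = {}
        self.seen = defaultdict(int)

    def check(self, key, now):
        """Return True if this match should produce an alert."""
        start = self.window_start.get(key)
        if start is None or now - start >= self.seconds:
            self.window_start[key] = now      # first event or expired window
            self.seen[key] = 0
        self.seen[key] += 1
        if self.kind == "limit":
            return self.seen[key] <= self.count
        if self.kind == "threshold":
            if self.seen[key] >= self.count:
                self.seen[key] = 0            # count restarts after firing
                return True
            return False
        raise ValueError("unknown threshold type: %s" % self.kind)


class Detector:
    """Applies the content match and then the rule's threshold to each packet."""

    def __init__(self, rules):
        self.rules = rules
        self.state = {sid: ThresholdState(r["type"], r["count"], r["seconds"])
                      for sid, r in rules.items()}
        self.alerts = []                      # (sid, source address) pairs

    def process(self, now, src, payload):
        for sid, rule in self.rules.items():
            if rule["content"] not in payload:    # case-sensitive, no 'nocase'
                continue
            if self.state[sid].check(src, now):   # track by_src
                self.alerts.append((sid, src))


def ping_events(t0, count, hex_pattern, src="192.168.1.2", dst="192.168.1.1"):
    """Constructed stream for 'ping -c COUNT -p PATTERN DST' as seen on the
    wire: an echo request from SRC and an echo reply from DST each second,
    both carrying the same payload (assumption for this model)."""
    payload = payload_from_ping_pattern(hex_pattern)
    events = []
    for i in range(count):
        events.append((t0 + i, src, payload))           # echo request
        events.append((t0 + i + 0.001, dst, payload))   # echo reply
    return events


def run_scenario():
    """Replay the three ping commands from the post, spaced >30 s apart."""
    det = Detector(RULES)
    stream = (ping_events(0, 5, "64656e746f6e6a")      # "dentonj", limit rule
              + ping_events(100, 2, "44454e544f4e4a")  # "DENTONJ", under count
              + ping_events(200, 5, "44454e544f4e4a")) # "DENTONJ", reaches 5
    for now, src, payload in stream:
        det.process(now, src, payload)
    return det.alerts


if __name__ == "__main__":
    for sid, src in run_scenario():
        print("sid %d fired for source %s" % (sid, src))
```

Running it reproduces the post's observation: the limit rule fires once per source on the first batch, the two-packet batch produces nothing, and the five-packet DENTONJ batch fires once per source on the fifth match. Changing the gap between the second and third batch to under 30 seconds makes the threshold rule fire on the third packet of the last batch instead, since the earlier two matches are still inside the window.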