Snort mailing list archives

Re: [sonrt-user]About rule options


From: Mayur Patil <ram.nath241089 () gmail com>
Date: Thu, 26 Sep 2013 19:55:01 +0530

Hello Russ Sir,

     I am able to implement text rules with the above said options but my
problem is "Parsing Rules from the Rule generator", because I want to
generate the shared object rules.
http://labs.snort.org/cgi-bin/sorules.cgi

     I want to use count, seconds. Whenever I use detection_filter in a
rule, I am getting an error while parsing rules from the rule generator:

     "no valid rules for generation".

     So is there any option present which I can parse from the rule generator
with attributes count, seconds to generate shared object rules??

      Seeking for guidance,

      Thanks !!
--
Cheers,
Mayur.

On Thu, Sep 26, 2013 at 6:40 PM, Russ Combs <rcombs () sourcefire com> wrote:




On Thu, Sep 26, 2013 at 6:52 AM, Mayur Patil <ram.nath241089 () gmail com>wrote:

Hello Joel Sir,

    I have looked for your solution but when I am generating rules by
parsing through the rule generator I am getting an error.

    I want to use count, seconds to detect a DoS attack.

    As the following example parses effectively:

    alert tcp 10.1.1.4 any -> 10.1.1.1 any (msg:"RAM"; content:"TAGMYPACKETS"; classtype:attempted-dos; flow:to_server,established; sid:100001; rev:1;)

    but if I add count, seconds it does not work. I also tried with the tag option:

    alert tcp 10.1.1.4 any -> 10.1.1.1 any (msg:"RAM"; content:"TAGMYPACKETS"; classtype:attempted-dos; flow:to_server,established; sid:100001; rev:1; count:50; seconds:1)


Those aren't valid rule options.  If you want to use them in a rule to
determine when the rule fires, use detection_filter.  If you want to use
them to change the rule action, use rate_filter.  And if you want to use
them to limit logging, use event_filter.  Only detection_filter can be used
in a rule.  rate_filter and event_filter are applied after the rule fires
and therefore are specified separately.


Please help me to solve this problem !!

Seeking for guidance

Thanks !!


P.S.: I have also searched through the Snort Manual but did not get a hint.
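
The three filters Russ lists, written out side by side so the difference is visible. This is an added example for this archive page, not code from the original thread or from the Snort project. The rule header, the content match and sid:100001 are taken from Mayur's rule above; the thresholds (50 packets in 1 second, the new_action drop with a 10 second timeout, the 1-per-60-seconds log limit) and the bump to rev:2 are assumed for illustration. Syntax is Snort 2.9 text-rule syntax; gen_id 1 is the generator id of text rules.

```snort
# local.rules
# count and seconds are not rule options on their own. Inside a rule they
# only exist as arguments of detection_filter, which decides WHEN the rule
# fires: here the alert is raised once a single source has sent 50 matching
# packets within 1 second. track by_src or by_dst is mandatory.
alert tcp 10.1.1.4 any -> 10.1.1.1 any (msg:"RAM"; flow:to_server,established; content:"TAGMYPACKETS"; detection_filter:track by_src, count 50, seconds 1; classtype:attempted-dos; sid:100001; rev:2;)

# snort.conf (or threshold.conf included from it)
# The next two are NOT rule options. They are applied after the rule fires,
# so they live in the configuration and are tied to the rule by gen_id/sig_id.

# rate_filter changes the rule ACTION once the rate is exceeded: after 50
# events from one source within 1 second, treat sid 100001 as "drop" for
# 10 seconds. Dropping only takes effect when Snort runs inline.
rate_filter gen_id 1, sig_id 100001, track by_src, count 50, seconds 1, new_action drop, timeout 10

# event_filter limits LOGGING of an already-fired rule: at most 1 alert per
# source per 60 seconds for sid 100001, so a flood produces one log line
# per minute instead of thousands.
event_filter gen_id 1, sig_id 100001, type limit, track by_src, count 1, seconds 60
```

Check the whole configuration parses before deploying it with `snort -T -c snort.conf` (test mode, exits after reporting configuration errors). Two caveats: sid values below 1000000 are reserved for the rules distributed with Snort, so a local rule such as this one should use a sid of 1000000 or higher to avoid collisions; and this example only shows what the text-rule syntax looks like, it does not change the fact that the shared-object rule generator Mayur is using rejects detection_filter.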


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
