Snort mailing list archives
Bug in 2.9.6.2???
From: "Starner, Mark" <mark.starner () unisys com>
Date: Wed, 27 Aug 2014 18:24:27 +0000
A rule (ET Rule 2012647) has the following threshold in the rule:
threshold: type limit, count 1, seconds 300, track by_src
Prior to upgrading to 2.9.6.2, this worked as expected, one alert every 5
minutes.
Since upgrading to 2.9.6.2 on 8/15, now we are seeing the behavior where the
rule will fire, wait 5 minutes, then fire again, and again and again.
But, it doesn't start out this way. After a restart of Snort (STOP and
START) it is fine, it alerts once every 5 minutes, for a while, and then at
some point during the day, it will start reporting all alerts, until snort
is STOPped and STARTed. Then it goes back to the proper behavior. (A kill -HUP of the snort process does NOT reset to the proper behavior, only a STOP/START temporarily fixes it).
Anyone else see this or have any suggestions?
Is this a Bug in 2.9.6.2???
Mark Starner | Global Infrastructure - Systems | Unisys IT
Unisys | 443-921-0355
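Added example, not code from the thread: a Python check that scans Snort fast-format alert lines and reports any (sid, source) pair that produced more than `count` alerts inside a `seconds` window, which is exactly the output a working `threshold: type limit, count 1, seconds 300, track by_src` should never contain. The sample lines are constructed, the year is assumed (fast format omits it), and the line layout is assumed to be the standard fast-alert format.

```python
import re
from collections import defaultdict
from datetime import datetime

# Threshold parameters from the rule discussed in the post.
COUNT, SECONDS = 1, 300

# Constructed sample lines in Snort fast-alert format (not real sensor data).
# The first three are 5 minutes apart (expected); the last three arrive
# one second apart (the runaway behaviour described in the post).
SAMPLE_ALERTS = """\
08/27-10:00:00.000000  [**] [1:2012647:3] demo rule [**] {TCP} 10.0.0.5:4444 -> 10.0.0.9:80
08/27-10:05:00.000000  [**] [1:2012647:3] demo rule [**] {TCP} 10.0.0.5:4445 -> 10.0.0.9:80
08/27-10:10:00.000000  [**] [1:2012647:3] demo rule [**] {TCP} 10.0.0.5:4446 -> 10.0.0.9:80
08/27-14:00:00.000000  [**] [1:2012647:3] demo rule [**] {TCP} 10.0.0.5:4447 -> 10.0.0.9:80
08/27-14:00:01.000000  [**] [1:2012647:3] demo rule [**] {TCP} 10.0.0.5:4448 -> 10.0.0.9:80
08/27-14:00:02.000000  [**] [1:2012647:3] demo rule [**] {TCP} 10.0.0.5:4449 -> 10.0.0.9:80
"""

# month/day-HH:MM:SS.usec  [**] [gid:sid:rev] ... {PROTO} src:port -> dst:port
LINE_RE = re.compile(
    r"^(\d\d)/(\d\d)-(\d\d):(\d\d):(\d\d)\.\d+\s+\[\*\*\]\s+\[(\d+:\d+:\d+)\]"
    r".*?\{\w+\}\s+(\S+?):\d+\s+->"
)

def parse_fast_alerts(text, year=2014):
    """Yield (seconds, sid, src_ip) per parsable line; year is an assumption."""
    epoch = datetime(year, 1, 1)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not fast-format alerts
        mo, d, h, mi, s, sid, src = m.groups()
        t = datetime(year, int(mo), int(d), int(h), int(mi), int(s))
        yield (t - epoch).total_seconds(), sid, src

def find_threshold_violations(alerts, count=COUNT, seconds=SECONDS):
    """Return [((sid, src), window_start, span)] for the first window per key
    holding more than `count` alerts; empty when the limit threshold held."""
    by_key = defaultdict(list)
    for t, sid, src in alerts:
        by_key[(sid, src)].append(t)
    violations = []
    for key, times in by_key.items():
        times.sort()
        j = 0
        for i, t in enumerate(times):
            while t - times[j] >= seconds:  # slide window start forward
                j += 1
            if i - j + 1 > count:
                violations.append((key, times[j], t - times[j]))
                break
    return violations

if __name__ == "__main__":
    for key, start, span in find_threshold_violations(parse_fast_alerts(SAMPLE_ALERTS)):
        print(f"{key}: >{COUNT} alerts within {span:.0f}s (window starts at t={start:.0f})")
```

Running the check over a day's alert file and bucketing the first violation time per source shows when the sensor stopped honouring the threshold, which is the data point to attach to a bug report.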
