Snort mailing list archives
thresholding
From: Doug Nordwall <doug () pnl gov>
Date: Mon, 22 Sep 2003 12:59:32 -0700
I'm trying to suppress or threshold a particular rule with snort 2.0.2. I've read the README.thresholding over and am attempting the following.

The rule is sid:483 (the cyberkit... I'm trying to squelch welchia a bit). I put in a line in snort.conf for rules in local-limits.rules. The file itself says:

    suppress gen_id 1, sig_id 483

I've tried:

    suppress gen_id 1, sig_id 483, track by_dst, ip x.x.x.x/x
    threshold gen_id 1, sig_id 483, type threshold, track by_src, count 3, seconds 60
    threshold gen_id 1, sig_id 483, type threshold, track by_dst, count 3, seconds 60

None of them seem to stem the flow at all (outputting in unified format, reading fast.alert from barnyard output).

I have not removed rule 483. Anyone know what I might be doing wrong?

Doug Nordwall
doug () pnl gov
pgp fingerprint: 3CC7 B302 CB87 BCF3 F080 DF9D 43DF A123 D9D3 074E
Current thread:
- thresholding Doug Nordwall (Sep 22)
- Re: thresholding Chris Green (Sep 22)
- Re: thresholding Doug Nordwall (Sep 22)
- Re: thresholding Robert Vance Jr (Sep 22)
- Re: thresholding Doug Nordwall (Sep 22)
- Re[2]: thresholding Jyri Hovila (Sep 23)
- Re: Re[2]: thresholding Doug Nordwall (Sep 23)
- Re: Re[2]: thresholding Nordwall, Douglas J (Sep 24)
- Re: thresholding Doug Nordwall (Sep 22)
- Re: thresholding Chris Green (Sep 22)