Snort mailing list archives
AW: Snort 2.0.4 and threshold
From: "Povel, Michael" <Michael.Povel () umusic com>
Date: Wed, 12 Nov 2003 13:54:51 +0100
Thanks, you are right, I was including the same rulefile twice, sorry. But for the config parameter, what was I doing wrong?

cu Michael

-----Original Message-----
From: Marc Norton [mailto:marc.norton () sourcefire com]
Sent: Tuesday, 11 November 2003 21:21
To: 'Povel, Michael'; snort-users () lists sourceforge net
Subject: RE: [Snort-users] Snort 2.0.4 and threshold

What do the rule(s) and threshold commands look like that are in the .rules file? This message is complaining that you have 2 thresholds applied to the specific rule.

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Povel, Michael
Sent: Tuesday, November 11, 2003 10:35 AM
To: 'snort-users () lists sourceforge net'
Subject: [Snort-users] Snort 2.0.4 and threshold

Hello all,

I am just upgrading to snort 2.0.4 and I would like to use the new Nachi Rule from Paul L Schmehl. But whenever I try to use any threshold stuff, my snort complains:

THRESHOLD: gen_id=1, sig_id=10000008, type=2, tracking=0, count=1000, seconds=60
ERROR: Rule-Threshold-Parse: could not create a threshold object -- only one per sid, sid = 10000008
Fatal Error, Quitting..

So I thought that I might need to initialise the threshold system, and found that a:

config threshold: memcap 30000

in the snort.conf breaks my snort even before the Rules are read ;-(

So I looked at the sources and found that ProcessThresholdOptions is not even used in parser.c or any other source file. I checked in the CVS, and in the latest version at least a call to this function is in parser.c. So I tried to use this in parser.c and at least got snort to accept the config statement, but still without any success for the rule.

Did anyone get the Rule:

alert icmp $HOME_NET any -> any any (msg: "ALERT!!! NACHI Infection!!"; content: "|aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa|"; dsize:64; itype: 8; icode: 0; threshold: type both, track by_src, count 1000, seconds 60; classtype:trojan-activity; sid: 10000008; rev: 4;)

to work with a vanilla 2.0.4 snort?

Many thanks for any help.

Michael
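The "only one per sid" error in the thread comes from Snort seeing more than one threshold bound to the same (gen_id, sid) pair, whether because a rules file with an inline `threshold:` option is included twice, or because a rule-level `threshold:` and a standalone `threshold gen_id ..., sig_id ...` line both target that sid. The following is an added example, not part of the thread and not Snort's own code: a small Python lint that walks a snort.conf, follows its `include` lines, and reports every sid that would trip that check before Snort is restarted. The snort.conf and rules-file contents are constructed samples kept in a dictionary instead of on disk; the file name `nachi.rules` is an assumption.

```python
import re
from collections import defaultdict

# Rule-level option syntax: "... threshold: type both, track by_src, count 1000, seconds 60; ... sid: 10000008; ..."
RULE_SID = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
RULE_THRESHOLD = re.compile(r"\bthreshold\s*:\s*([^;]+);")
# Standalone (threshold.conf / snort.conf) syntax: "threshold gen_id 1, sig_id 10000008, type limit, ..."
STANDALONE = re.compile(r"^\s*threshold\s+gen_id\s+(\d+)\s*,\s*sig_id\s+(\d+)\s*,\s*(.+)$")
INCLUDE = re.compile(r"^\s*include\s+(\S+)")

# Constructed sample files (assumed names/contents, not from the list post).
SAMPLE_FILES = {
    "nachi.rules": (
        'alert icmp $HOME_NET any -> any any (msg:"ALERT!!! NACHI Infection!!"; '
        "dsize:64; itype:8; icode:0; threshold: type both, track by_src, count 1000, seconds 60; "
        "classtype:trojan-activity; sid:10000008; rev:4;)\n"
        'alert tcp any any -> any 80 (msg:"plain rule without threshold"; sid:10000009; rev:1;)\n'
    ),
}

# Broken config: the same rules file is included twice (the cause found in the
# thread) AND a standalone threshold line also targets sid 10000008.
BROKEN_CONF = (
    "config threshold: memcap 30000\n"
    "include nachi.rules\n"
    "include nachi.rules\n"
    "threshold gen_id 1, sig_id 10000008, type limit, track by_src, count 1, seconds 60\n"
)

# Fixed config: one include, and the rule keeps its single inline threshold.
FIXED_CONF = "config threshold: memcap 30000\ninclude nachi.rules\n"


def rule_thresholds(rule_text):
    """Return (gen_id, sid, description) for each rule carrying an inline threshold option.
    Rule-level thresholds always belong to generator 1 (the rules engine)."""
    found = []
    for line in rule_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        sid = RULE_SID.search(line)
        thr = RULE_THRESHOLD.search(line)
        if sid and thr:
            found.append((1, int(sid.group(1)), "rule option: " + thr.group(1).strip()))
    return found


def standalone_thresholds(conf_text):
    """Return (gen_id, sid, description) for each standalone threshold line in a config."""
    found = []
    for line in conf_text.splitlines():
        m = STANDALONE.match(line)
        if m:
            found.append((int(m.group(1)), int(m.group(2)), "standalone: " + m.group(3).strip()))
    return found


def collect_thresholds(conf_text, files):
    """Gather every threshold reachable from conf_text, keyed by (gen_id, sid).
    `include` lines are resolved through the `files` dict, so a file included
    twice contributes its inline thresholds twice, exactly as Snort would see them."""
    seen = defaultdict(list)
    for gen, sid, desc in standalone_thresholds(conf_text):
        seen[(gen, sid)].append(desc)
    for line in conf_text.splitlines():
        m = INCLUDE.match(line)
        if m:
            name = m.group(1)
            for gen, sid, desc in rule_thresholds(files[name]):
                seen[(gen, sid)].append(f"{desc} (from {name})")
    return dict(seen)


def duplicate_thresholds(conf_text, files):
    """Return only the (gen_id, sid) pairs that carry more than one threshold,
    i.e. the ones Snort 2.0.4 would refuse with 'only one per sid'."""
    return {k: v for k, v in collect_thresholds(conf_text, files).items() if len(v) > 1}


if __name__ == "__main__":
    for label, conf in (("broken", BROKEN_CONF), ("fixed", FIXED_CONF)):
        dups = duplicate_thresholds(conf, SAMPLE_FILES)
        print(f"{label}: {len(dups)} sid(s) with duplicate thresholds")
        for (gen, sid), descs in dups.items():
            for d in descs:
                print(f"  gen_id={gen} sid={sid}: {d}")
```

Running the script lists three thresholds for gen_id 1 / sid 10000008 under the broken config (the standalone line plus the inline option seen once per include) and nothing under the fixed one, which mirrors the resolution in the thread: drop the duplicate include and keep exactly one threshold per sid, either inline in the rule or as a standalone line, not both.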