Snort mailing list archives
Re: What different between using "threshold" and "track" for rule and flow-portscan ??
From: Paul Schmehl <pauls () utdallas edu>
Date: Sat, 11 Aug 2007 10:34:11 -0500
--On August 11, 2007 8:49:17 AM +0000 Lerdpong Lerdpaisarnwong <lerdpong () hotmail com> wrote:
Hey everyone, I'm a newbie. I use Snort to detect scanning worms, whose characteristic is sending packets from one source to many destinations to find victims, so I used the flow-portscan preprocessor to detect them. But then I read the manual and found that I can write a rule using "threshold" and "track". For example:

alert icmp any any -> any any (msg:"Alert for scan worm"; threshold: type threshold, track by_src, count 100, seconds 1;)

Does anyone know the difference between them?
Lots of people do. Threshold is the keyword. track is one of its attributes. When you use the word "threshold" in a rule, snort will be expecting certain attributes and values to follow. If they are not there, or the syntax is incorrect, snort will exit with a fatal error.
track tells snort how it should track the alerts. In the case of an infected host probing many destination hosts, you would want to use track by_src, because you want to track what the source host is doing, not the destination hosts he's attacking.
Look at the Snort Manual under Event Thresholding for the proper syntax. <http://www.snort.org/docs/snort_htmanuals/htmanual_2615/node296.html>

Paul Schmehl (pauls () utdallas edu)
Senior Information Security Analyst
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/
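Added example (not from the thread or from the Snort code base): a small Python model of how the Snort 2.x threshold option keeps one counter per tracked address, run over a constructed packet trace. It approximates Snort's semantics for the three types (limit: alert on the first N events per window; threshold: alert on every Nth event, restarting the window when it fires; both: alert once per window after N events). The addresses, timestamps and the worm-like sweep in the trace are all made up for illustration, and the aim is only to show why "track by_src" catches a host sweeping many destinations while "track by_dst" does not.

```python
"""Model of Snort 2.x 'threshold' rule-option semantics (added example, not Snort code).

Approximates the per-key counters Snort keeps for
    threshold: type <limit|threshold|both>, track <by_src|by_dst>, count N, seconds S
and runs them over a constructed packet trace so the effect of 'track' is visible.
"""
from dataclasses import dataclass, field


@dataclass
class Packet:
    ts: float   # seconds since start of capture
    src: str
    dst: str


@dataclass
class Threshold:
    ttype: str      # 'limit', 'threshold' or 'both'
    track: str      # 'by_src' or 'by_dst'
    count: int
    seconds: float
    # per tracked address: (start of current window, events seen in it)
    _state: dict = field(default_factory=dict)

    def key(self, pkt: Packet) -> str:
        """'track' decides which address the counter is kept per."""
        return pkt.src if self.track == "by_src" else pkt.dst

    def check(self, pkt: Packet) -> bool:
        """Return True if this packet should produce an alert."""
        key = self.key(pkt)
        start, n = self._state.get(key, (pkt.ts, 0))
        if pkt.ts - start >= self.seconds:      # window expired: start a new one
            start, n = pkt.ts, 0
        n += 1
        fire = False
        if self.ttype == "limit":               # first N events per window
            fire = n <= self.count
        elif self.ttype == "threshold":         # every Nth event; window restarts on fire
            if n >= self.count:
                fire, start, n = True, pkt.ts, 0
        elif self.ttype == "both":              # once per window, after N events
            fire = n == self.count
        else:
            raise ValueError(f"unknown threshold type {self.ttype!r}")
        self._state[key] = (start, n)
        return fire


def run(rule: Threshold, packets) -> list:
    """Apply the rule to a packet list; return the tracked keys that alerted, in order."""
    return [rule.key(p) for p in packets if rule.check(p)]


def sample_trace() -> list:
    """Constructed trace (not real traffic): 10.0.0.5 sweeps 120 hosts in about
    half a second (worm-like); 10.0.0.7 pings one host five times over 5 s (benign)."""
    pkts = [Packet(i * 0.004, "10.0.0.5", f"10.0.1.{i + 1}") for i in range(120)]
    pkts += [Packet(0.1 + i, "10.0.0.7", "10.0.1.1") for i in range(5)]
    return sorted(pkts, key=lambda p: p.ts)


if __name__ == "__main__":
    trace = sample_trace()
    for ttype, track, count, secs in [("threshold", "by_src", 100, 1),
                                      ("threshold", "by_dst", 100, 1),
                                      ("limit", "by_src", 1, 60)]:
        hits = run(Threshold(ttype, track, count, secs), trace)
        print(f"type {ttype}, track {track}, count {count}, seconds {secs}: {hits}")
```

With the rule from the question (type threshold, track by_src, count 100, seconds 1) the sweeping host 10.0.0.5 alerts once; the same counts tracked by_dst never reach 100 because each destination only sees one or a handful of packets. The "limit 1 per 60 s, by_src" case shows the other common use of the option, rate-limiting a noisy signature to one alert per source per minute.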