Snort mailing list archives
Re: [Q] thresholding
From: Jack Pepper <pepperjack () afferentsecurity com>
Date: Wed, 15 Oct 2008 13:11:03 -0500
Quoting Victor Klimov <vk77de () googlemail com>:
What could be changed in the following rule, so that thresholding would work? #Rule for alerting common TCP/UDP flood attack: alert ip any any -> any 5060 (msg:"COMMUNITY SIP TCP/IP message flooding directed to SIP proxy"; threshold: type both, track by_src, count 1, seconds 1600; classtype:attempted-dos; sid:100000160; rev:2;)
I assume you want to detect a flood, eh? one hit in 1600 seconds is not much of a flood. did you perhaps intend to detect 1600 hits in one minute? " .. would work .. " is a little vague. what exactly do you want it to do? jp -- Framework? I don't need no stinking framework! ---------------------------------------------------------------- @fferent Security Labs: Isolate/Insulate/Innovate http://www.afferentsecurity.com ------------------------------------------------------------------------- This SF.Net email is sponsored by the Moblin Your Move Developer's challenge Build the coolest Linux based applications with Moblin SDK & win great prizes Grand prize is a trip for two to an Open Source event anywhere in the world http://moblin-contest.org/redirect.php?banner_id=100&url=/ _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- [Q] thresholding Victor Klimov (Oct 15)
- Re: [Q] thresholding Jack Pepper (Oct 15)