Snort mailing list archives
Can you tag thresholded sessions?
From: Paul Schmehl <pschmehl_lists () tx rr com>
Date: Thu, 25 Aug 2011 15:03:55 -0500
I wrote a rule a long, long time ago. Recently we got some hits, and we were curious to see what was going on. Here's the original rule:

# Rule to catch non-authorized mail servers sending mail
alert tcp !$SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"Unauthorized mail server - possible trojan"; flags:S; threshold: type both, track by_src, count 10, seconds 60; classtype:misc-activity; sid:1000002; rev:1;)

And here's the modified rule:

# Rule to catch non-authorized mail servers sending mail
alert tcp !$SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"Unauthorized mail server - possible trojan"; flags:S; threshold: type both, track by_src, count 10, seconds 60; tag:session,15,packets; classtype:misc-activity; sid:1000002; rev:2;)

As you can see, I added tagging to track sessions. But we're not getting the tracking. I looked in the README.tag and README.thresholding docs but didn't see a mention of the other in either. Is it not possible to tag sessions when thresholding is used in the rule? Or is it because I'm looking for the SYN flag?

-- 
Paul Schmehl, Senior Infosec Analyst
As if it wasn't already obvious, my opinions are my own and not those of my employer.
*******************************************
"It is as useless to argue with those who have renounced the use of reason as to administer medication to the dead." Thomas Jefferson
"There are some ideas so wrong that only a very intelligent person could believe in them." George Orwell
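To make the two rule options in the post concrete, here is an added simulation of how "threshold: type both, track by_src, count 10, seconds 60" and "tag:session,15,packets" behave on constructed traffic. It is illustration code written for this page, not Snort's implementation and not anything from the original message; the $SMTP_SERVERS value, the IP addresses and the packet timeline are all made up, and the model assumes (as a labelled assumption, not a statement about Snort) that tagging starts only on a packet that actually produces an alert.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed model (not Snort's code) of the two rule options in the post:
#   threshold: type both, track by_src, count 10, seconds 60
#   tag: session,15,packets
# plus the rule header: tcp !$SMTP_SERVERS any -> $EXTERNAL_NET 25 with flags:S.

SMTP_SERVERS = {"10.0.0.25"}      # assumed value of $SMTP_SERVERS for the demo
THRESH_COUNT = 10                  # count 10
THRESH_SECONDS = 60                # seconds 60
TAG_PACKETS = 15                   # tag:session,15,packets


@dataclass
class Packet:
    ts: float       # seconds since start of capture
    src: str
    sport: int
    dst: str
    dport: int
    syn_only: bool  # True when the TCP flags are exactly SYN (flags:S)


@dataclass
class State:
    # "type both, track by_src": one window, counter and fired-flag per source
    window_start: dict = field(default_factory=dict)
    count: dict = field(default_factory=lambda: defaultdict(int))
    fired: dict = field(default_factory=lambda: defaultdict(bool))
    # "tag:session,N,packets": remaining packet budget per tagged session
    tag_left: dict = field(default_factory=dict)


def session_key(p):
    """Direction-independent key so both halves of a TCP session match."""
    return tuple(sorted([(p.src, p.sport), (p.dst, p.dport)]))


def rule_matches(p):
    """Header + flags:S part of the rule (threshold is applied separately)."""
    return p.src not in SMTP_SERVERS and p.dport == 25 and p.syn_only


def threshold_both(state, p):
    """'type both': alert once per window after count matches from a source."""
    start = state.window_start.get(p.src)
    if start is None or p.ts - start >= THRESH_SECONDS:
        state.window_start[p.src] = p.ts
        state.count[p.src] = 0
        state.fired[p.src] = False
    state.count[p.src] += 1
    if state.count[p.src] >= THRESH_COUNT and not state.fired[p.src]:
        state.fired[p.src] = True
        return True
    return False


def process(packets, state=None):
    """Return a list of ('alert'|'tagged', ts, src, session_key) events."""
    state = state or State()
    events = []
    for p in packets:
        key = session_key(p)
        if rule_matches(p) and threshold_both(state, p):
            events.append(("alert", p.ts, p.src, key))
            # Model assumption: tagging starts only when an alert is emitted;
            # the post asks exactly whether Snort behaves this way.
            state.tag_left[key] = TAG_PACKETS
        elif state.tag_left.get(key, 0) > 0:
            state.tag_left[key] -= 1
            events.append(("tagged", p.ts, p.src, key))
    return events


def build_sample():
    """Constructed traffic: one noisy host, one quiet host, one mail server."""
    pk = [Packet(0.5, "10.0.0.25", 50000, "203.0.113.99", 25, True)]  # allowed
    for i in range(10):          # ten SYNs in ten seconds from a workstation
        pk.append(Packet(float(i + 1), "10.0.0.5", 40000 + i, f"203.0.113.{i + 1}", 25, True))
    for k in range(20):          # twenty follow-up packets in the tenth session
        pk.append(Packet(10.1 + 0.01 * k, "203.0.113.10", 25, "10.0.0.5", 40009, False))
    for i in (10, 11):           # two more SYNs inside the same 60s window
        pk.append(Packet(float(i + 1), "10.0.0.5", 40000 + i, f"203.0.113.{i + 1}", 25, True))
    for t in (2.5, 3.5, 4.5):    # a quiet host stays under the count
        pk.append(Packet(t, "10.0.0.6", 41000, "203.0.113.50", 25, True))
    pk.append(Packet(70.0, "10.0.0.5", 40100, "203.0.113.60", 25, True))  # new window
    return sorted(pk, key=lambda p: p.ts)


def summarize(events):
    return {"alerts": sum(1 for e in events if e[0] == "alert"),
            "tagged": sum(1 for e in events if e[0] == "tagged")}


if __name__ == "__main__":
    print(summarize(process(build_sample())))
```

On the constructed sample the noisy host's tenth SYN produces the single alert, only the first 15 of the 20 follow-up packets in that session are tagged, the eleventh and twelfth SYNs inside the same 60-second window are counted but silent, and the SYN at 70 seconds opens a fresh window. Whether Snort itself starts the tag on a thresholded event is the open question of the post, and this model does not decide it.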