Snort mailing list archives
Re: Flowbits and threshold
From: Dheeraj Gupta <dheeraj.gupta4 () gmail com>
Date: Wed, 14 Sep 2011 18:14:25 +0200
Hi,

Thanks for clearing that up. So if I need a rule to fire only when a previous rule (based on threshold) generates an alert, I will need to keep the thresholds of both the alerts in sync. Right? Or is there any other (and simpler) way?

Regards,
Dheeraj

On Wed, Sep 14, 2011 at 1:37 PM, Jason Wallace <jason.r.wallace () gmail com> wrote:
I believe threshold/suppression only affects the alerting mechanism. For example, if you have a rule that sets a threshold of one alert in 60 seconds and that rule is set to drop, I believe any packet that matches the rule will be dropped, regardless of the threshold. This is probably the same for setting a flowbit.

On Wed, Sep 14, 2011 at 1:03 AM, Dheeraj Gupta <dheeraj.gupta4 () gmail com> wrote:

Hi,

I was wondering how flowbits are interpreted in a rule that has threshold keywords. Suppose I have a rule that checks if my proxy has just denied a request to a user:

    alert tcp any 8080 -> any any (msg:"Proxy Denies"; content:"ERR_CACHE_ACCESS_DENIED"; http_header; threshold:type threshold, track by_dst, count 60, seconds 60; flowbits:set,proxy.deny; flowbits:noalert; sid:1000010; rev:1;)

Since I want to log the packet that shows what URL the user was trying to access, I write the following rule to log one packet only for a denied request exceeding the threshold:

    alert tcp any 8080 -> any any (msg:"Proxy Access Denied"; flowbits:isset,proxy.deny; content:"While trying to retrieve the URL:"; nocase; flowbits:unset,proxy.deny; threshold:type threshold, track by_dst, count 60, seconds 60; sid:1000011; rev:1;)

Is the flowbit set when the first packet with ERR_CACHE_ACCESS_DENIED is seen or when the threshold is passed? Also, if I do not put the threshold limit in the second rule and allow the first rule to also generate alerts, I get about 60 alerts from the second rule for each alert of the first rule. Since I unset the flowbit after the second rule fires, shouldn't the second rule quieten down till the next time the threshold is breached?

I can't use tag because the background script (that processes these alerts) expects only one packet per alert, and also since the docs say that tag doesn't work great with the database output plugin.

Regards,
Dheeraj

------------------------------------------------------------------------------
BlackBerry® DevCon Americas, Oct. 18-20, San Francisco, CA
Learn about the latest advances in developing for the BlackBerry® mobile platform with sessions, labs & more. See new tools and technologies. Register for BlackBerry® DevCon today! http://p.sf.net/sfu/rim-devcon-copy1
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
Please visit http://blog.snort.org for the latest news about Snort!
--
To iterate is human. To recurse, divine!
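The behaviour Jason describes (threshold gating only the alert while flowbits:set runs on every match) and the roughly 60-to-1 alert ratio Dheeraj observed, as an added illustration that is not part of the thread and not Snort's code: a small Python model of the two rules. The per-destination counter, the simplified 60-second window and the packet sample are constructed assumptions.

```python
from collections import defaultdict

# Constructed model of the two behaviours discussed in the thread:
# threshold limits alerting only, flowbits:set runs on every match.
# Counting/window semantics are simplified (assumption, not Snort's code).
COUNT, SECONDS = 60, 60

class ThresholdState:
    """One counter per destination, as 'track by_dst' keeps."""
    def __init__(self, count, seconds):
        self.count, self.seconds = count, seconds
        self.windows = {}  # dst -> (window_start, matches_in_window)

    def alert_allowed(self, dst, now):
        start, n = self.windows.get(dst, (now, 0))
        if now - start >= self.seconds:   # window expired, start over
            start, n = now, 0
        n += 1
        self.windows[dst] = (start, n)
        return n % self.count == 0   # type threshold: every count-th match

def run(packets, rule2_threshold):
    """Return (sid 1000010 alerts, sid 1000011 alerts) for packets
    given as (timestamp, flow_id, dst, payload) tuples."""
    t1 = ThresholdState(COUNT, SECONDS)
    t2 = ThresholdState(COUNT, SECONDS) if rule2_threshold else None
    flowbits = defaultdict(set)  # flow_id -> names of set bits
    alerts1 = alerts2 = 0
    for ts, flow, dst, payload in packets:
        # sid:1000010 - the bit is set on every match, threshold or not.
        if b"ERR_CACHE_ACCESS_DENIED" in payload:
            flowbits[flow].add("proxy.deny")
            # flowbits:noalert would silence this; count what threshold
            # alone would let through, as the poster did in his test.
            if t1.alert_allowed(dst, ts):
                alerts1 += 1
        # sid:1000011 - needs the bit, unsets it after matching.
        if "proxy.deny" in flowbits[flow] and b"retrieve the URL:" in payload:
            flowbits[flow].discard("proxy.deny")
            if t2 is None or t2.alert_allowed(dst, ts):
                alerts2 += 1
    return alerts1, alerts2

def denied_responses(n, dst="10.0.0.5"):
    """Constructed sample: n denied responses to one client, each a
    header packet then a body packet on its own flow, one per second."""
    return [p for i in range(n) for p in (
        (i, f"flow{i}", dst, b"HTTP/1.0 403 Forbidden\r\nX-Cache-Error: ERR_CACHE_ACCESS_DENIED"),
        (i, f"flow{i}", dst, b"While trying to retrieve the URL: http://host.invalid/"))]
```

With 60 denials in one window, run(denied_responses(60), False) gives (1, 60), the ratio from the original post, and run(denied_responses(60), True) gives (1, 1), the "thresholds in sync" case.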
Current thread:
- Flowbits and threshold Dheeraj Gupta (Sep 13)
- Re: Flowbits and threshold Jason Wallace (Sep 14)
- Message not available
- Re: Flowbits and threshold Dheeraj Gupta (Sep 14)
- Message not available
- Re: Flowbits and threshold Jason Wallace (Sep 14)