Snort mailing list archives

Re: detection_filter not working


From: fatema bannatwala <fatema.bannatwala () gmail com>
Date: Tue, 17 Jan 2017 14:21:25 -0500

Hi Anna,

Just to confirm, you said you were seeing more than 20 attempts per second
for a given IP, and you got an alert on that while using threshold?
(I think it's a bit of a high threshold, so just wanted to confirm.)

Also, just for fun, could you try to swap the positions where you define
classtype and detection_filter to check to see if that works?
i.e. something like:
(msg:"syn flood attempt"; flags:S; detection_filter: track by_src, count 20, seconds 1; classtype:attempted-dos; sid:1000024;)


Thanks,
Fatema.
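To make the "count 20, seconds 1" semantics concrete, here is an added Python model of detection_filter's per-source rate tracking (example code, not Snort's own implementation; it assumes the sampling window starts at the first match and is reset once it expires, and the IPs and timestamps are constructed):

```python
class DetectionFilter:
    """Model of 'detection_filter: track by_src|by_dst, count C, seconds S'.

    The rule only generates an event once MORE than C matches have been
    seen for the tracked host inside a sampling window of S seconds
    (assumed model: the window opens at the first match and is reset
    when it expires; this is not Snort's own code).
    """

    def __init__(self, count: int, seconds: float, track: str = "by_src"):
        if count <= 0 or seconds <= 0:
            raise ValueError("count and seconds must be positive")
        if track not in ("by_src", "by_dst"):
            raise ValueError("track must be by_src or by_dst")
        self.count, self.seconds, self.track = count, seconds, track
        self._state = {}  # tracked host -> (window_start, matches_in_window)

    def match(self, src: str, dst: str, ts: float) -> bool:
        """Record one rule match at time ts; return True if the rule alerts."""
        key = src if self.track == "by_src" else dst
        start, n = self._state.get(key, (ts, 0))
        if ts - start >= self.seconds:  # window expired: open a fresh one
            start, n = ts, 0
        n += 1
        self._state[key] = (start, n)
        return n > self.count


def replay(events, count=20, seconds=1.0, track="by_src"):
    """Feed (src, dst, ts) matches through one filter; return alert timestamps."""
    f = DetectionFilter(count=count, seconds=seconds, track=track)
    return [ts for src, dst, ts in events if f.match(src, dst, ts)]


# Constructed sample: 25 SYNs from 10.0.0.5 within half a second (floods),
# 5 SYNs from 10.0.0.9 (stays under the count), then 21 more from 10.0.0.5
# after the first window has expired.
SAMPLE = (
    [("10.0.0.5", "10.0.0.1", i * 0.02) for i in range(25)]
    + [("10.0.0.9", "10.0.0.1", 0.3 + i * 0.02) for i in range(5)]
    + [("10.0.0.5", "10.0.0.1", 2.0 + i * 0.02) for i in range(21)]
)

if __name__ == "__main__":
    print(replay(SAMPLE))  # alerts on the 21st..25th SYN, then the 21st of the second burst
```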
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
