Snort Rule Question

How do I make this rule:

# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN nmap XMAS"; flow:stateless; flags:FPU,12; reference:arachnids,30; classtype:attempted-recon; sid:1228; rev:8;)


So that it will generate alerts for the first two packets matching it's criteria, then ignore all the rest?
3 answers Last reply
More about snort rule question
  1. Figured out how to do it using threshold, thanks anyway.
  2. Quote:
    Hi,

    I actually dont know about this but, this is what I was searching for and here I got a way of putting this rule through threshold.

    Thanks!



    Yep, you just add "threshold: type limit, track by_src, count 2, seconds 300;" to the options section of your rule to only display an alert twice every 300 seconds.
  3. Good info, thanks for the follow up. Only saw Snorts years ago at a demo but they were pushing a 3D network topology graphing software and Snort was on the sidelines.
Ask a new question

Read More

Firewalls TCP/IP Networking