
Snort Rule Question

Tags:
  • Firewalls
  • TCP/IP
  • Networking
November 20, 2009 3:12:52 AM

How do I make this rule:

# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN nmap XMAS"; flow:stateless; flags:FPU,12; reference:arachnids,30; classtype:attempted-recon; sid:1228; rev:8;)


So that it will generate alerts for the first two packets matching its criteria, then ignore all the rest?


November 20, 2009 4:18:57 AM

Figured out how to do it using threshold, thanks anyway.
November 23, 2009 5:20:01 PM

Quote:
Hi,

I actually don't know about this but, this is what I was searching for and here I got a way of putting this rule through threshold.

Thanks!



Yep, you just add "threshold: type limit, track by_src, count 2, seconds 300;" to the options section of your rule to only display an alert twice every 300 seconds.
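To make the semantics of that option concrete, here is an added example (it is not code from the thread or from the Snort project) that appends the option to the XMAS rule quoted in the question and then simulates how Snort 2.x's per-rule `threshold` keyword decides which matching packets produce alerts. It goes slightly beyond the answer by covering all three threshold types (`limit`, `threshold`, `both`); the event stream, addresses and helper names (`parse_threshold`, `with_threshold`, `run`) are constructed for the example. One caveat worth knowing: newer Snort 2 releases deprecate the in-rule `threshold` option in favour of `detection_filter` in the rule and `event_filter` in `threshold.conf`, but the counting behaviour shown here is the same.

```python
"""Simulate Snort's per-rule `threshold` option on a constructed event stream.

Semantics (Snort 2.x rule-option `threshold`):
  limit     - alert on the first `count` events in `seconds`, then suppress
              until the interval expires (what the thread's answer uses)
  threshold - alert once every `count` events in `seconds`
  both      - alert once per interval, only after `count` events
The interval starts at the first event seen for the tracked address.
"""
from dataclasses import dataclass, field


@dataclass
class ThresholdState:
    start: float = 0.0   # timestamp that opened the current interval
    count: int = 0       # matching events seen in the current interval


@dataclass
class Threshold:
    type: str            # "limit", "threshold" or "both"
    track: str           # "by_src" or "by_dst"
    count: int
    seconds: int
    _state: dict = field(default_factory=dict, repr=False)

    def check(self, src: str, dst: str, ts: float) -> bool:
        """Return True if this already-matching packet should raise an alert."""
        key = src if self.track == "by_src" else dst
        st = self._state.setdefault(key, ThresholdState(start=ts))
        if ts - st.start >= self.seconds:
            st.start, st.count = ts, 0          # interval expired: start a new one
        st.count += 1
        if self.type == "limit":
            return st.count <= self.count
        if self.type == "threshold":
            return st.count % self.count == 0
        if self.type == "both":
            return st.count == self.count
        raise ValueError(f"unknown threshold type {self.type!r}")


def parse_threshold(option: str) -> Threshold:
    """Parse 'threshold: type limit, track by_src, count 2, seconds 300;'."""
    key, _, value = option.strip().rstrip(";").partition(":")
    if key.strip() != "threshold":
        raise ValueError("not a threshold option")
    fields = dict(part.split() for part in value.split(","))
    return Threshold(type=fields["type"], track=fields["track"],
                     count=int(fields["count"]), seconds=int(fields["seconds"]))


def with_threshold(rule: str, thr: Threshold) -> str:
    """Append the threshold option inside the rule's option section."""
    option = (f"threshold: type {thr.type}, track {thr.track}, "
              f"count {thr.count}, seconds {thr.seconds};")
    body, _, tail = rule.rstrip().rpartition(")")
    return f"{body.rstrip()} {option}){tail}"


# The rule from the question (without the leading '#').
XMAS_RULE = ('alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN nmap XMAS"; '
             'flow:stateless; flags:FPU,12; reference:arachnids,30; '
             'classtype:attempted-recon; sid:1228; rev:8;)')

# Constructed event stream: (seconds since start, src, dst) for packets that
# already matched the rule. Addresses come from the RFC 5737 documentation ranges.
EVENTS = [
    (0,   "203.0.113.5",  "192.0.2.10"),
    (1,   "203.0.113.5",  "192.0.2.11"),
    (2,   "203.0.113.5",  "192.0.2.12"),   # limit: 3rd within 300 s, suppressed
    (10,  "198.51.100.7", "192.0.2.10"),   # different source, own counter
    (150, "203.0.113.5",  "192.0.2.13"),   # limit: still inside the interval
    (301, "203.0.113.5",  "192.0.2.14"),   # limit: new interval, alerts again
]


def run(events, option="threshold: type limit, track by_src, count 2, seconds 300;"):
    """Return the (timestamp, src) pairs that would be alerted on."""
    thr = parse_threshold(option)
    return [(ts, src) for ts, src, dst in events if thr.check(src, dst, ts)]


if __name__ == "__main__":
    print(with_threshold(XMAS_RULE, parse_threshold(
        "threshold: type limit, track by_src, count 2, seconds 300;")))
    for kind in ("limit", "threshold", "both"):
        opt = f"threshold: type {kind}, track by_src, count 2, seconds 300;"
        print(f"{kind:9s} -> {run(EVENTS, opt)}")
```

With `type limit`, the scanning source gets two alerts at t=0 and t=1, is silent for the rest of the 300-second window, and alerts again at t=301; the second source is counted separately because of `track by_src`. Swapping in `type threshold` or `type both` on the same stream shows why `limit` is the right choice for "alert on the first two, then ignore the rest".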
November 23, 2009 5:22:02 PM

Good info, thanks for the follow up. Only saw Snort years ago at a demo but they were pushing a 3D network topology graphing software and Snort was on the sidelines.