Network Security Snort-Signatures

[Snort-sigs] Odd thresholding error

Subject: [Snort-sigs] Odd thresholding error
Date: Tue, 13 Jun 2006 12:27:48 +1200
Hi, I am generating some rules to look for traffic to known botnet
C&Cs. These rules are generated by a perl script and, to get unique sids
which do not change as C&Cs appear and disappear, I decided to use the
decimal form of the IP address as a sid.

All appears to work but I get this error when the rules are loaded into
snort:

 FATAL ERROR: Rule-Threshold-Parse: could not create a threshold object
-- only one per sid, sid = 2147483647

There is no rule with sid = 2147483647 :(

Here is a typical rule:

alert tcp $HOME_NET any -> xxx.yyy177.226 6667 (msg:"Botnet C&C aaaa.bbbb.us"; threshold: type limit,track by_src,count 1,seconds 21600; tag: session,20,packets; classtype: botnet; sid: 2534564450; rev: 1;)

I.e. sids are 32-bit numbers.

Any ideas as to where to look for the problem?

Any bright ideas on other schemes to generate sids?

Russell


_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
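The two questions in the post (where the 2147483647 comes from, and how else to generate stable sids), as an added example that is not part of the original message and not Snort's own code. It assumes that Snort's rule parser converts the sid text the way C strtol() does with a 32-bit long, saturating anything above 2147483647 (LONG_MAX) to that value; the reported error value fits that model, but it is an inference from the post, not a reading of the Snort source. The C&C addresses (documentation ranges), the host names ending in example.invalid, and the file name cnc_sids.json are constructed for the example; the 1,000,000 starting point is the conventional beginning of the local sid range.

```python
"""Why decimal-IP sids collide in the threshold parser, and a stable alternative.

Added example; not from the original post and not Snort's own code.
Assumption: Snort's rule parser converts the sid text the way C strtol() does
with a 32-bit long, so anything above 2147483647 saturates to that value.
The reported error value (2147483647 == LONG_MAX) fits that model, but it is
an inference from the post, not a reading of the Snort source.
"""
import ipaddress
import json
import os
from collections import defaultdict

LONG_MAX_32 = 2_147_483_647
LONG_MIN_32 = -2_147_483_648
LOCAL_SID_BASE = 1_000_000  # conventional start of the local (non-vendor) sid range


def ip_to_decimal(ip: str) -> int:
    """Dotted-quad IPv4 -> unsigned 32-bit integer (the post's sid scheme)."""
    return int(ipaddress.IPv4Address(ip))


def strtol32(text: str) -> int:
    """Model of C strtol() with a 32-bit long: out-of-range input saturates."""
    value = int(text.strip())
    return max(LONG_MIN_32, min(value, LONG_MAX_32))


def threshold_collisions(sids):
    """Map each saturated sid to the original sids that collapse onto it.

    Only values shared by two or more rules are returned; a non-empty result
    is exactly the condition under which a second 'threshold' option for the
    same (parsed) sid is refused.
    """
    seen = defaultdict(list)
    for sid in sids:
        seen[strtol32(str(sid))].append(sid)
    return {parsed: originals for parsed, originals in seen.items() if len(originals) > 1}


def allocate_sids(hosts, existing, base=LOCAL_SID_BASE):
    """Give every host a sid once and never change or reuse it.

    `existing` is the host -> sid mapping saved by a previous run. Hosts already
    present keep their sid; new hosts get the next value above the highest one
    handed out so far; hosts that vanished keep their entry, so their sid is
    not recycled for a different C&C later.
    """
    sids = dict(existing)
    next_sid = max(sids.values(), default=base - 1) + 1
    for host in hosts:
        if host not in sids:
            sids[host] = next_sid
            next_sid += 1
    return sids


def load_sid_map(path):
    """Read the persisted host -> sid mapping (empty on the first run)."""
    if not os.path.exists(path):
        return {}
    with open(path) as fh:
        return json.load(fh)


def save_sid_map(path, sids):
    """Persist the mapping so the next run of the generator sees it."""
    with open(path, "w") as fh:
        json.dump(sids, fh, indent=1, sort_keys=True)


def build_rule(ip, name, sid, port=6667):
    """Render one C&C rule with the post's options; msg is quoted as Snort requires."""
    # classtype 'botnet' is the post's own; it must be declared in classification.config.
    return (
        f"alert tcp $HOME_NET any -> {ip} {port} ("
        f'msg:"Botnet C&C {name}"; '
        "threshold: type limit, track by_src, count 1, seconds 21600; "
        "tag: session,20,packets; classtype:botnet; "
        f"sid:{sid}; rev:1;)"
    )


if __name__ == "__main__":
    # Constructed C&C list: documentation addresses, hypothetical names.
    cncs = {"198.51.100.7": "irc.example.invalid",
            "203.0.113.5": "cc.example.invalid",
            "10.0.0.1": "lab.example.invalid"}

    decimal_sids = [ip_to_decimal(ip) for ip in cncs]
    print("decimal sids:", decimal_sids)
    print("collide after saturating parse:", threshold_collisions(decimal_sids))

    path = "cnc_sids.json"  # constructed file name for the persisted mapping
    sids = allocate_sids(cncs, load_sid_map(path))
    save_sid_map(path, sids)
    for ip, name in cncs.items():
        print(build_rule(ip, name, sids[ip]))
```

Every address in 128.0.0.0/1 converts to a value of at least 2^31, so under the saturating-parse assumption roughly half of any C&C list collapses onto sid 2147483647 and the second such rule trips the "only one per sid" check, even though no rule literally carries that sid. The allocation map keeps sids stable across regenerations because it is append-only: a host that drops off the list keeps its entry, and a host that reappears gets its old sid back.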

Current Thread: [Snort-sigs] Odd thresholding error, Russell Fulton