Russell Fulton wrote:
Hi Folk,
I clearly don't understand this properly, sigh...
I am getting lots (tens of thousands) of hits on the bleeding VNC rule:
:alert tcp $EXTERNAL_NET any -> $HOME_NET 5900:5920 (msg: "BLEEDING-EDGE
SCAN Potential VNC Scan 5900-5920"; flags:S; threshold: type threshold,
track by_src, count 50, seconds 900; classtype:attempted-recon;
sid:2002911; rev:1;)
Astute people will notice that I have raised both the count and the
seconds parameters to threshold in an attempt to cut down the number of
alerts.
My understanding is that I should get just one alert every 900 seconds
per source but instead I get:
No.. You'll get one alert for every 50 hosts scanned by the source in
a window of 900 seconds. (basically, whichever is greater. 47 hosts
scanned will emit one alert after 900 seconds. 100 hosts in 900 seconds
will emit two.)
If you only want one alert every 900 seconds, you might want to use a
"both" type threshold instead of a "threshold" type. rtfm, section 3.8.5.2 of
the 2.6.0 manual has a nice example.
--
Erik Fichtner; Unix Ronin
"Tyranny, whether it arises under threat of foreign physical attack
or under constant domestic authoritative scrutiny, is still tyranny.
Liberty requires security without intrusion--security plus privacy."
- Bruce Schneier
signature.asc
Description: OpenPGP digital signature
-------------------------------------------------------------------------
Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net's Techsay panel and you'll get the chance to share your
opinions on IT & business topics through brief surveys -- and earn cash
http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
