I would suggest removing your threshold statement and re-running your
test.
Cheers,
-matt
Christian Swartzbaugh wrote:
For several search-methods, including the defaults, snort compiled
with inline does not drop in certain cases and in other cases does not
alert. It is not consistent across different search methods either.
snort 2.6.0.2 (with --enable-inline)
config detection: search-method ac-std
(and others)
drop any any -> any any (msg:"does not drop"; content:"12345";
threshold: type both, track by_src, limit 3, seconds 30; )
Different search methods seem to treat dropping all differently, can
anyone describe what the idea is here and why the different search
methods are causing problems for inline? or should I visit
snort-inline mailing lists.
feofil
-------------------------------------------------------------------------
Using Tomcat but need to do more? Need to support web services, security?
Get stuff done quickly with pre-integrated technology to make your job easier
Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
-------------------------------------------------------------------------
Using Tomcat but need to do more? Need to support web services, security?
Get stuff done quickly with pre-integrated technology to make your job easier
Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
