
List:       snort-users
Subject:    [Snort-users] Threshold rule syntax?
From:       Rich Adamson <radamson () routers ! com>
Date:       2004-06-30 18:34:28
Message-ID: Chameleon.1088620414.adar0 () vegas


I'm trying the following threshold rule in local.rules on 2.2.0-RC1 (Win32):

alert tcp $HOME_NET any -> any any (msg: "High SYN Traffic"; flags:S; threshold: type limit, track by_src, count 6, seconds 60; classtype:misc-activity; sid: 1000002; rev:1;)

and receive:
ERROR: *** threshold: count
*** Invalid integer input: 6
Fatal Error, Quitting..

Anyone see anything wrong with the rule construction?

What is very odd is that after commenting out the above rule, snort starts
and runs fine and reflects five other threshold rules that are constructed
in what appears to be the same way. 

What am I missing?

Rich



