From: Will M. <wil...@gm...> - 2006-12-13 19:59:03
I will look into it when I get home tonight. btw we are looking for 2.6.0.2beta testers if anyone is interested. Victor did a lot of work revamping the stream reassembler stream4inline in this release.

Regards,

Will

On 12/13/06, David Gunnarsson <gu...@in...> wrote:
>
> I am using snort/snort_inline 2.4.5 from
> http://snort-inline.sourceforge.net/.
> b.t.w. if it matters, I use netfilter_queue and not ip_queue.
>
> regards David Gunnarsson
>
>
> Will Metcalf wrote:
> > What version of the snort/snort_inline are you using?
> >
> > On 12/13/06, *David Gunnarsson* <gu...@in...> wrote:
> >
> > I'm having a problem with DROP-rules containing thresholds. It seems
> > as if the threshold is ignored when dropping.
> >
> > example problem rule:
> > drop udp any any -> $SIP_PROXY_IP $SIP_PROXY_PORTS \
> > (msg:"a-INVITE message flooding"; content:"INVITE"; depth:6; \
> > threshold: type both , track by_src, count 5, seconds 60; \
> > sid:5000004; rev:1;)
> >
> >
> > This rule just drops all packets that content-matches regardless
> > of how many packets and in what time interval they come.
> > It is however logged as usual after 5 invites within a minute just as
> > with alert instead of drop.
> > Is it not possible to do inline protection/mitigation from flooding
> > attacks but just pure content matching?
> > regards David G
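
Added example, not part of the original thread and not Snort source code: a simplified Python model of the quoted rule, showing per packet the behaviour David reports (every content match is dropped, the threshold only limits logging) next to a hypothetical rate-gated drop. The class and function names, the fixed-interval bookkeeping and the sample traffic are assumptions made for illustration.

```python
# Added illustration, not Snort source code. Simplified model of the rule in the thread.
COUNT, SECONDS = 5, 60            # threshold: count 5, seconds 60

class BothThreshold:
    """'type both', track by_src: log once per interval, on the COUNT-th match."""
    def __init__(self):
        self.state = {}           # src -> [interval_start, matches, already_logged]

    def hit(self, src, ts):
        win = self.state.get(src)
        if win is None or ts - win[0] >= SECONDS:
            win = self.state[src] = [ts, 0, False]   # start a new interval
        win[1] += 1
        log = win[1] >= COUNT and not win[2]
        win[2] = win[2] or log
        return log, win[1]

def simulate(packets):
    """packets: (timestamp, src, payload). Returns per-packet dicts with
    'reported' (drop on every content match, as described in the thread),
    'expected' (hypothetical: drop only once the count is reached) and 'logged'."""
    thr, rows = BothThreshold(), []
    for ts, src, payload in packets:
        match = payload[:6] == b"INVITE"          # content:"INVITE"; depth:6
        log, n = thr.hit(src, ts) if match else (False, 0)
        rows.append({"ts": ts, "src": src, "reported": match,
                     "expected": match and n >= COUNT, "logged": log})
    return rows

def totals(rows):
    """Count dropped/logged packets under each model."""
    return {k: sum(r[k] for r in rows) for k in ("reported", "expected", "logged")}

# Constructed sample traffic (addresses from the documentation range).
SAMPLE = sorted(
    [(t, "192.0.2.10", b"INVITE sip:a@example.test SIP/2.0") for t in range(0, 40, 5)]
    + [(1, "192.0.2.20", b"INVITE sip:b@example.test SIP/2.0"),
       (2, "192.0.2.20", b"INVITE sip:b@example.test SIP/2.0"),
       (40, "192.0.2.10", b"OPTIONS sip:a@example.test SIP/2.0"),
       (70, "192.0.2.10", b"INVITE sip:a@example.test SIP/2.0")]
)

if __name__ == "__main__":
    print(totals(simulate(SAMPLE)))
```

On the sample, the low-rate sender at 192.0.2.20 loses both of its INVITEs under the reported behaviour, while only one log event is produced overall.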