Re: [Snort-inline-users] drop rules with thresholding

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

The problem still exist but I have kind of solved the problem at least a 
bit for my own sake i think. That is with a little workaround.
By using a combination of alert and sticky-drop i almost achieve what i 
want.
The almost part of it is that sticky-drop seem to drop forever and not 
any 30 seconds as it should but atleast now i can drop packets with 
thresholding rules.
The example rule i got to work.
alert udp any any -> any any \
(msg:"sticky drop p\uffff alla invite minsann"; content:"INVITE"; 
depth:10; sticky-drop: 30,src; \
threshold: type both , track by_src, count 5, seconds 30; \
classtype:misc-attack; sid:5000101; rev:1;)

Will Metcalf wrote:
>
> I will look into it when I get home tonight.  btw we are looking for 
> 2.6.0.2 <http://2.6.0.2> beta testers if anyone is interested. Victor 
> did a lot of work revamping the stream reassembler stream4inline in 
> this release.
>
> Regards,
>
> Will
> On 12/13/06, *David Gunnarsson* < gu...@in... 
> <mailto:gu...@in...>> wrote:
>
>     I am using snort/snort_inline 2.4.5 from
>     http://snort-inline.sourceforge.net/.
>     b.t.w. if it matters,  I use netfilter_queue and not ip_queue.
>
>     regards David Gunnarsson
>
>
>     Will Metcalf wrote:
>     > what version of the snort/snort_inline are you using?
>     >
>     > On 12/13/06, *David Gunnarsson* < gu...@in...
>     <mailto:gu...@in...>
>     > <mailto: gu...@in... <mailto:gu...@in...>>> wrote:
>     >
>     >     I'm having a problem with DROP-rules containing thresholds.
>     It seems
>     >     like if the threshold is ignored when dropping.
>     >
>     >     example problem rule:
>     >     drop udp any any -> $SIP_PROXY_IP $SIP_PROXY_PORTS \
>     >     (msg:"a-INVITE message flooding"; content:"INVITE"; depth:6; \
>     >     threshold: type both , track by_src, count 5, seconds 60; \
>     >     sid:5000004; rev:1;)
>     >
>     >
>     >     This rule just drops all packets that content-matches regardless
>     >     of how
>     >     many packet and in what time interval they come.
>     >     It is however logged as usual after 5 invites within a
>     minute just as
>     >     with alert instead of drop.
>     >     Is it not possible to do inline protection/mitigation from
>     flooding
>     >     attacks but just pure content matching?
>     >     regard David G
>     >
>     >    
>     -------------------------------------------------------------------------
>
>     >
>     >     Take Surveys. Earn Cash. Influence the Future of IT
>     >     Join SourceForge.net's Techsay panel and you'll get the
>     chance to
>     >     share your
>     >     opinions on IT & business topics through brief surveys - and
>     earn cash
>     >    
>     http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
>     <http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV>
>     >     <
>     http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
>     <http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV>>
>     >     _______________________________________________
>     >     Snort-inline-users mailing list
>     >     Sno...@li...
>     <mailto:Sno...@li...>
>     >     <mailto:Sno...@li...
>     <mailto:Sno...@li...>>
>     >     https://lists.sourceforge.net/lists/listinfo/snort-inline-users
>     >
>     >
>
>