From: David G. <gu...@in...> - 2006-12-14 11:39:30
The problem still exists, but I have kind of solved the problem, at least a bit, for my own sake I think. That is, with a little workaround. By using a combination of alert and sticky-drop I almost achieve what I want. The almost part of it is that sticky-drop seems to drop forever and not for any 30 seconds as it should, but at least now I can drop packets with thresholding rules. The example rule I got to work:

alert udp any any -> any any \
(msg:"sticky drop på alla invite minsann"; content:"INVITE"; depth:10; sticky-drop: 30,src; \
threshold: type both , track by_src, count 5, seconds 30; \
classtype:misc-attack; sid:5000101; rev:1;)

Will Metcalf wrote:
> I will look into it when I get home tonight. btw we are looking for
> 2.6.0.2 beta testers if anyone is interested. Victor did a lot of work
> revamping the stream reassembler stream4inline in this release.
>
> Regards,
>
> Will
>
> On 12/13/06, David Gunnarsson <gu...@in...> wrote:
>> I am using snort/snort_inline 2.4.5 from
>> http://snort-inline.sourceforge.net/.
>> b.t.w. if it matters, I use netfilter_queue and not ip_queue.
>>
>> regards David Gunnarsson
>>
>> Will Metcalf wrote:
>>> what version of the snort/snort_inline are you using?
>>>
>>> On 12/13/06, David Gunnarsson <gu...@in...> wrote:
>>>> I'm having a problem with DROP-rules containing thresholds. It seems
>>>> like the threshold is ignored when dropping.
>>>>
>>>> example problem rule:
>>>> drop udp any any -> $SIP_PROXY_IP $SIP_PROXY_PORTS \
>>>> (msg:"a-INVITE message flooding"; content:"INVITE"; depth:6; \
>>>> threshold: type both , track by_src, count 5, seconds 60; \
>>>> sid:5000004; rev:1;)
>>>>
>>>> This rule just drops all packets that content-matches regardless of how
>>>> many packets and in what time interval they come.
>>>> It is however logged as usual after 5 invites within a minute, just as
>>>> with alert instead of drop.
>>>> Is it not possible to do inline protection/mitigation from flooding
>>>> attacks but just pure content matching?
>>>>
>>>> regards David G
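As an added illustration (not code from snort_inline, and not posted by anyone in this thread), the following Python model shows how the rules discussed above are expected to behave: a `threshold: type both, track by_src, count 5, seconds 30` fires once per 30-second window, and only after five INVITEs have been seen from one source in that window, and a `sticky-drop: 30,src` then drops every later packet from that source for 30 seconds and expires (the behaviour the poster expected, rather than the never-expiring drop he reports). The `Packet` class, the `SAMPLE_PACKETS` traffic and the `run_sample` function are constructed here for the demonstration; the threshold semantics follow the Snort manual's description of `type both`, and the choice to alert on the triggering packet and start dropping from the next one is a modelling assumption.

```python
from dataclasses import dataclass

@dataclass
class Packet:
    ts: float      # arrival time in seconds
    src: str       # source address (the tracked key for by_src / sticky-drop src)
    payload: bytes # UDP payload

class ThresholdBoth:
    """Model of 'threshold: type both, track by_src, count N, seconds S'.

    Per the Snort manual, 'both' alerts once per S-second window after N
    matches from the same source, then stays quiet for the rest of that
    window. The window starts at the first match seen from that source.
    """
    def __init__(self, count, seconds):
        self.count, self.seconds = count, seconds
        self.state = {}  # src -> (window_start, hits, already_fired)

    def hit(self, src, ts):
        start, hits, fired = self.state.get(src, (ts, 0, False))
        if ts - start >= self.seconds:          # window elapsed: start a new one
            start, hits, fired = ts, 0, False
        hits += 1
        fire = hits >= self.count and not fired
        self.state[src] = (start, hits, fired or fire)
        return fire

class StickyDrop:
    """Model of 'sticky-drop: <seconds>,src' with an expiring timer: once
    triggered, every packet from that source is dropped until the timer runs out."""
    def __init__(self, seconds):
        self.seconds = seconds
        self.until = {}  # src -> expiry timestamp

    def trigger(self, src, ts):
        self.until[src] = ts + self.seconds

    def active(self, src, ts):
        expiry = self.until.get(src)
        if expiry is None:
            return False
        if ts >= expiry:                        # timer expired: forget the source
            del self.until[src]
            return False
        return True

class AlertStickyDropRule:
    """The poster's workaround rule: alert + threshold + sticky-drop."""
    def __init__(self, content, depth, count, seconds, sticky_seconds):
        self.content, self.depth = content, depth
        self.threshold = ThresholdBoth(count, seconds)
        self.sticky = StickyDrop(sticky_seconds)

    def matches(self, pkt):
        # 'depth:N' limits the content search to the first N payload bytes
        return self.content in pkt.payload[:self.depth]

    def process(self, pkt):
        if self.sticky.active(pkt.src, pkt.ts):
            return "drop"                       # sticky-drop drops regardless of content
        if not self.matches(pkt):
            return "pass"
        if self.threshold.hit(pkt.src, pkt.ts):
            self.sticky.trigger(pkt.src, pkt.ts)
            return "alert"                      # one alert per window, then drop follows
        return "pass"                           # matched, but below the threshold

# Constructed sample traffic, in time order: 10.0.0.1 floods INVITEs,
# 10.0.0.2 sends only two, and 10.0.0.1 returns after the drop window.
SAMPLE_PACKETS = [
    Packet(0.0, "10.0.0.1", b"INVITE sip:bob@example.invalid SIP/2.0"),
    Packet(1.0, "10.0.0.1", b"INVITE sip:bob@example.invalid SIP/2.0"),
    Packet(2.0, "10.0.0.1", b"INVITE sip:bob@example.invalid SIP/2.0"),
    Packet(3.0, "10.0.0.1", b"INVITE sip:bob@example.invalid SIP/2.0"),
    Packet(4.0, "10.0.0.1", b"INVITE sip:bob@example.invalid SIP/2.0"),  # 5th: alert
    Packet(5.0, "10.0.0.1", b"INVITE sip:bob@example.invalid SIP/2.0"),  # dropped
    Packet(6.0, "10.0.0.2", b"INVITE sip:bob@example.invalid SIP/2.0"),
    Packet(7.0, "10.0.0.2", b"INVITE sip:bob@example.invalid SIP/2.0"),
    Packet(10.0, "10.0.0.1", b"OPTIONS sip:bob@example.invalid SIP/2.0"),  # dropped too
    Packet(40.0, "10.0.0.1", b"INVITE sip:bob@example.invalid SIP/2.0"),  # timer expired
]

def run_sample(packets=SAMPLE_PACKETS):
    """Apply the thread's rule parameters to the sample traffic; returns one action per packet."""
    rule = AlertStickyDropRule(b"INVITE", depth=10, count=5, seconds=30, sticky_seconds=30)
    return [rule.process(p) for p in packets]

if __name__ == "__main__":
    for pkt, action in zip(SAMPLE_PACKETS, run_sample()):
        print(f"t={pkt.ts:5.1f} {pkt.src} {pkt.payload[:7].decode():8} -> {action}")
```

The last packet shows the difference the poster cares about: at t=40 the sticky timer has expired and the 30-second threshold window has rolled over, so the source is treated afresh and its first INVITE passes with no alert, which is what an expiring `sticky-drop` should give instead of a permanent block.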