
Snort Forums Archive


snort + snortsam + http_inspect


Posted by thesaint on July 24, 2006 06:54:36

Dear All,

Currently I use Snort 2.4 with the snortsam plugin. It works very well, but I want to make a rule to block the src IP if it causes an http_inspect alert more than 5 times in 60 seconds, so I changed my threshold.conf file and added:

threshold gen_id 119, sig_id 4, type both, track by_src, count 5, seconds 60 # BARE BYTE UNICODE ENCODING

But how can I redirect the request to snortsam to send the block signal? I can't get the sid number for BARE BYTE UNICODE ENCODING; for example, I tried to put 119 in sid-block.map, but it did not help. Can anyone help me there?
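
An added example, not part of the original post and not Snort's own code: a small Python model of how the `type both` threshold line quoted above filters gen_id 119 / sig_id 4 alerts per source address, following the documented semantics (one alert per interval once the count is reached). The fixed window that starts at a source's first event, the function names and the sample events are assumptions constructed for illustration.

```python
# Added illustration: models Snort 2.x "type both" thresholding; not Snort source.
LINE = ("threshold gen_id 119, sig_id 4, type both, track by_src, "
        "count 5, seconds 60 # BARE BYTE UNICODE ENCODING")


def parse_threshold(line):
    """Parse a standalone threshold line into a dict of options."""
    body = line.split("#", 1)[0].strip()
    if not body.startswith("threshold "):
        raise ValueError("not a threshold line")
    opts = {}
    for part in body[len("threshold "):].split(","):
        key, value = part.split()
        opts[key] = int(value) if value.isdigit() else value
    return opts


def passed_alerts(events, line=LINE):
    """Return the (time, src) events that survive the threshold.

    events: iterable of (time_seconds, src_ip, dst_ip, gen_id, sig_id).
    Assumption: the window is fixed, starts at the tracked address's
    first event, and restarts once `seconds` have elapsed.
    """
    opts = parse_threshold(line)
    if opts["type"] != "both":
        raise ValueError("only 'type both' is modelled here")
    state = {}   # tracked ip -> (window_start, events_seen)
    passed = []
    for ts, src, dst, gen, sig in sorted(events):
        if (gen, sig) != (opts["gen_id"], opts["sig_id"]):
            continue  # threshold applies to one generator/signature pair
        ip = src if opts["track"] == "by_src" else dst
        start, seen = state.get(ip, (ts, 0))
        if ts - start >= opts["seconds"]:
            start, seen = ts, 0          # interval expired: new window
        seen += 1
        state[ip] = (start, seen)
        if seen == opts["count"]:        # exactly one alert per window
            passed.append((ts, src))
    return passed


# Constructed sample events (not real traffic).
DST = "192.0.2.10"
EVENTS = (
    [(t, "10.0.0.5", DST, 119, 4) for t in (0, 5, 10, 15, 20, 25, 30)]    # burst
    + [(t, "10.0.0.7", DST, 119, 4) for t in (0, 20, 40, 60, 80)]         # slow
    + [(t, "10.0.0.5", DST, 119, 4) for t in (100, 101, 102, 103, 104)]   # new window
)

if __name__ == "__main__":
    print(passed_alerts(EVENTS))
```

In this model the bursting source produces a single alert per 60-second window, while the source that spreads five events over 80 seconds never reaches the count inside one window and produces none.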