Project

General

Profile

Actions
Copy link

Feature #610

closed

track by_src exluding port

Added by Michael H over 11 years ago. Updated over 6 years ago.

Status:
Closed
Priority:
Normal
Assignee:
OISF Dev
Target version:
-
Effort:
Difficulty:
Label:

Description

Hello,

for some of my rules it might be important to track by_src excluding the src port which does not matter.
Maybe this is for other users useful too?

Regards
Michael

Actions
Copy link
 #1

Updated by Victor Julien over 11 years ago

source port is not considered in track "by_src"

Actions
Copy link
 #2

Updated by Michael H over 11 years ago

Ok, but destination port is? The problem is an udp flood with random source and random destination ports.

Actions
Copy link
 #3

Updated by Victor Julien over 11 years ago

No, by_src and by_dst only track by ip.

Actions
Copy link
 #4

Updated by Michael H over 11 years ago

Hm, ok i think you are right but then i hit another problem which i maybe better post on the mailinglist?!

the following rule triggers but do not drop the flood, the full flood hits the target (shown in iftop).

drop ip any any -> any any (msg:"more then 200 in 1 seconds"; threshold: type both, track by_src, seconds 1, count 200;sid:2; rev:1;)

Actions
Copy link
 #5

Updated by Victor Julien over 10 years ago

  • Target version set to TBD
Actions
Copy link
 #6

Updated by Andreas Herz over 8 years ago

  • Assignee set to OISF Dev
Actions
Copy link
 #7

Updated by Andreas Herz almost 7 years ago

  • Status changed from New to Closed

Please open a dedicated issue for that

Actions
Copy link
 #8

Updated by Victor Julien over 6 years ago

  • Target version deleted (TBD)
Actions
Copy link

Also available in: Atom PDF