Feature #610: track by_src excluding port
Status: Closed
Description
Hello,
For some of my rules it might be important to track by_src excluding the source port, which does not matter.
Maybe this is useful for other users too?
Regards
Michael
Updated by Victor Julien over 11 years ago
Source port is not considered in track "by_src".
Updated by Michael H over 11 years ago
Ok, but destination port is? The problem is a UDP flood with random source and random destination ports.
Updated by Victor Julien over 11 years ago
No, by_src and by_dst only track by ip.
Updated by Michael H over 11 years ago
Hm, ok, I think you are right, but then I hit another problem which I maybe better post on the mailing list?!
The following rule triggers but does not drop the flood; the full flood hits the target (shown in iftop).
drop ip any any -> any any (msg:"more then 200 in 1 seconds"; threshold: type both, track by_src, seconds 1, count 200; sid:2; rev:1;)
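To make the behaviour discussed in this thread concrete, here is an added example (not Suricata's code and not posted by anyone in this issue): a simplified model of `threshold: type both, track by_src, seconds 1, count 200` run over a constructed UDP flood from one source IP on ever-changing ports. The port arguments, the window-reset logic and the 1 packet/ms flood are assumptions of the model; it keys on source IP only, as stated above, and it shows that the rule matches only on the packet that crosses the count once per interval.

```python
class BothThreshold:
    """Simplified model of `threshold: type both, track by_src, seconds S, count N`.

    The tracking key is the source IP alone; ports are accepted but ignored.
    Within a window of S seconds the rule matches once, on the N-th packet;
    later packets in that window do not match. Illustrative model only.
    """

    def __init__(self, count, seconds):
        self.count = count
        self.seconds = seconds
        self.state = {}  # src_ip -> [window_start, packets_seen, fired]

    def observe(self, ts, src_ip, src_port=None, dst_port=None):
        """Return True if this packet makes the thresholded rule match.

        src_port and dst_port are deliberately unused: by_src keys on IP only.
        """
        st = self.state.get(src_ip)
        if st is None or ts - st[0] >= self.seconds:
            st = [ts, 0, False]  # start a new window for this source
            self.state[src_ip] = st
        st[1] += 1
        if st[1] >= self.count and not st[2]:
            st[2] = True
            return True
        return False


def simulate_flood(packets=1500, count=200, seconds=1.0):
    """Constructed flood: one source IP, 1 packet/ms, fresh ports on every packet.

    Returns the indexes of the packets that matched the rule, i.e. the only
    packets a `drop` action could act on under this model.
    """
    th = BothThreshold(count, seconds)
    matched = []
    for i in range(packets):
        ts = i / 1000.0
        src_port = 1024 + i       # random-looking source port, ignored by by_src
        dst_port = 1024 + 7 * i   # random-looking destination port, also ignored
        if th.observe(ts, "203.0.113.5", src_port, dst_port):
            matched.append(i)
    return matched


if __name__ == "__main__":
    hits = simulate_flood()
    print(f"{len(hits)} of 1500 packets matched the rule: {hits}")
```

With 1500 packets in 1.5 seconds the model matches packet 199 (the 200th) and packet 1199 (the 200th of the next one-second window); the other 1498 packets never match the rule at all.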
Updated by Andreas Herz about 7 years ago
- Status changed from New to Closed
Please open a dedicated issue for that