Feature #610
closed
track by_src excluding port
Added by Michael H over 11 years ago.
Updated over 6 years ago.
Description
Hello,
for some of my rules it might be important to track by_src excluding the src port, which does not matter.
Maybe this is useful for other users too?
Regards
Michael
Source port is not considered in track "by_src".
OK, but destination port is? The problem is a UDP flood with random source and random destination ports.
No, by_src and by_dst only track by IP.
Hm, OK, I think you are right, but then I hit another problem which I should maybe post on the mailing list?!
The following rule triggers but does not drop the flood; the full flood hits the target (shown in iftop).
drop ip any any -> any any (msg:"more then 200 in 1 seconds"; threshold: type both, track by_src, seconds 1, count 200;sid:2; rev:1;)
- Target version set to TBD
- Status changed from New to Closed
Please open a dedicated issue for that.
- Target version deleted (TBD)
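A simplified model of the tracking described in this thread, added here as an example; it is not code from the issue or from Suricata. It keys threshold state on the source IP only, so a constructed flood with random source and destination ports lands in one counter, and it uses the rule's values (type both, count 200, seconds 1). The class and function names and the addresses are hypothetical.

```python
import random


class BySrcThreshold:
    """Toy model of `threshold: type both, track by_src` (not Suricata's code)."""

    def __init__(self, count, seconds):
        self.count = count
        self.seconds = seconds
        # One entry per source IP; ports are never part of the key.
        self.state = {}  # src_ip -> [window_start, matches_in_window, fired]

    def match(self, ts, src_ip, src_port, dst_ip, dst_port):
        """Return True when the threshold fires for this matching packet."""
        entry = self.state.get(src_ip)
        if entry is None or ts - entry[0] >= self.seconds:
            entry = self.state[src_ip] = [ts, 0, False]  # start a new window
        entry[1] += 1
        # "both": fire once per window, after `count` matches were seen.
        if entry[1] >= self.count and not entry[2]:
            entry[2] = True
            return True
        return False


def simulate_flood(packets, src_ips=("192.0.2.10",), duration=2.0, seed=610):
    """Constructed UDP flood: evenly spaced packets, random ports on both sides.

    Returns (indices of packets on which the threshold fired, tracked keys).
    """
    rng = random.Random(seed)
    thr = BySrcThreshold(count=200, seconds=1)
    fired = []
    for i in range(packets):
        ts = i * duration / packets
        src = src_ips[i % len(src_ips)]
        if thr.match(ts, src, rng.randint(1024, 65535),
                     "198.51.100.5", rng.randint(1, 65535)):
            fired.append(i)
    return fired, len(thr.state)


if __name__ == "__main__":
    # One source, 1000 packets in 2 s: one counter, one firing per 1 s window.
    print(simulate_flood(1000))
    # Same rate spread over four sources: four counters, each below 200 per second.
    print(simulate_flood(1000, src_ips=("192.0.2.10", "192.0.2.11",
                                        "192.0.2.12", "192.0.2.13")))
```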