[Oisf-users] Configure Suricata drop rule to drop whole source
First Root | Michael
mh at first-root.com
Fri Aug 22 17:59:21 UTC 2014
Hello Cooper,
thanks for your response.
But if I adjust the threshold value, doesn't that also increase the period over which the counter is incremented?
Simply put, isn't there a way to create a rule that triggers on a threshold count of 10 in 10 seconds and then drops the traffic for 60 seconds?
Regards
Michael
On 22.08.2014 at 19:54, Cooper F. Nelson <cnelson at ucsd.edu> wrote:
> You are telling suricata to only drop traffic for 10 seconds via the
> threshold rule. You probably shouldn't use thresholding for 'drop'
> rules unless you are trying to drop floods/DOS or attempting to do some
> kind of rate-shaping.
>
> If you really want to drop all port 80 traffic try this rule:
>
> > drop tcp any any -> any 80 (msg:"Local DROP Tcp port 80"; flow:from_client; sid:1;)
>
> -Coop
>
> On 8/22/2014 10:43 AM, First Root | Michael wrote:
> > Hello Cooper,
> >
> > thanks for your response.
> > it is not the case that i simply want to drop specific traffic, but this
> > was the easiest way to show what my problem is ;).
> >
> > Is there any way to define how long the drop is valid as i asked in my
> > last email?
> >
> > Regards
> > Michael
> >
>
> --
> Cooper Nelson
> Network Security Analyst
> UCSD ACT Security Team
> cnelson at ucsd.edu x41042
>
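As an added illustration (not code from this thread or from the Suricata project), the Python model below shows the difference Michael is asking about: a plain `threshold` of count 10 in 10 seconds fires on the tenth packet only and then resets, whereas a rate filter that switches the action to drop for a timeout keeps dropping that source for the full 60 seconds. Suricata exposes the latter as a `rate_filter` entry in threshold.config (count, seconds, new_action, timeout); the source address and timestamps used here are constructed.

```python
from collections import defaultdict, deque


class RateFilter:
    """Model of a per-source rate filter: once `count` events from one
    source fall within `seconds`, that source's action switches to
    `new_action` for `timeout` seconds, then reverts to `base_action`."""

    def __init__(self, count, seconds, timeout,
                 base_action="alert", new_action="drop"):
        self.count, self.seconds, self.timeout = count, seconds, timeout
        self.base_action, self.new_action = base_action, new_action
        self.events = defaultdict(deque)   # src -> timestamps in window
        self.until = {}                    # src -> when new_action expires

    def handle(self, src, ts):
        """Return the action applied to an event from `src` at time `ts`."""
        if src in self.until:
            if ts < self.until[src]:
                return self.new_action     # still inside the timeout
            del self.until[src]            # timeout elapsed: start over
            self.events[src].clear()
        win = self.events[src]
        win.append(ts)
        while ts - win[0] > self.seconds:  # slide the counting window
            win.popleft()
        if len(win) >= self.count:         # count reached: switch action
            self.until[src] = ts + self.timeout
            win.clear()
            return self.new_action
        return self.base_action


def apply_filter(rf, events):
    return [rf.handle(src, ts) for src, ts in events]


def threshold_only(events, count, seconds, action="drop"):
    """Model of the `threshold` rule keyword: the action fires on the
    count-th matching event inside the window, then the counter resets."""
    win, out = defaultdict(deque), []
    for src, ts in events:
        w = win[src]
        w.append(ts)
        while ts - w[0] > seconds:
            w.popleft()
        if len(w) >= count:
            w.clear()
            out.append(action)
        else:
            out.append("pass")
    return out


# Constructed traffic: one source, one packet per second for 12 s,
# then single packets at t=30, t=70 and t=75.
EVENTS = [("10.0.0.5", t) for t in range(12)] + \
         [("10.0.0.5", 30), ("10.0.0.5", 70), ("10.0.0.5", 75)]
```

With these events `threshold_only(EVENTS, 10, 10)` drops just the tenth packet, while `apply_filter(RateFilter(10, 10, 60), EVENTS)` drops the tenth packet and everything from that source until t=69.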