[Snort-sigs] snort-rules CURRENT update @ Fri Dec 5 13:15:18 2003

bmc at ...95... bmc at ...95...
Fri Dec 5 10:16:03 EST 2003


This rule update was brought to you by Oinkmaster.

[*] Non-rule changes: [*]

  [+++]       Added lines:       [+++]

    -> File "snort.conf":
       # lots of options available here. See doc/README.http_inspect.
       # unicode.map should be wherever your snort.conf lives, or given
       # a full path to where snort can find it.
       #	output-mode msg \
       # Include any thresholding or suppression commands
       include thresh.conf

  [---]      Removed lines:      [---]
    -> File "snort.conf":
       # Configure Thresholding and Suppression
       # ======================================
       # Thresholding:
       # This feature is used to reduce the number of logged alerts for noisy rules.
       # This can be tuned to significantly reduce false alarms, and it can also be
       # used to write a newer breed of rules. Thresholding commands limit the number
       # of times a particular event is logged during a specified time interval.
       # There are 3 types of thresholding:
       #        1) Limit
       #           Alert on the 1st M events during the time interval, then ignore events
       #           for the rest of the time interval.
       #        2) Threshold
       #           Alert every M times we see this event during the time interval.
       #        3) Both
       #           Alert once per time interval after seeing M occurrences of the event,
       #           then ignore any additional events during the time interval.
       # Threshold commands are formatted as:
       # threshold gen_id gen-id, sig_id sig-id, type limit|threshold|both, track
       # by_src|by_dst, count n , seconds m
       # Limit to logging 1 event per 60 seconds
       # threshold gen_id 1, sig_id 1851, type limit, track by_src, count 1, seconds 60
       # Global Threshold - Limit to logging 1 event per 60 seconds per IP triggering
       # each rule (rules are gen_id 1).
       # threshold gen_id 1, sig_id 0, type limit, track by_src, count 1, seconds 60
       # Global Threshold - Limit to logging 1 event per 60 seconds per IP triggering
       # any alert for any event generator
       # threshold gen_id 0, sig_id 0, type limit, track by_src, count 1, seconds 60
       # Thresholding do not have to be stand-alone commands, and can also be applied
       # to a rule. Please read README.thresholding for more information on
       # thresholding.
       # Suppression:
       # Suppression commands are standalone commands that reference generators and
       # sids and IP addresses via a CIDR block. This allows a rule to be completely
       # suppressed, or suppressed when the causitive traffic is going to or comming
       # from a specific IP or group of IP addresses.
       #  Suppress this event completely
       # suppress gen_id 1, sig_id 1852
       #  Suppress this event from this IP
       # suppress gen_id 1, sig_id 1852, track by_src, ip 10.1.1.54
       #  Suppress this event to this CIDR block
       # suppress gen_id 1, sig_id 1852, track by_dst, ip 10.1.1.0/24
       # lots of options available here. See doc/README.http_inspect
       #	output-mode pktkludge \

[*] Files added (consider updating your snort.conf to include them): [*]
    -> thresh.conf





More information about the Snort-sigs mailing list