[Snort-sigs] Current VRT keeps using threshold (in rule)?
pmullen at ...435...
Thu Apr 15 09:34:25 EDT 2010
On Wed, Apr 14, 2010 at 5:28 PM, Javier Romero <javier at ...3487...> wrote:
> Does anybody know why there still are non-supported signatures in the
> current VRT rules?
To provide a little insight into the Rube Goldberg machine, I'd like
to explain this one a bit --
Honestly, that warning is a bit misleading. The threshold rules that
were direct translations to detection_filter were already translated.
The remaining rules with the threshold option need to be replaced
either with event_filter (where the intent of the threshold was to limit
reporting) or with a combination of detection_filter and event_filter
to both provide a threshold before triggering and to limit the number
of times an alert is seen.
The rules that require event_filter to remove the current threshold
have not been translated because we are working on the best way to
provide the event_filter information to our customers (this includes
all snort users, of course). In the meantime, threshold works as it
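As an added illustration of the two translations described in the reply above (this is example configuration written for this page, not VRT rule content, and the sid values, content matches and counts are constructed placeholders), here is an old-style in-rule threshold alongside the replacement forms. Case A covers a threshold whose only purpose was to limit reporting, which becomes an event_filter in threshold.conf; case B covers a threshold that both gated the alert and limited reporting, which becomes detection_filter inside the rule plus an event_filter.

```snort
# ---- Case A: threshold used purely to limit reporting ----
# Old form (in-rule threshold, sid 1000001 is a constructed placeholder):
#   alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE noisy request";
#       flow:to_server,established; content:"/example"; http_uri;
#       threshold:type limit, track by_src, count 1, seconds 60;
#       classtype:policy-violation; sid:1000001; rev:1;)
#
# Replacement: drop the threshold keyword from the rule and bump rev ...
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE noisy request"; flow:to_server,established; content:"/example"; http_uri; classtype:policy-violation; sid:1000001; rev:2;)

# ... and carry the reporting limit in threshold.conf (or snort.conf) as an
# event_filter: at most one alert per source address per 60 seconds.
# gen_id 1 is the generator id for text rules.
event_filter gen_id 1, sig_id 1000001, type limit, track by_src, count 1, seconds 60

# ---- Case B: threshold gated triggering AND limited reporting ----
# Old form (sid 1000002 is a constructed placeholder):
#   alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXAMPLE repeated SSH banner";
#       flow:to_server,established; content:"SSH-"; depth:4;
#       threshold:type both, track by_src, count 5, seconds 60;
#       classtype:attempted-recon; sid:1000002; rev:1;)
#
# Replacement part 1: detection_filter stays inside the rule. The rule only
# fires once a source exceeds 5 matches within 60 seconds; detection_filter
# has no "type" field because it is solely a trigger threshold.
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXAMPLE repeated SSH banner"; flow:to_server,established; content:"SSH-"; depth:4; detection_filter:track by_src, count 5, seconds 60; classtype:attempted-recon; sid:1000002; rev:2;)

# Replacement part 2: the reporting side of the old "type both" moves to an
# event_filter, so that once the rule does fire you see one alert per
# source per 60 seconds rather than one per packet past the threshold.
event_filter gen_id 1, sig_id 1000002, type limit, track by_src, count 1, seconds 60
```

The split matters operationally: detection_filter decides whether the rule fires at all, while event_filter only suppresses repeats after it has fired, which is why a rule whose threshold was really a trigger condition cannot be converted with event_filter alone. When checking a converted ruleset, confirm that every sid carrying a detection_filter has a matching event_filter entry where the original threshold was of type limit or both, since a missing entry silently restores per-packet alert volume.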