[Snort-sigs] Current VRT keeps using threshold (in rule)?

Patrick Mullen pmullen at ...435...
Thu Apr 15 09:34:25 EDT 2010


On Wed, Apr 14, 2010 at 5:28 PM, Javier Romero <javier at ...3487...> wrote:
> Does anybody know why there still are non-supported signatures in the
> current VRT rules?

To provide a little insight into the Rube Goldberg machine, I'd like
to explain this one a bit --

Honestly, that warning is a bit misleading.  The threshold rules that
were direct translations to detection_filter were already translated.
The remaining rules with the threshold option need to be replaced
either with event_filter as the intent of the threshold was to limit
reporting or with a combination of detection_filter and event_filter
to both provide a threshold before triggering and to limit the number
of times an alert is seen.

The rules that require event_filter to remove the current threshold
have not been translated because we are working on the best way to
provide the event_filter information to our customers (this includes
all snort users, of course).  In the meantime, threshold works as it
always has.


Thanks,

~Patrick
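The distinction Patrick describes above, modelled as an added example that is not part of the original thread or of Snort itself: a small Python simulation of the deprecated in-rule `threshold` option next to its replacements, `detection_filter` (a rule option that gates whether the rule fires) and `event_filter` (a threshold.conf entry that limits how often a fired event is logged). The window and count semantics are my reading of the Snort manual rather than Snort's own code, and the source names, timestamps and `<sid>` placeholder are constructed.

```python
# Added example: model of Snort's deprecated in-rule `threshold` option and of its
# replacements detection_filter (rule option) and event_filter (threshold.conf).
# Semantics follow my reading of the Snort manual, not Snort's code; the events are
# constructed (source, timestamp in seconds) and are tracked by_src.

class DetectionFilter:
    """Rule option: the rule only generates an event once a source has exceeded
    `count` matches inside a `seconds` window (match count+1 and later fire)."""
    def __init__(self, count, seconds):
        self.count, self.seconds, self.state = count, seconds, {}

    def test(self, key, now):
        start, n = self.state.get(key, (now, 0))
        if now - start >= self.seconds:        # window expired: start a new one
            start, n = now, 0
        self.state[key] = (start, n + 1)
        return n + 1 > self.count


class EventFilter:
    """Post-detection filter (also what the old `threshold` option did): decides
    whether an event the rule already generated is logged.  limit: first `count`
    per window; threshold: every `count`-th; both: once per window at `count`."""
    def __init__(self, kind, count, seconds):
        self.kind, self.count, self.seconds, self.state = kind, count, seconds, {}

    def test(self, key, now):
        start, n = self.state.get(key, (now, 0))
        if now - start >= self.seconds:        # window expired: start a new one
            start, n = now, 0
        n += 1
        self.state[key] = (start, n)
        if self.kind == "limit":
            return n <= self.count
        if self.kind == "threshold":
            return n % self.count == 0
        return n == self.count                 # kind == "both"


def alerts(events, detection=None, event=None):
    """Return the (source, time) pairs that survive both filter stages."""
    out = []
    for src, t in events:
        if detection and not detection.test(src, t):
            continue                            # rule does not fire yet
        if event and not event.test(src, t):
            continue                            # fired, but not logged again
        out.append((src, t))
    return out


# Constructed traffic: A matches once a second for 10 s, B twice, A once much later.
EVENTS = sorted([("A", t) for t in range(10)] + [("B", 4), ("B", 5), ("A", 200)],
                key=lambda e: e[1])

if __name__ == "__main__":
    # old: threshold: type limit, track by_src, count 1, seconds 60;  -> event_filter
    print(alerts(EVENTS, event=EventFilter("limit", 1, 60)))
    # "fire only after 3 matches, then report once a minute" needs both stages:
    # detection_filter: track by_src, count 3, seconds 60;  in the rule, plus
    # event_filter gen_id 1, sig_id <sid>, type limit, track by_src, count 1, seconds 60
    print(alerts(EVENTS, DetectionFilter(3, 60), EventFilter("limit", 1, 60)))
```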
