[Snort-sigs] help with time in rules

waldo kitty wkitty42 at ...3507...
Tue Nov 6 20:42:17 EST 2012


On 11/6/2012 04:01, Jose A. wrote:
> Hello!
>
> I have a question when I want to develop a rule in Snort.
>
> Is it possible to specify the time and the number of events in the rule?
>
> For example, create an alarm when the same event occurs 10 times within two minutes.


Yes, that's the threshold keyword... however, threshold has been deprecated and 
there are other keywords to use... the new keywords are

     detection_filter: track <by_src|by_dst>, count <c>, seconds <s>;

     event_filter gen_id <gid>, sig_id <sid>, type <limit|threshold|both>, track <by_src|by_dst>, count <c>, seconds <s>

detection_filter is the one for use in the rule itself... event_filter is for 
use in the threshold file (if I'm reading the documentation properly)...


One reason why threshold in the rule was deprecated was because there are/were 
two meanings for it... there is also a threshold file that can be used to limit 
rules, and those two meanings were easily confused... however, the last time I 
checked, you could not threshold (the file) a rule that already used threshold 
in the rule... being able to do this would be a GoodThing<tm> in some cases, 
though...
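Editor's note, added to this archived thread and not part of either poster's message: the model below shows how the four behaviours named in the reply differ for the exact case Jose asked about (10 hits in two minutes). It treats a rule's detection_filter and the three event_filter types (limit, threshold, both) as per-address counters over a time window and runs them over a constructed set of events. The rule text and threshold.conf line in the docstring, the sid 1000001, and the addresses are made up for the illustration; the window bookkeeping (a window opens on the first match and is reset once `seconds` have passed) and the assumption that detection_filter starts alerting on the count-th match are simplifications of Snort's internals, so check the manual for your Snort version before relying on the exact boundary.

```python
"""Model of Snort's rate keywords: event_filter (type limit|threshold|both)
and detection_filter.  Added illustration only; this is not Snort source.

Assumed rule and threshold.conf lines this models (sid 1000001 is made up):

  alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SSH brute force";
      flow:established,to_server; content:"SSH"; nocase; offset:0; depth:4;
      detection_filter: track by_src, count 10, seconds 120; sid:1000001; rev:1;)

  event_filter gen_id 1, sig_id 1000001, type threshold, track by_src, \
      count 10, seconds 120
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    ts: float   # seconds since an arbitrary epoch
    sid: int
    src: str
    dst: str


class RateFilter:
    KINDS = ("limit", "threshold", "both", "detection")

    def __init__(self, sid, kind, track, count, seconds):
        if kind not in self.KINDS:
            raise ValueError(f"unknown filter type {kind!r}")
        if track not in ("by_src", "by_dst"):
            raise ValueError("track must be by_src or by_dst")
        if count <= 0 or seconds <= 0:
            raise ValueError("count and seconds must be nonzero")
        self.sid, self.kind, self.track = sid, kind, track
        self.count, self.seconds = count, seconds
        # (window start, matches seen in window) per tracked address.
        # Assumed simplification: a window opens on the first match and is
        # reset once `seconds` have elapsed; Snort's own bookkeeping differs.
        self._state = {}

    def _key(self, ev):
        return ev.src if self.track == "by_src" else ev.dst

    def alerts(self, ev) -> bool:
        """Return True if `ev` should produce an alert under this filter."""
        if ev.sid != self.sid:
            return True   # filters are per sid; other rules are untouched
        k = self._key(ev)
        start, n = self._state.get(k, (ev.ts, 0))
        if ev.ts - start >= self.seconds:
            start, n = ev.ts, 0       # window expired: start counting afresh
        n += 1
        self._state[k] = (start, n)
        if self.kind == "limit":      # first `count` in the window, then silence
            return n <= self.count
        if self.kind == "threshold":  # every `count`-th occurrence
            return n % self.count == 0
        if self.kind == "both":       # once per window, on the `count`-th
            return n == self.count
        # detection_filter: silent until the rate is reached, then every
        # further match in the window alerts (count-th match assumed here).
        return n >= self.count


def run(flt, events):
    """Feed events in time order and return those that alert."""
    return [ev for ev in sorted(events, key=lambda e: e.ts) if flt.alerts(ev)]


# Constructed sample: 12 hits from one source at 10 s spacing (t = 0..110 s),
# one hit from another source, one from an unrelated sid, and a late hit
# after the two-minute window has passed.
SAMPLE_EVENTS = (
    [Event(10.0 * i, 1000001, "10.0.0.5", "10.0.0.80") for i in range(12)]
    + [Event(50.0, 1000001, "192.0.2.7", "10.0.0.80"),
       Event(60.0, 1000002, "10.0.0.5", "10.0.0.80"),
       Event(130.0, 1000001, "10.0.0.5", "10.0.0.80")]
)


def alert_times(kind, track="by_src", count=10, seconds=120, sid=1000001):
    """Timestamps at which the filtered sid alerts for one configuration."""
    flt = RateFilter(sid, kind, track, count, seconds)
    return [ev.ts for ev in run(flt, SAMPLE_EVENTS) if ev.sid == sid]


if __name__ == "__main__":
    for kind in RateFilter.KINDS:
        print(f"{kind:>10}: {alert_times(kind)}")
```

With count 10 and seconds 120, `detection` stays quiet for the first nine hits from 10.0.0.5 and then alerts on the 10th, 11th and 12th; `threshold` and `both` alert once, on the 10th; `limit` does the opposite and passes the first ten, then suppresses the rest until the window expires and the counter restarts with the hit at t = 130 s. Switching to `track by_dst` pools both sources against 10.0.0.80, so the rate is reached two hits earlier.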
