[Snort-sigs] help with time in rules
wkitty42 at ...3507...
Tue Nov 6 20:42:17 EST 2012
On 11/6/2012 04:01, Jose A. wrote:
> I have a question when I want to develop a rule in Snort.
> Is it possible to specify the time and the number of events in the rule?
> For example, create an alarm when the same event occurs 10 times within two minutes.
yes, that's the threshold keyword... however, threshold has been deprecated and
there are other keywords to use... the new keywords are
detection_filter: track <by_src|by_dst>, count <c>, seconds <s>;
event_filter gen_id <gid>, sig_id <sid>, type <limit|threshold|both>, track
<by_src|by_dst>, count <c>, seconds <s>
detection_filter is the one for use in the rule itself... event_filter is for
use in the threshold file (if i'm reading the documentation properly)...
one reason why threshold in the rule was deprecated was because there are/were
two meanings for it... there is also a threshold file that can be used to limit
rules and those two meanings were easily confused... however, the last time i
checked, you could not threshold (the file) a rule that already used threshold
in the rule... being able to do this would be a GoodThing<tm> in some cases,
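The difference between the two keywords above is easiest to see by simulating them. The following Python model is an added example, not code from the thread or from the Snort project: it implements the documented semantics of `detection_filter: track by_src, count c, seconds s;` (the rule fires only on matches after the first `c` from the same source inside one window) and of `event_filter` with `type limit|threshold|both` from threshold.conf, applied to a constructed list of rule matches. The sampling-window model (window starts at the first match for a source and resets once `seconds` have elapsed) is a simplification of Snort's internal behaviour and is an assumption here, as is the constructed input; the `count`/`seconds` values are the ones from Jose's question (10 events in 120 seconds).

```python
"""Model of Snort's detection_filter and event_filter counting semantics.
Added example; constructed input, not from the mailing-list post."""

# Constructed sample input: (timestamp_seconds, source_ip) for matches of ONE
# rule (one sid). 10.0.0.5 matches every 10 s for two minutes (12 matches);
# 10.0.0.6 matches only twice.
SAMPLE_MATCHES = sorted(
    [(t, "10.0.0.5") for t in range(0, 120, 10)]
    + [(5, "10.0.0.6"), (15, "10.0.0.6")]
)


class RateWindow:
    """Per-key counter over a sampling window (assumption: the window starts
    at the first match for a key and resets once `seconds` have elapsed)."""

    def __init__(self, seconds):
        self.seconds = seconds
        self._state = {}  # key -> (window_start, matches_in_window)

    def hit(self, key, ts):
        start, n = self._state.get(key, (None, 0))
        if start is None or ts - start >= self.seconds:
            start, n = ts, 0          # new sampling period
        n += 1
        self._state[key] = (start, n)
        return n                      # ordinal of this match in the window


class DetectionFilter:
    """detection_filter: track by_src, count c, seconds s;  (inside a rule)
    Per the Snort manual, `count` is the number of matches ALLOWED before the
    filter is exceeded, so the rule fires on match c+1 and later in a window."""

    def __init__(self, count, seconds):
        self.count = count
        self.window = RateWindow(seconds)

    def fire(self, key, ts):
        return self.window.hit(key, ts) > self.count


class EventFilter:
    """event_filter gen_id g, sig_id s, type limit|threshold|both, track
    by_src, count c, seconds s  (in threshold.conf; post-detection).
      limit     -> pass the first c events per window, drop the rest
      threshold -> pass every c-th event per window
      both      -> pass exactly one event per window, the c-th"""

    def __init__(self, kind, count, seconds):
        if kind not in ("limit", "threshold", "both"):
            raise ValueError("type must be limit, threshold or both")
        self.kind, self.count = kind, count
        self.window = RateWindow(seconds)

    def fire(self, key, ts):
        n = self.window.hit(key, ts)
        if self.kind == "limit":
            return n <= self.count
        if self.kind == "threshold":
            return n % self.count == 0
        return n == self.count        # both


def apply_filter(flt, matches):
    """Return the (ts, src) pairs for which the filter lets an alert through."""
    return [(ts, src) for ts, src in matches if flt.fire(src, ts)]


if __name__ == "__main__":
    print("detection_filter count 10 seconds 120:",
          apply_filter(DetectionFilter(10, 120), SAMPLE_MATCHES))
    for kind in ("limit", "threshold", "both"):
        print(f"event_filter type {kind} count 10 seconds 120:",
              apply_filter(EventFilter(kind, 10, 120), SAMPLE_MATCHES))
```

Running it shows why the choice matters for the original question: with `count 10`, `detection_filter` only fires on the 11th and 12th match from 10.0.0.5 (timestamps 100 and 110), whereas `event_filter ... type threshold` or `type both` with the same numbers alerts on exactly the 10th (timestamp 90), and `type limit` passes the first 10 per source and then silences the rest of the window. The host that only matched twice never triggers anything except under `limit`.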