[Snort-sigs] Question About Thresholds

Alex Kirk akirk at ...435...
Wed Mar 20 17:36:08 EDT 2013


First of all, the "threshold" keyword is deprecated in favor of
"detection_filter".

That said, detection_filter depends on whether you're running the rule as
an "alert" or "drop" rule. In both cases, you won't actually get an event
until you reach the threshold specified by the keyword; if it's a drop sig,
it won't begin to drop until that point in time, either - but will continue
dropping packets until the timeout on the keyword is reached. For example,
"detection_filter:track by_src, count 10, seconds 30" would just be
incrementing an internal counter until the 10th matching packet, which
would then be dropped; if that occurred at, say, 5 seconds after the 1st
matching packet, any packets matching the rule for the next 25 seconds
would be dropped and would generate an event. At second 30.00000001, the
counter is reset and you start from scratch.

You may also want to look at event_filter (
http://manual.snort.org/node19.html#event_filtering), which only impacts
the number of events generated. That's probably closer to what you want,
given that you were using "limit" from the "threshold" keyword. Note,
however, that event_filters are specified outside of the rule itself, in
your snort.conf.


On Wed, Mar 20, 2013 at 11:40 AM, Miso Patel <miso.patel at ...2420...> wrote:

> I apologize for a simple question but I was hoping for some clarity on a
> situation from my engineers.
>
> If a Snort signature is thresholded (using the "limit" option), does this
> just limit alerts, and does the dropping of this traffic, if the rule is
> written to drop and Snort is in "IPS mode", still happen even if the
> threshold is causing not all alerts to be generated?
>
> I think it does, but the Snort manual does not make this clear or I am not
> reading the right pages.
>
> Thanks.
>
> -Miso, CISO
>
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
> http://www.snort.org
>
> Please visit http://blog.snort.org for the latest news about Snort!



-- 
Alex Kirk
AEGIS Program Lead
Sourcefire Vulnerability Research Team
+1-410-423-1937
alex.kirk at ...435...
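Added example (not code from the thread, from Alex, or from the Snort project): a small Python model of the behaviour the reply describes, replaying the "count 10, seconds 30" timeline from it against a constructed drop rule and a constructed snort.conf event_filter line. The rule text, the sid, the source address and the packet timestamps are all made up for illustration, and the two classes follow the reply's description of detection_filter and event_filter rather than Snort's own implementation. It shows the two things Miso asked about side by side: with only a detection_filter, every packet from the 10th until the window expires is dropped and logged; adding an event_filter of type limit cuts the logged events to one per 60 seconds while the drop decision on each packet is unchanged.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# --- constructed inputs, not from the original thread ---
RULE = (
    'drop tcp $EXTERNAL_NET any -> $HOME_NET 22 '
    '(msg:"SSH connection rate from one source exceeded"; flow:to_server,established; '
    'content:"SSH-"; depth:4; detection_filter:track by_src, count 10, seconds 30; '
    'sid:1000001; rev:1;)'
)
# event_filter is configured in snort.conf, outside the rule (hypothetical line)
EVENT_FILTER = 'event_filter gen_id 1, sig_id 1000001, type limit, track by_src, count 1, seconds 60'

_DF_RE = re.compile(
    r'detection_filter:\s*track\s+(by_src|by_dst)\s*,\s*count\s+(\d+)\s*,\s*seconds\s+(\d+)\s*;')
_EF_RE = re.compile(
    r'^event_filter\s+gen_id\s+(\d+)\s*,\s*sig_id\s+(\d+)\s*,\s*type\s+(limit|threshold|both)\s*,'
    r'\s*track\s+(by_src|by_dst)\s*,\s*count\s+(\d+)\s*,\s*seconds\s+(\d+)\s*$')


def parse_detection_filter(rule: str) -> Tuple[str, int, int]:
    """Pull (track, count, seconds) out of a rule's detection_filter option."""
    m = _DF_RE.search(rule)
    if not m:
        raise ValueError("rule has no detection_filter option")
    return m.group(1), int(m.group(2)), int(m.group(3))


def parse_event_filter(line: str) -> Tuple[int, int, str, str, int, int]:
    """Parse a snort.conf event_filter line into (gid, sid, type, track, count, seconds)."""
    m = _EF_RE.match(line.strip())
    if not m:
        raise ValueError("not an event_filter line")
    gid, sid, ftype, track, count, seconds = m.groups()
    return int(gid), int(sid), ftype, track, int(count), int(seconds)


@dataclass
class _Window:
    start: float
    n: int = 0


class _PerHostCounter:
    """Per-tracked-host counter over a sliding window that restarts from scratch
    once `seconds` have passed since the window's first hit (the reset the reply
    describes at second 30.00000001)."""

    def __init__(self, count: int, seconds: int):
        self.count, self.seconds = count, seconds
        self._win: Dict[str, _Window] = {}

    def _bump(self, host: str, t: float) -> int:
        w = self._win.get(host)
        if w is None or t - w.start > self.seconds:
            w = _Window(start=t)          # window elapsed: new window, counter reset
            self._win[host] = w
        w.n += 1
        return w.n


class DetectionFilter(_PerHostCounter):
    """Model of detection_filter as described: the rule fires on the count-th
    match and on every later match inside the same window."""

    def fires(self, host: str, t: float) -> bool:
        return self._bump(host, t) >= self.count


class EventLimit(_PerHostCounter):
    """Model of event_filter type limit: log the first `count` events per host
    in each window, suppress the rest. It only filters events, never the action."""

    def allows(self, host: str, t: float) -> bool:
        return self._bump(host, t) <= self.count


def replay(packets: List[Tuple[float, str]], rule: str,
           event_filter: Optional[str] = None) -> List[Tuple[float, str, bool]]:
    """Replay (time, tracked_host) packets that match the rule body. Returns
    (time, action_taken, event_logged) per packet; action_taken is the rule's
    header action ('drop'/'alert') once the detection_filter is reached, else 'pass'."""
    action = rule.split()[0]
    _track, count, seconds = parse_detection_filter(rule)
    df = DetectionFilter(count, seconds)
    ef = None
    if event_filter is not None:
        _gid, _sid, ftype, _track, ecount, eseconds = parse_event_filter(event_filter)
        if ftype != 'limit':
            raise NotImplementedError("only type limit is modelled here")
        ef = EventLimit(ecount, eseconds)
    out = []
    for t, host in packets:
        fired = df.fires(host, t)
        logged = fired and (ef is None or ef.allows(host, t))
        out.append((t, action if fired else 'pass', logged))
    return out


# constructed timeline: one source, seconds since its first matching packet
PACKETS = [(t, '10.0.0.5') for t in
           (0, 1, 1.5, 2, 2.5, 3, 3.5, 4, 4.5, 5,    # 10th match at 5 s: first drop + event
            6, 10, 20, 29.9, 30.0,                    # still inside the 30 s window: dropped
            30.00000001, 31)]                         # window over: counter starts again

if __name__ == '__main__':
    for t, action, logged in replay(PACKETS, RULE, EVENT_FILTER):
        print(f'{t:>12.8f}  {action:<4}  {"event" if logged else "-"}')
```

Running it prints one line per packet; compare the third column against a run with `replay(PACKETS, RULE)` (no event_filter) to see that the limit only changes which packets produce an event, while the drop column is identical in both runs.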