[Snort-users] snort 2.0.2 - Rule Thresholding

JP Vossen vossenjp at ...8683...
Thu Sep 18 16:01:02 EDT 2003

> From: "Marc Norton" <marc.norton at ...1935...>
> To: snort-users at lists.sourceforge.net
> Date: Thu, 18 Sep 2003 08:39:42 -0400
> Subject: [Snort-users] snort 2.0.2 - Rule Thresholding
> The new thresholding feature  supports both rule specific thresholding
> and global thresholding to quiet all of the rules down.  Using global
> thresholding requires you to use a sig_id value of -1 in the 'threshold'
> command instead of a specific rule sig_id .  I am posting this tid bit
> because I don't think the global thresholding made it into the
> documentation.

It didn't. :-)

> The rule specific thresholding and rule suppression is
> documented in the 'doc/README.thresholding' file.

Looks AWESOME!  I can already see some great uses for this.

I have some questions and thoughts:

Do supression commands referencing "an IP address via a CIDR block" support
the [,] list/grouping syntax?  Do they support
varables?  Would these kind of dumb examples work?

suppress gen_id 1, sig_id 521, track by_dst, ip [,]
suppress gen_id 1, sig_id 521, track by_dst, ip $DNS_SERVERS

I assume the "best" ways to implement these features are:
1) Disable the original rule, copy to local.rules and modify.
2) include $RULE_PATH/local.limits

Perhaps the docs could be updated and samples included?  I'd think adding the
include and a bit of docs to snort.conf, and taking the examples and some docs
from README.thresholding to create local.limits would do the trick.

README.thresholding should explain where generator numbers come from and how
to figure out the correct thing to use.  I.e. snort-2.0.2/src/generators.h and
the "1" in [1:234:5] in the logs...

FAQ 3.9 is going to need an overhaul!  Goodby clunky BFP and pass rules (in
some specific cases).

I'd offer to do some samples, but I'm under a couple of deadline so I wouldn't
be able to do it for a couple of weeks...

Anyway, this stuff is going to be great,
JP Vossen, CISSP              |:::======|         jp{at}jpsdomain{dot}org
My Account, My Opinions       |=========|       http://www.jpsdomain.org/
You used to have to reboot the Windows 9.x series every couple of days
because it would crash.  Now you have to reboot Windows 200x or XP every
couple of days because of a patch.  How is that better or more stable?

More information about the Snort-users mailing list