[Snort-users] How to threshold ALL sigs

Nicholas Mavis (nmavis) nmavis at ...589...
Wed May 28 15:29:15 EDT 2014


Bradley,

Snort does have global thresholding. Please refer to Event Filtering in
the following link:

http://manual.snort.org/node19.html#SECTION00342000000000000000

Using gen_id 0, sig_id 0 specifies a global threshold that applies to
all rules.

Nick

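As an added illustration of the global event_filter Nick points at (this is example code written for this page, not Snort's own code and not part of the thread): the script below parses a `gen_id 0, sig_id 0` event_filter line in the syntax of the linked manual section, then replays the alert stream from Brad's question through it. The alert list is constructed from the timestamps in his message, and the window-reset rule (a new window opens once `seconds` have elapsed since the first event for a tracked IP) is this example's approximation of Snort's bookkeeping. One caveat it makes visible: `track` accepts only `by_src` or `by_dst`, so a single event_filter cannot key on the source/destination pair Brad asks for; `by_src` reproduces his "after" picture, while `by_dst` collapses both sources into one bucket.

```python
"""Replay a constructed alert stream through a simulated Snort global
event_filter. Example code for this page; the constants below are
constructed from the question, not taken from a running sensor."""

# Constructed: the global filter from Nick's answer. gen_id 0 / sig_id 0 means
# "every rule"; type limit logs the first `count` events per tracked IP in
# each `seconds` window and drops the rest of that window.
EVENT_FILTER = ("event_filter gen_id 0, sig_id 0, type limit, "
                "track by_src, count 1, seconds 60")

# Constructed from the question's "Before thresholding" list.
ALERTS = [
    ("sourceipA", "destipA", "Alert A #1", "10:29:15"),
    ("sourceipA", "destipA", "Alert A #2", "10:29:26"),
    ("sourceipA", "destipA", "Alert A #3", "10:29:39"),
    ("sourceipB", "destipA", "Alert A #4", "10:29:42"),
    ("sourceipB", "destipA", "Alert A #5", "10:29:55"),
    ("sourceipB", "destipA", "Alert A #6", "10:30:12"),
]


def parse_event_filter(line):
    """Parse 'event_filter key value, key value, ...' into a dict.

    Only the six options shown in the manual are handled; anything else
    (or a missing option) is rejected rather than silently ignored.
    """
    body = line.split(None, 1)[1]          # drop the leading keyword
    opts = {}
    for field in body.split(","):
        key, value = field.split()
        opts[key] = int(value) if value.isdigit() else value
    required = {"gen_id", "sig_id", "type", "track", "count", "seconds"}
    missing = required - opts.keys()
    if missing:
        raise ValueError(f"event_filter is missing {sorted(missing)}")
    if opts["type"] not in ("limit", "threshold", "both"):
        raise ValueError(f"unknown type {opts['type']!r}")
    if opts["track"] not in ("by_src", "by_dst"):
        raise ValueError(f"track must be by_src or by_dst, got {opts['track']!r}")
    return opts


def to_seconds(hhmmss):
    """'HH:MM:SS' -> seconds since midnight (all sample alerts are same-day)."""
    h, m, s = (int(x) for x in hhmmss.split(":"))
    return h * 3600 + m * 60 + s


def apply_event_filter(opts, alerts):
    """Return [(alert_name, logged), ...] for the given filter and stream.

    Per tracked IP we keep [window_start, events_seen_in_window]. The window
    is reset when `seconds` have elapsed since its first event (this
    example's approximation of Snort's window handling). Semantics per type:
      limit     - log the first `count` events in the window, drop the rest
      threshold - log every `count`-th event in the window
      both      - log once per window, on the `count`-th event
    """
    state = {}
    out = []
    for src, dst, name, ts in alerts:
        key = src if opts["track"] == "by_src" else dst
        now = to_seconds(ts)
        win = state.get(key)
        if win is None or now - win[0] >= opts["seconds"]:
            win = state[key] = [now, 0]
        win[1] += 1
        n, count = win[1], opts["count"]
        if opts["type"] == "limit":
            logged = n <= count
        elif opts["type"] == "threshold":
            logged = n % count == 0
        else:  # both
            logged = n == count
        out.append((name, logged))
    return out


def logged_names(filter_line, alerts=ALERTS):
    """Convenience: names of alerts that survive the filter."""
    result = apply_event_filter(parse_event_filter(filter_line), alerts)
    return [name for name, logged in result if logged]


if __name__ == "__main__":
    for name, logged in apply_event_filter(parse_event_filter(EVENT_FILTER), ALERTS):
        print(name, "" if logged else "------ not logged (thresholded)")
```

Running the script prints Brad's "after" list: #1 and #4 are logged, the other four are suppressed as repeats from the same source inside the 60-second window. Swapping `track by_src` for `track by_dst` leaves only #1, because every alert shares `destipA`.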
On 5/28/14, 3:23 PM, "Jefferson, Shawn" <Shawn.Jefferson at ...14448...>
wrote:

>The best thing to do, if you aren't interested in Snort alerting on this
>traffic is to use a BPF to not pass it to Snort in the first place.  If
>you can't do that, or don't want to, then perhaps a custom pass rule? (or
>rather probably two, one for each direction.)
>
>
>-----Original Message-----
>From: Turnbough, Bradley E. [mailto:bturnbough at ...15650...]
>Sent: May 28, 2014 11:49 AM
>To: snort-users at lists.sourceforge.net
>Subject: [Snort-users] How to threshold ALL sigs
>
>Hi All,
>
>Is there a way to threshold ALL sig alerts, but doing so based upon
>source IP and dest ip (session aware)?
>
>Before thresholding:
>
>sourceipA ------> destipA  ---- Alert A #1 10:29:15
>sourceipA ------> destipA  ---- Alert A #2 10:29:26
>sourceipA ------> destipA  ---- Alert A #3 10:29:39
>sourceipB ------> destipA  ---- Alert A #4 10:29:42
>sourceipB ------> destipA  ---- Alert A #5 10:29:55
>sourceipB ------> destipA  ---- Alert A #6 10:30:12
>
>After thresholding:
>
>sourceipA ------> destipA  ---- Alert A #1 10:29:15
>sourceipA ------> destipA  ---- Alert A #2 10:29:26 ------ not logged (thresholded)
>sourceipA ------> destipA  ---- Alert A #3 10:29:39 ------ not logged (thresholded)
>sourceipB ------> destipA  ---- Alert A #4 10:29:42
>sourceipB ------> destipA  ---- Alert A #5 10:29:55 ------ not logged (thresholded)
>sourceipB ------> destipA  ---- Alert A #6 10:30:12 ------ not logged (thresholded)
>
>I want to basically write one rule / threshold for this.  I don't want to
>maintain a huge library of thresholds.  Any ideas?
>
>
>
>Thanks,
>
>Brad
>_____________________________________________________________ This e-mail
>transmission contains information that is confidential and may be
>privileged. It is intended only for the addressee(s) named above. If you
>receive this e-mail in error, please do not read, copy or disseminate it
>in any manner. If you are not the intended recipient, any disclosure,
>copying, distribution or use of the contents of this information is
>prohibited. Please reply to the message immediately by informing the
>sender that the message was misdirected. After replying, please erase it
>from your computer system. Your assistance in correcting this error is
>appreciated.
>
>--------------------------------------------------------------------------
>----
>Time is money. Stop wasting it! Get your web API in 5 minutes.
>www.restlet.com/download
>http://p.sf.net/sfu/restlet
>_______________________________________________
>Snort-users mailing list
>Snort-users at lists.sourceforge.net
>Go to this URL to change user options or unsubscribe:
>https://lists.sourceforge.net/lists/listinfo/snort-users
>Snort-users list archive:
>http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
>Please visit http://blog.snort.org to stay current on all the latest
>Snort news!
