[Snort-users] How to threshold ALL sigs

Jeremy Hoel jthoel at ...11827...
Wed May 28 15:46:05 EDT 2014


Wow.. learned something new today.  Awesome.. Thanks Nicholas!


On Wed, May 28, 2014 at 1:29 PM, Nicholas Mavis (nmavis)
<nmavis at ...589...> wrote:

> Bradley,
>
> Snort does have global thresholding. Please refer to Event Filtering in
> the following link:
>
> http://manual.snort.org/node19.html#SECTION00342000000000000000
>
> Using gen_id 0, sig_id 0 specifies a global threshold applying to
> all rules.
>
> Nick
>
> On 5/28/14, 3:23 PM, "Jefferson, Shawn" <Shawn.Jefferson at ...14448...>
> wrote:
>
> >The best thing to do, if you aren't interested in Snort alerting on this
> >traffic is to use a BPF to not pass it to Snort in the first place.  If
> >you can't do that, or don't want to, then perhaps a custom pass rule? (or
> >rather probably two, one for each direction.)
> >
> >
> >-----Original Message-----
> >From: Turnbough, Bradley E. [mailto:bturnbough at ...15650...]
> >Sent: May 28, 2014 11:49 AM
> >To: snort-users at lists.sourceforge.net
> >Subject: [Snort-users] How to threshold ALL sigs
> >
> >Hi All,
> >
> >Is there a way to threshold ALL sig alerts, but doing so based upon
> >source IP and dest ip (session aware)?
> >
> >Before thresholding:
> >
> >sourceipA ------> destipA  ---- Alert A #1 10:29:15
> >sourceipA ------> destipA  ---- Alert A #2 10:29:26
> >sourceipA ------> destipA  ---- Alert A #3 10:29:39
> >sourceipB ------> destipA  ---- Alert A #4 10:29:42
> >sourceipB ------> destipA  ---- Alert A #5 10:29:55
> >sourceipB ------> destipA  ---- Alert A #6 10:30:12
> >
> >After thresholding:
> >
> >sourceipA ------> destipA  ---- Alert A #1 10:29:15
> >sourceipA ------> destipA  ---- Alert A #2 10:29:26 ------ not logged (thresholded)
> >sourceipA ------> destipA  ---- Alert A #3 10:29:39 ------ not logged (thresholded)
> >sourceipB ------> destipA  ---- Alert A #4 10:29:42
> >sourceipB ------> destipA  ---- Alert A #5 10:29:55 ------ not logged (thresholded)
> >sourceipB ------> destipA  ---- Alert A #6 10:30:12 ------ not logged (thresholded)
> >
> >I want to basically write one rule / threshold for this.  I don't want to
> >maintain a huge library of thresholds.  Any ideas?
> >
> >
> >
> >Thanks,
> >
> >Brad
> >_____________________________________________________________ This e-mail
> >transmission contains information that is confidential and may be
> >privileged. It is intended only for the addressee(s) named above. If you
> >receive this e-mail in error, please do not read, copy or disseminate it
> >in any manner. If you are not the intended recipient, any disclosure,
> >copying, distribution or use of the contents of this information is
> >prohibited. Please reply to the message immediately by informing the
> >sender that the message was misdirected. After replying, please erase it
> >from your computer system. Your assistance in correcting this error is
> >appreciated.
> >
> >--------------------------------------------------------------------------
> >----
> >Time is money. Stop wasting it! Get your web API in 5 minutes.
> >www.restlet.com/download
> >http://p.sf.net/sfu/restlet
> >_______________________________________________
> >Snort-users mailing list
> >Snort-users at lists.sourceforge.net
> >Go to this URL to change user options or unsubscribe:
> >https://lists.sourceforge.net/lists/listinfo/snort-users
> >Snort-users list archive:
> >http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
> >
> >Please visit http://blog.snort.org to stay current on all the latest
> >Snort news!
>
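The global event_filter Nick points to, worked through against Brad's six sample alerts. This is an added example and not code from any of the posters or from the Snort project: the `event_filter` line is the documented Snort 2.9 syntax (`gen_id 0, sig_id 0` makes it apply to every rule), while the Python below is a constructed, simplified model of how `type limit` bookkeeping decides which alerts are logged. It also shows the caveat a practitioner runs into here: Snort's `track` option is `by_src` or `by_dst`, not the source/destination pair, so `by_src` gives Brad the per-source result he sketched, whereas `by_dst` would collapse both sources onto the one destination.

```python
# Snort 2.9 event_filter syntax. gen_id 0 / sig_id 0 makes it global, so it
# applies to all rules without maintaining a per-signature threshold library.
GLOBAL_EVENT_FILTER = (
    "event_filter gen_id 0, sig_id 0, type limit, track by_src, count 1, seconds 60"
)

# Constructed sample data: the six alerts from Brad's "before thresholding"
# listing as (source, destination, time-of-day).
SAMPLE_ALERTS = [
    ("sourceipA", "destipA", "10:29:15"),
    ("sourceipA", "destipA", "10:29:26"),
    ("sourceipA", "destipA", "10:29:39"),
    ("sourceipB", "destipA", "10:29:42"),
    ("sourceipB", "destipA", "10:29:55"),
    ("sourceipB", "destipA", "10:30:12"),
]


def _seconds(hms):
    """Convert an HH:MM:SS string to seconds since midnight."""
    h, m, s = (int(part) for part in hms.split(":"))
    return h * 3600 + m * 60 + s


def parse_event_filter(line):
    """Parse one 'event_filter key value, key value, ...' line into a dict."""
    keyword, _, rest = line.strip().partition(" ")
    if keyword != "event_filter":
        raise ValueError("not an event_filter line: %r" % line)
    opts = {}
    for item in rest.split(","):
        key, value = item.split()
        opts[key] = value
    for key in ("gen_id", "sig_id", "count", "seconds"):
        opts[key] = int(opts[key])
    if opts["type"] != "limit":
        # This model only covers 'type limit'; 'threshold' and 'both' differ.
        raise NotImplementedError("only type limit is modelled here")
    if opts["track"] not in ("by_src", "by_dst"):
        raise ValueError("track must be by_src or by_dst")
    return opts


def apply_limit_filter(alerts, opts):
    """Simplified model of 'type limit': log the first `count` events per
    tracked address in each `seconds` window, where a window opens at the
    first event seen for that address. Returns [(alert, logged_bool), ...]."""
    windows = {}  # tracked address -> (window_start, events_seen_in_window)
    results = []
    for src, dst, hms in alerts:
        key = src if opts["track"] == "by_src" else dst
        now = _seconds(hms)
        start, seen = windows.get(key, (None, 0))
        if start is None or now - start >= opts["seconds"]:
            start, seen = now, 0  # window expired (or first event): reopen
        logged = seen < opts["count"]
        windows[key] = (start, seen + 1)  # suppressed events still count
        results.append(((src, dst, hms), logged))
    return results


def logged_alerts(alerts, filter_line):
    """Return only the alerts that survive the given event_filter line."""
    opts = parse_event_filter(filter_line)
    return [alert for alert, logged in apply_limit_filter(alerts, opts) if logged]


if __name__ == "__main__":
    for line in (GLOBAL_EVENT_FILTER, GLOBAL_EVENT_FILTER.replace("by_src", "by_dst")):
        print(line)
        for alert, logged in apply_limit_filter(SAMPLE_ALERTS, parse_event_filter(line)):
            print("  %s ------> %s  %s  %s" % (alert[0], alert[1], alert[2],
                                              "" if logged else "------ not logged"))
```

With `track by_src` the model logs alert #1 (first from sourceipA) and alert #4 (first from sourceipB) and suppresses the other four, matching Brad's "after thresholding" listing. With `track by_dst` only alert #1 survives, because all six fall within 60 seconds of the first event to destipA. Two further points from the Snort manual worth keeping in mind when deploying this: a global event_filter does not override a per-signature threshold or a more specific stand-alone event_filter, and only one event_filter may exist for a given gen_id/sig_id pair.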