[Snort-users] How to threshold ALL sigs

Jefferson, Shawn Shawn.Jefferson at ...14448...
Wed May 28 15:48:55 EDT 2014


Yes, but that doesn't work for a SRC<->DEST type suppression.  You can only make Snort blind to ALL things from that IP.  You need to use BPF to do a SRC<->DEST suppression (basically not sending that traffic to snort at all.)

-----Original Message-----
From: Nicholas Mavis (nmavis) [mailto:nmavis at ...589...] 
Sent: May 28, 2014 12:29 PM
To: Jefferson, Shawn; Turnbough, Bradley E.; snort-users at ...3783...net
Subject: Re: [Snort-users] How to threshold ALL sigs

Bradley,

Snort does have global thresholding. Please refer to Event Filtering in the following link:

http://manual.snort.org/node19.html#SECTION00342000000000000000

gen_id 0, sig_id 0 is used to specify a global threshold applying to all rules.

Nick

On 5/28/14, 3:23 PM, "Jefferson, Shawn" <Shawn.Jefferson at ...14448...>
wrote:

>The best thing to do, if you aren't interested in Snort alerting on 
>this traffic is to use a BPF to not pass it to Snort in the first 
>place.  If you can't do that, or don't want to, then perhaps a custom 
>pass rule? (or rather probably two, one for each direction.)
>
>
>-----Original Message-----
>From: Turnbough, Bradley E. [mailto:bturnbough at ...15650...]
>Sent: May 28, 2014 11:49 AM
>To: snort-users at lists.sourceforge.net
>Subject: [Snort-users] How to threshold ALL sigs
>
>Hi All,
>
>Is there a way to threshold ALL sig alerts, but doing so based upon 
>source IP and dest ip (session aware)?
>
>Before thresholding:
>
>sourceipA ------> destipA  ---- Alert A #1 10:29:15
>sourceipA ------> destipA  ---- Alert A #2 10:29:26
>sourceipA ------> destipA  ---- Alert A #3 10:29:39
>sourceipB ------> destipA  ---- Alert A #4 10:29:42
>sourceipB ------> destipA  ---- Alert A #5 10:29:55
>sourceipB ------> destipA  ---- Alert A #6 10:30:12
>
>After thresholding:
>
>sourceipA ------> destipA  ---- Alert A #1 10:29:15
>sourceipA ------> destipA  ---- Alert A #2 10:29:26 ------ not logged (thresholded)
>sourceipA ------> destipA  ---- Alert A #3 10:29:39 ------ not logged (thresholded)
>sourceipB ------> destipA  ---- Alert A #4 10:29:42
>sourceipB ------> destipA  ---- Alert A #5 10:29:55 ------ not logged (thresholded)
>sourceipB ------> destipA  ---- Alert A #6 10:30:12 ------ not logged (thresholded)
>
>I want to basically write one rule / threshold for this.  I don't want 
>to maintain a huge library of thresholds.  Any ideas?
>
>
>
>Thanks,
>
>Brad
>
>_______________________________________________
>Snort-users mailing list
>Snort-users at lists.sourceforge.net
>Go to this URL to change user options or unsubscribe:
>https://lists.sourceforge.net/lists/listinfo/snort-users
>Snort-users list archive:
>http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
>Please visit http://blog.snort.org to stay current on all the latest 
>Snort news!
>
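A small model of the global filter Nick points at (the Snort 2 manual's `event_filter gen_id 0, sig_id 0, type limit, track by_src, count 1, seconds 60`), run over the alerts from Brad's listing, alongside the per-(src, dst) tracking Shawn notes event_filter cannot do. This is an added example, not code from the thread or from Snort; the alert list is constructed from Brad's example, and `by_pair` is a hypothetical key that no event_filter option provides.

```python
from datetime import datetime, timedelta
from typing import Callable, Dict, List, Tuple

# Constructed from the alert listing in Brad's question: (src, dst, sig, time).
SAMPLE_ALERTS = [
    ("sourceipA", "destipA", "Alert A", "10:29:15"),
    ("sourceipA", "destipA", "Alert A", "10:29:26"),
    ("sourceipA", "destipA", "Alert A", "10:29:39"),
    ("sourceipB", "destipA", "Alert A", "10:29:42"),
    ("sourceipB", "destipA", "Alert A", "10:29:55"),
    ("sourceipB", "destipA", "Alert A", "10:30:12"),
]

# Tracking keys. gen_id 0 / sig_id 0 means the signature is ignored, so the
# key is the address only. by_src and by_dst correspond to Snort's track
# options; by_pair is hypothetical (event_filter has no such option).
def by_src(src: str, dst: str, sig: str) -> tuple: return (src,)
def by_dst(src: str, dst: str, sig: str) -> tuple: return (dst,)
def by_pair(src: str, dst: str, sig: str) -> tuple: return (src, dst)


def limit_filter(alerts: List[tuple], key: Callable, count: int = 1,
                 seconds: int = 60) -> List[bool]:
    """Simplified 'type limit' filter: log the first `count` events per key
    in each `seconds` window (the window opens on the first event seen) and
    drop the rest. Returns one bool per alert: True = logged."""
    windows: Dict[tuple, Tuple[datetime, int]] = {}
    logged = []
    for src, dst, sig, hms in alerts:
        t = datetime.strptime(hms, "%H:%M:%S")
        k = key(src, dst, sig)
        start, seen = windows.get(k, (None, 0))
        if start is None or t - start >= timedelta(seconds=seconds):
            start, seen = t, 0          # window expired: start a fresh one
        seen += 1
        windows[k] = (start, seen)
        logged.append(seen <= count)
    return logged


if __name__ == "__main__":
    # On Brad's data by_src already produces exactly his "After thresholding"
    # column; the difference only appears once a source talks to a second
    # destination inside the window (constructed extra alert below).
    extra = SAMPLE_ALERTS + [("sourceipA", "destipB", "Alert A", "10:29:50")]
    for name, fn in (("by_src", by_src), ("by_dst", by_dst), ("by_pair", by_pair)):
        print(name, limit_filter(extra, fn))
```

With by_src the extra sourceipA -> destipB alert is dropped because sourceipA's window is already open, which is the "blind to ALL things from that IP" behaviour Shawn describes; by_pair would have logged it.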
