[Snort-users] How to threshold ALL sigs
waldo kitty
wkitty42 at ...14940...
Wed May 28 22:32:23 EDT 2014
On 5/28/2014 2:49 PM, Turnbough, Bradley E. wrote:
> After thresholding:
>
> sourceipA ------> destipA ---- Alert A #1 10:29:15
> sourceipA ------> destipA ---- Alert A #2 10:29:26 ------ not logged (thresholded)
> sourceipA ------> destipA ---- Alert A #3 10:29:39 ------ not logged (thresholded)
> sourceipB ------> destipA ---- Alert A #4 10:29:42
> sourceipB ------> destipA ---- Alert A #5 10:29:55 ------ not logged (thresholded)
> sourceipB ------> destipA ---- Alert A #6 10:30:12 ------ not logged (thresholded)
>
> I want to basically write one rule / threshold for this. I don't want to maintain a huge library of thresholds. Any ideas?
you can threshold in each rule... it isn't called threshold any more, though...
eg: alert tcp $HOME_NET 21 -> $EXTERNAL_NET any (msg:"LOCAL.RULES FTP
Brute-Force login attempt (1) -- BLOCKED DESTINATION";
flow:from_server,established; dsize:<100; content:"530 "; depth:4;
pcre:"/^530\s+(Login|User|Failed|Not)/smi"; classtype:unsuccessful-user;
detection_filter: track by_dst, count 5, seconds 300; sid:100000001; rev:5;)
note the "detection_filter" section then follow up in the docs ;)
--
NOTE: No off-list assistance is given without prior approval.
Please *keep mailing list traffic on the list* unless
private contact is specifically requested and granted.
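To make the window semantics behind threshold/event_filter and detection_filter concrete, here is an added Python simulation (not code from this thread or from Snort itself) that replays the quoted alert timeline through each filter type; the fixed-window bookkeeping is an assumed simplification of Snort's tracking, kept just close enough to reproduce the "logged / not logged" pattern shown above.

```python
"""Replay a Snort alert timeline through event_filter / detection_filter logic."""
from collections import defaultdict

# Constructed timeline matching the quoted "before thresholding" events:
# (event number, source IP, destination IP, HH:MM:SS)
ALERTS = [
    (1, "sourceipA", "destipA", "10:29:15"),
    (2, "sourceipA", "destipA", "10:29:26"),
    (3, "sourceipA", "destipA", "10:29:39"),
    (4, "sourceipB", "destipA", "10:29:42"),
    (5, "sourceipB", "destipA", "10:29:55"),
    (6, "sourceipB", "destipA", "10:30:12"),
]

def _secs(hhmmss):
    h, m, s = (int(x) for x in hhmmss.split(":"))
    return h * 3600 + m * 60 + s

def apply_filter(alerts, ftype, track, count, seconds):
    """Return the event numbers that survive the filter.

    ftype follows Snort's documented types: 'limit' logs the first `count`
    events per window, 'threshold' logs every `count`-th event, 'both' logs
    once per window when `count` is reached, and 'detection_filter' fires
    only after more than `count` matches in `seconds`.  Each tracked host
    gets a fixed window that opens on its first event (assumed simplification).
    """
    state = defaultdict(lambda: (None, 0))  # host -> (window_start, hits)
    logged = []
    for num, src, dst, ts in alerts:
        host = src if track == "by_src" else dst
        t = _secs(ts)
        start, hits = state[host]
        if start is None or t - start >= seconds:  # window expired: reopen
            start, hits = t, 0
        hits += 1
        state[host] = (start, hits)
        fire = {
            "limit": hits <= count,
            "threshold": hits % count == 0,
            "both": hits == count,
            "detection_filter": hits > count,
        }[ftype]
        if fire:
            logged.append(num)
    return logged

if __name__ == "__main__":
    # limit/by_src/count 1 reproduces the quoted output: only #1 and #4 logged
    print(apply_filter(ALERTS, "limit", "by_src", 1, 60))
    # the detection_filter from the FTP rule above fires only once the 6th
    # event to destipA exceeds count 5 inside the 300 s window
    print(apply_filter(ALERTS, "detection_filter", "by_dst", 5, 300))
```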