[Snort-users] How to threshold ALL sigs

Joel Esler (jesler) jesler at ...589...
Thu May 29 08:44:41 EDT 2014


On May 28, 2014, at 10:34 PM, waldo kitty <wkitty42 at ...14940...> wrote:

no ya don't ;)  you've forgotten about "detection_filter" which is what the old
in-rule thresholding is now called...

e.g.: alert tcp $HOME_NET 21 -> $EXTERNAL_NET any (msg:"LOCAL.RULES FTP
Brute-Force login attempt (1) -- BLOCKED DESTINATION";
flow:from_server,established; dsize:<100; content:"530 "; depth:4;
pcre:"/^530\s+(Login|User|Failed|Not)/smi"; classtype:unsuccessful-user;
detection_filter: track by_dst, count 5, seconds 300; sid:100000001; rev:5;)

kinda.  detection_filter doesn’t limit the number of alerts like threshold did.  That’s still threshold.
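The distinction Joel draws, as an added model that is not from the thread or from Snort's own code: detection_filter only decides when a rule starts firing, while a threshold / event_filter of type limit caps how many of its alerts get logged, so limiting a noisy rule needs the latter on top of the former. The window bookkeeping is a simplified assumption, and the client address and timestamps are constructed.

```python
from collections import defaultdict

class RateWindow:
    """Per-address hit counter over a fixed window that restarts `seconds`
    after its first hit (simplified assumption about Snort's bookkeeping)."""
    def __init__(self, count, seconds):
        self.count, self.seconds = count, seconds
        self.state = defaultdict(lambda: (None, 0))   # addr -> (window_start, hits)

    def hits(self, addr, ts):
        start, n = self.state[addr]
        if start is None or ts - start >= self.seconds:
            start, n = ts, 0                          # window expired: start a new one
        n += 1
        self.state[addr] = (start, n)
        return n

def detection_filter_fires(rw, addr, ts):
    """Rule option detection_filter: a match becomes an alert only once more
    than `count` matches fall in the window, and then on every further match."""
    return rw.hits(addr, ts) > rw.count

def event_filter_limit_passes(rw, addr, ts):
    """threshold / event_filter type limit: log the first `count` alerts per window."""
    return rw.hits(addr, ts) <= rw.count

# Constructed sample: two bursts of 8 FTP "530" replies to one client, 400 s apart.
SAMPLE = [(ts, "203.0.113.10") for ts in list(range(0, 8)) + list(range(400, 408))]

def simulate(events=SAMPLE):
    df = RateWindow(count=5, seconds=300)     # detection_filter from the quoted rule
    ef = RateWindow(count=1, seconds=300)     # event_filter type limit, count 1
    both = RateWindow(count=1, seconds=300)   # event_filter applied to detection_filter output
    out = {"detection_filter": 0, "event_filter": 0, "combined": 0}
    for ts, addr in events:
        fired = detection_filter_fires(df, addr, ts)
        out["detection_filter"] += fired      # 3 alerts per burst: matches 6, 7 and 8
        out["event_filter"] += event_filter_limit_passes(ef, addr, ts)
        if fired:                             # only alerts the rule actually raised reach the filter
            out["combined"] += event_filter_limit_passes(both, addr, ts)
    return out

if __name__ == "__main__":
    print(simulate())   # {'detection_filter': 6, 'event_filter': 2, 'combined': 2}
```

The "combined" counter is the usual way to get both behaviours: the rule's detection_filter suppresses single failed logins, and a threshold entry keeps a sustained brute-force burst to one logged event per window.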
