[Snort-users] How to threshold ALL sigs

Russ Combs (rucombs) rucombs at ...589...
Thu May 29 09:03:20 EDT 2014

From: Joel Esler (jesler)
Sent: Thursday, May 29, 2014 8:44 AM
To: waldo kitty
Cc: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] How to threshold ALL sigs

On May 28, 2014, at 10:34 PM, waldo kitty <wkitty42 at ...14940...<mailto:wkitty42 at ...14940...>> wrote:

no ya don't ;)  you've forgotten about "detection_filter" which is what the old
in-rule thresholding is now called...

eg: alert tcp $HOME_NET 21 -> $EXTERNAL_NET any (msg:"LOCAL.RULES FTP
Brute-Force login attempt (1) -- BLOCKED DESTINATION";
flow:from_server,established; dsize:<100; content:"530 "; depth:4;
pcre:"/^530\s+(Login|User|Failed|Not)/smi"; classtype:unsuccessful-user;
detection_filter: track by_dst, count 5, seconds 300; sid:100000001; rev:5;)

kinda.  detection_filter doesn’t limit the number of alerts like threshold did.  That’s still threshold.

* threshold is deprecated:

-- use detection_filter in a rule to prevent it from generating events until the limit is reached

-- use event_filter outside a rule to limit the number of events logged

See README.filters for details.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20140529/4c7d0a5a/attachment.html>

More information about the Snort-users mailing list