[Snort-users] How to threshold ALL sigs

Turnbough, Bradley E. bturnbough at ...15650...
Thu May 29 09:58:25 EDT 2014


________________________________
From: Russ Combs (rucombs) [rucombs at ...589...]
Sent: Thursday, May 29, 2014 8:03 AM
To: Joel Esler (jesler); waldo kitty
Cc: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] How to threshold ALL sigs


________________________________
From: Joel Esler (jesler)
Sent: Thursday, May 29, 2014 8:44 AM
To: waldo kitty
Cc: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] How to threshold ALL sigs

On May 28, 2014, at 10:34 PM, waldo kitty <wkitty42 at ...14940...<mailto:wkitty42 at ...14940...>> wrote:

no ya don't ;)  you've forgotten about "detection_filter" which is what the old
in-rule thresholding is now called...

eg: alert tcp $HOME_NET 21 -> $EXTERNAL_NET any ( \
        msg:"LOCAL.RULES FTP Brute-Force login attempt (1) -- BLOCKED DESTINATION"; \
        flow:from_server,established; dsize:<100; content:"530 "; depth:4; \
        pcre:"/^530\s+(Login|User|Failed|Not)/smi"; classtype:unsuccessful-user; \
        detection_filter: track by_dst, count 5, seconds 300; sid:100000001; rev:5;)

Kinda.  detection_filter doesn't limit the number of alerts like threshold did.  That's still threshold.

* threshold is deprecated:

-- use detection_filter in a rule to prevent it from generating events until the limit is reached

-- use event_filter outside a rule to limit the number of events logged

See README.filters for details.




Works like a charm.  Thanks all!
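Putting the two pieces of Russ's answer side by side, as an added example that is not from this thread or from the Snort distribution: a brute-force rule that uses detection_filter to gate event generation, the event_filter lines that would go in threshold.conf (or snort.conf) to limit what gets logged for that sid, and the global gen_id 0 / sig_id 0 filter that covers every signature, which is what the subject line asks for. The rule, sid 1000001, its pattern, and the counts and windows are illustrative values chosen here, not anything from the original post.

```snort
# local.rules
# detection_filter lives inside the rule and controls event GENERATION:
# nothing fires until one destination has exceeded `count` matches within
# `seconds`; after that, every further match in the window is an event.
# (sid 1000001 and the counts are example values, not from the thread.)
alert tcp $HOME_NET 21 -> $EXTERNAL_NET any ( \
    msg:"LOCAL FTP brute-force login attempt"; \
    flow:from_server,established; dsize:<100; content:"530 "; depth:4; \
    pcre:"/^530\s+(Login|User|Failed|Not)/smi"; classtype:unsuccessful-user; \
    detection_filter: track by_dst, count 5, seconds 300; \
    sid:1000001; rev:1; )

# threshold.conf (or the same line in snort.conf)
# event_filter lives outside the rule and controls event LOGGING: once the
# rule above starts firing, keep at most one logged event per destination
# per 300 s instead of one per failed login.  gen_id 1 is the rules engine.
event_filter gen_id 1, sig_id 1000001, type limit, track by_dst, count 1, seconds 300

# "Threshold ALL sigs": gen_id 0 / sig_id 0 is the global event_filter that
# applies to every rule.  A filter defined for a specific gen_id/sig_id, like
# the one above, is used instead of the global one for that signature.
# Here: at most one logged event per source address per rule every 60 s.
event_filter gen_id 0, sig_id 0, type limit, track by_src, count 1, seconds 60

# Deprecated spellings that still parse in Snort 2.9 but should not be used
# in new configs (kept here only to show what the two lines above replace):
#   threshold: type limit, track by_dst, count 1, seconds 300;     (rule option)
#   threshold gen_id 1, sig_id 1000001, type limit, track by_dst, count 1, seconds 300
```

Only one event_filter may be defined per gen_id/sig_id pair, so the per-sid line and the global line above do not conflict; `type threshold` and `type both` are the other two event_filter modes, and README.filters documents the exact counting boundaries for each.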