[Snort-users] threshold.conf - event_filter dificulties.

Y M snort at ...15979...
Fri Apr 10 22:51:31 EDT 2015

My understanding is that the local rule thresholds takes precedence over the global ones.
If you need a global threshold you can use something like:
event_filter gen_id 0, sig_id 0, type limit, track by_src, count 1, seconds 60
The "gen_id 0" "sid_id 0" will denote this event_filter as global. More information here:
Go over the paragraph above the examples section.

From: jp.zurbrugg at ...14527...
To: snort-users at lists.sourceforge.net
Date: Fri, 10 Apr 2015 08:54:24 -0400
Subject: [Snort-users] threshold.conf - event_filter dificulties.

Hello everyone,
Current setup:
Ubuntu 12.04.5 LTS  3.2.0-23-generic #36-Ubuntu SMP Tue Apr 10 20:39:51 UTC 2012 x86_64 x86_64 x86_64 GNU/LinuxSnort Version GRE (Build 177)Using PCRE version: 8.12 2011-01-15Using ZLIB version: options: ./configure --enable-sourcefiremakesudo make install
pulledpork was used to update rules, config:
rule_url=https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|<oink code>rule_url=http://labs.snort.org/feeds/ip-filter.blf|IPBLACKLIST|openrule_url=https://www.snort.org/reg-rules/|opensource.gz|<oink code>rule_url=https://rules.emergingthreatspro.com/|emerging.rules.tar.gz|openignore=deleted.rules,experimental.rules,local.rulestemp_path=/tmprule_path=/etc/snort/rules/snort.ruleslocal_rules=/etc/snort/rules/local.rulessid_msg=/etc/snort/sid-msg.mapsid_msg_version=2sid_changelog=/var/log/sid_changes.logsorule_path=/usr/local/lib/snort_dynamicrules/snort_path=/usr/local/bin/snortconfig_path=/etc/snort/snort.confdistro=Ubuntu-10-4black_list=/etc/snort/rules/iplists/default.blacklistIPRVersion=/etc/snort/rules/iplistssnort_control=/usr/local/bin/snort_control enablesid=/etc/snort/enablesid.conf dropsid=/etc/snort/dropsid.conf disablesid=/etc/snort/disablesid.conf modifysid=/etc/snort/modifysid.confversion=0.7.0
We are trying to setup a global event_filter in hopes of controlling the amount of duplicated events that get fired from the same src\dst per second.We see a bunch of alerts being fired multiple times whithin the same timestamp.
Steps taken:edit /etc/snort/threshold.conf:-------add line: event_filter gen_id 0, sig_id 0, type limit, track by_src, count 1, seconds 15**** We have also tried track by dst and also tried individual event_filter by rule gen\sig.**** We have also tried using the deprecated 'threshold command'
edit /etc/snort/snort.conf------ verify that we have this line added: include threshold.conf
Run snort with following command: snort -A console -q -u snort -g snort -c /etc/snort/snort.conf -i eth0
Confirm we see the following lines in the output:
Apr 9 09:22:15 nth-garbage snort[398]: +-----------------------[event-filter-global]----------------------------------Apr 9 09:22:15 nth-garbage snort[398]: | gen-id=global sig-id=global type=Limit     tracking=src count=1   seconds=15Apr 9 09:22:15 nth-garbage snort[398]: +-----------------------[event-filter-local]-----------------------------------******************************* VERY LONG LIST OF EVENT-FILTER RULES HERE **************************

We don't know what we are doing wrong. Events of the same rule get fired multiple times within the same second. Examples:
gen 1 \ sig 2014473 --- ET INFO JAVA - Java Archive Download By Vulnerable Client         gen 1 \ sig 21646 ---EXPLOIT-KIT Blackhole exploit kit landing page with specific structure[...]
Which event_filter takes priority, a Global or a local event filter? 
Any tips would be greatly appreciated!
Thanks in advance. 		 	   		  

BPM Camp - Free Virtual Workshop May 6th at 10am PDT/1PM EDT
Develop your own process in accordance with the BPMN 2 standard
Learn Process modeling best practices with Bonita BPM through live exercises
http://www.bonitasoft.com/be-part-of-it/events/bpm-camp-virtual- event?utm_
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
Snort-users list archive:

Please visit http://blog.snort.org to stay current on all the latest Snort news!

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20150411/cd18321e/attachment.html>

More information about the Snort-users mailing list