[Snort-users] threshold.conf - event_filter difficulties.

Jean-Pierre Zurbrügg jp.zurbrugg at ...14527...
Tue Apr 14 14:16:37 EDT 2015

Hello Everyone,
Thanks for the link (http://manual.snort.org/node19.html#SECTION00342000000000000000). In it I read that rule event_filters take precedence over global rules.
I've been reviewing our setup and we have this example:
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackhole exploit kit landing page with specific structure - prototype catch"; flow:to_client,established; file_data; content:"prototype"; content:"}catch("; distance:0; pcre:"/prototype([^\x7d]{1,3})?\x7dcatch\x28/smi"; metadata:ruleset community, service ftp-data, service http, service imap, service pop3; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,community.websense.com/blogs/securitylabs/pages/black-hole-exploit-kit.aspx; classtype:attempted-user; sid:21646; rev:14;)

This rule doesn't have any event_filters and still triggers many events within a second. This is while having the following global event_filter:

event_filter gen_id 0, sig_id 0, type limit, track by_src, count 1, seconds 15
The generated alerts come from the same src IP and go towards the same destination IP.

Thanks in advance!
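As an added illustration (not part of the original post and not Snort's own code), the model below replays the posted scenario against a simplified implementation of Snort's event_filter semantics: `limit` logs the first `count` events per tracking interval, `threshold` logs every `count`-th event, `both` logs once per interval on the `count`-th event, counts are kept per signature and per tracked IP, and a filter naming a specific gen_id/sig_id takes precedence over the global `gen_id 0, sig_id 0` one. The source and destination addresses, timestamps and the rule-specific threshold filter for sid 21646 are constructed assumptions.

```python
from collections import defaultdict

# Constructed model of Snort event_filter semantics (added example, not Snort's code).
# Filters are keyed by (gen_id, sig_id); (0, 0) is the global filter quoted in the post.
GLOBAL_ONLY = {
    (0, 0): {"type": "limit", "track": "by_src", "count": 1, "seconds": 15},
}
# Hypothetical rule-specific filter for sid 21646, to show that it overrides the global one.
WITH_RULE_FILTER = dict(GLOBAL_ONLY)
WITH_RULE_FILTER[(1, 21646)] = {"type": "threshold", "track": "by_src", "count": 2, "seconds": 60}


class EventFilterEngine:
    def __init__(self, filters):
        self.filters = filters
        # Per (gen_id, sig_id, tracked_ip): start of the current interval and event count.
        self.state = defaultdict(lambda: {"start": None, "n": 0})

    def _filter_for(self, gen_id, sig_id):
        # A filter naming the rule wins; gen_id 0 / sig_id 0 is only the fallback.
        return self.filters.get((gen_id, sig_id)) or self.filters.get((0, 0))

    def accept(self, gen_id, sig_id, src, dst, ts):
        """True if the alert is logged, False if the event_filter suppresses it."""
        f = self._filter_for(gen_id, sig_id)
        if f is None:
            return True
        ip = src if f["track"] == "by_src" else dst
        st = self.state[(gen_id, sig_id, ip)]
        if st["start"] is None or ts - st["start"] >= f["seconds"]:
            st["start"], st["n"] = ts, 0          # interval expired: start a new one
        st["n"] += 1
        if f["type"] == "limit":                  # log the first `count` events per interval
            return st["n"] <= f["count"]
        if f["type"] == "threshold":              # log every `count`-th event
            return st["n"] % f["count"] == 0
        if f["type"] == "both":                   # log once per interval, on the count-th event
            return st["n"] == f["count"]
        raise ValueError(f"unknown event_filter type {f['type']}")


def replay(filters, sig_id=21646, src="10.0.0.5", dst="192.0.2.10"):
    """Replay five constructed alerts for one rule, one src and one dst inside a single
    second, then a sixth alert 15 seconds later; return each alert's logged/suppressed decision."""
    eng = EventFilterEngine(filters)
    timestamps = [100.0, 100.2, 100.4, 100.6, 100.8, 115.0]
    return [eng.accept(1, sig_id, src, dst, ts) for ts in timestamps]
```

With only the global `limit` filter, the burst from one source yields a single logged alert and the next one is logged only once the 15-second interval has elapsed; with the rule-specific `threshold` filter in place the global filter no longer applies to sid 21646, while other sids still fall back to it.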
