[Snort-users] Event_filters don't work with in-rule threshold filters.

fatema bannatwala fatema.bannatwala at ...11827...
Mon Apr 25 11:30:50 EDT 2016


I am a new snort user, and started looking at some alerts. I wanted to
customize the rules' threshold by defining a stand-alone event_filter in
the threshold.config file for a specific gid and sid.

I realized that after doing that, snort doesn't start, and when I disable
those event_filters in threshold.config, snort will start normally.
After looking into the original rule in .rules files pulled by pulledpork,
I noticed that the rules that I was trying to write event_filter for, have
in-rule threshold command limiting the logged alerts.
When I read the documentation, it doesn't say anything about "you can't
specify event_filters for the rules that already have a 'threshold' command
defined inside the rules".
And I think that's the problem and that's why snort fails to start when I
try to define stand-alone event filters for the rules having threshold
defined inside the rules.

So I wanted to ask what's the correct way to limit the alerts of some rules
that already have a threshold defined in them? (I have many rules for which I
would really like to define event_filters to limit the logged alerts, but
am not able to do that.)

I apologize if this has already been discussed in some other thread (any
pointer to the same would be appreciated).
Thanks in advance.
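The situation described in the post above (Snort refusing to start because a stand-alone event_filter targets a gid:sid whose rule already carries an in-rule `threshold:` keyword) can be caught before a restart by cross-checking the loaded .rules files against threshold.config. The checker below is an added example written for this page; it is not code from the original post, from the Snort project, or from pulledpork. The rule text and threshold.config contents are constructed samples with placeholder sids, and the checker only considers `event_filter` lines, since those are what the post is about (`suppress` lines are deliberately left out of the comparison).

```python
import re
from typing import List, Set, Tuple

# Constructed sample rules (not real VRT/ET signatures; sid values are placeholders).
SAMPLE_RULES = """
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXAMPLE ssh scan"; flow:to_server; threshold:type limit, track by_src, count 5, seconds 60; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE http probe"; flow:to_server,established; sid:1000002; rev:2;)
# alert udp any any -> any 53 (msg:"EXAMPLE commented out"; threshold:type both, track by_dst, count 1, seconds 10; sid:1000003; rev:1;)
alert tcp any any -> any 445 (msg:"EXAMPLE smb"; gid:1; threshold: type threshold, track by_src, count 10, seconds 30; sid:1000004; rev:1;)
"""

# Constructed threshold.config: filters for three sids, plus a suppress line that the
# checker ignores because only event_filter lines are compared.
SAMPLE_THRESHOLD_CONF = """
# constructed threshold.config
event_filter gen_id 1, sig_id 1000001, type limit, track by_src, count 1, seconds 60
event_filter gen_id 1, sig_id 1000002, type limit, track by_src, count 1, seconds 60
event_filter gen_id 1, sig_id 1000003, type limit, track by_src, count 1, seconds 60
suppress gen_id 1, sig_id 1000004
"""

SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
GID_RE = re.compile(r"\bgid\s*:\s*(\d+)\s*;")
THRESH_RE = re.compile(r"\bthreshold\s*:")
FILTER_RE = re.compile(r"^\s*event_filter\s+gen_id\s+(\d+)\s*,\s*sig_id\s+(\d+)", re.IGNORECASE)


def rules_with_inline_threshold(rules_text: str) -> Set[Tuple[int, int]]:
    """Return (gid, sid) pairs of active rules that carry an in-rule threshold keyword."""
    found: Set[Tuple[int, int]] = set()
    for line in rules_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # a disabled rule never loads, so it cannot conflict
        m_sid = SID_RE.search(line)
        if not m_sid or not THRESH_RE.search(line):
            continue
        m_gid = GID_RE.search(line)
        gid = int(m_gid.group(1)) if m_gid else 1  # Snort's default generator id
        found.add((gid, int(m_sid.group(1))))
    return found


def event_filter_targets(conf_text: str) -> Set[Tuple[int, int]]:
    """Return (gen_id, sig_id) pairs named by event_filter lines in threshold.config."""
    targets: Set[Tuple[int, int]] = set()
    for line in conf_text.splitlines():
        m = FILTER_RE.match(line)
        if m:
            targets.add((int(m.group(1)), int(m.group(2))))
    return targets


def find_conflicts(rules_text: str, conf_text: str) -> List[Tuple[int, int]]:
    """gid:sid pairs that have both an in-rule threshold and a stand-alone event_filter."""
    return sorted(rules_with_inline_threshold(rules_text) & event_filter_targets(conf_text))


if __name__ == "__main__":
    for gid, sid in find_conflicts(SAMPLE_RULES, SAMPLE_THRESHOLD_CONF):
        print(f"conflict: gid {gid} sid {sid} has an in-rule threshold and an event_filter")
```

On the constructed input the only reported pair is gid 1, sid 1000001: sid 1000002 has a filter but no in-rule threshold, sid 1000003 is commented out, and sid 1000004 is only suppressed. In a real deployment the same functions can be run over the concatenation of every file named in `include` lines of snort.conf; the regexes match on the whole rule line, so a `threshold:` string inside a `msg` would be a false positive worth eyeballing.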
