[Snort-users] Event_filters don't work with in-rule threshold filters.
fatema.bannatwala at ...11827...
Mon Apr 25 11:30:50 EDT 2016
I am a new snort user, and started looking at some alerts. I wanted to
customize the rules threshold by defining stand-alone event_filter in
threshold.config file for specific gid and sid.
I realized that after doing that, snort doesn't start, and when I disable
those event_filters in threshold.config, snort will start normally.
After looking into the original rule in .rules files pulled by pulledpork,
I noticed that the rules that I was trying to write event_filters for have
an in-rule threshold command limiting the logged alerts.
When I read the documentation, it doesn't say anything like "you can't
specify event_filters for the rules that already have a threshold command
defined inside the rules".
And I think that's the problem and that's why snort fails to start when I
try to define stand-alone event filters for the rules having threshold
defined inside the rules.
So I wanted to ask what's the correct way to limit alerts for some rules
that already have a threshold defined in them? (I have many rules for which I
would really like to define event_filters to limit the logged alerts, but
am not able to do that.)
I apologize if this has already been discussed in some other thread (any
pointer to the same would be appreciated).
Thanks in advance.
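The post describes Snort refusing to start when threshold.config carries a stand-alone event_filter for a gid:sid whose rule already has an in-rule `threshold:` option. The script below is an added example, not code from the poster or from the Snort project: a pre-flight lint that parses a .rules file and a threshold.config file (Snort 2 syntax is assumed) and reports every gid:sid that appears in both places, so the conflict can be found before a restart fails. The rule and filter lines embedded in it are constructed samples; rules commented out with `#` (the way pulledpork disables them) are skipped, and a rule without an explicit `gid:` is taken as gid 1.

```python
"""Pre-flight check for the conflict described in the post: a gid:sid that has
both an in-rule `threshold:` option (in a .rules file) and a stand-alone
`event_filter` (in threshold.config).  Added example; assumes Snort 2 syntax."""
import re

# In-rule options of interest (Snort 2 rule syntax).
SID_RE = re.compile(r'\bsid\s*:\s*(\d+)\s*;')
GID_RE = re.compile(r'\bgid\s*:\s*(\d+)\s*;')
THRESHOLD_RE = re.compile(r'\bthreshold\s*:')
# Stand-alone filter line in threshold.config.
EVENT_FILTER_RE = re.compile(r'^event_filter\s+gen_id\s+(\d+)\s*,\s*sig_id\s+(\d+)\b')

# Constructed sample input (not real ruleset content).
SAMPLE_RULES = """\
alert tcp any any -> any 80 (msg:"CONSTRUCTED plain rule"; sid:1000001; rev:1;)
alert tcp any any -> any 22 (msg:"CONSTRUCTED rule with in-rule limit"; threshold:type limit, track by_src, count 1, seconds 60; sid:1000002; rev:1;)
# alert tcp any any -> any 23 (msg:"CONSTRUCTED disabled by pulledpork"; threshold:type limit, track by_src, count 1, seconds 60; sid:1000003; rev:1;)
alert udp any any -> any 53 (msg:"CONSTRUCTED explicit gid"; gid:1; threshold:type both, track by_dst, count 5, seconds 120; sid:1000004; rev:1;)
"""

SAMPLE_THRESHOLD_CONFIG = """\
# constructed threshold.config
event_filter gen_id 1, sig_id 1000001, type limit, track by_src, count 1, seconds 60
event_filter gen_id 1, sig_id 1000002, type limit, track by_src, count 1, seconds 60
event_filter gen_id 1, sig_id 1000003, type limit, track by_src, count 1, seconds 60
event_filter gen_id 1, sig_id 1000004, type threshold, track by_dst, count 10, seconds 60
"""


def rules_with_inline_threshold(rules_text):
    """Return {(gid, sid): rule_line} for every active rule carrying `threshold:`."""
    found = {}
    for raw in rules_text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):   # blank or disabled rule
            continue
        if not THRESHOLD_RE.search(line):
            continue
        sid = SID_RE.search(line)
        if sid is None:                         # malformed rule without sid; skip
            continue
        gid = GID_RE.search(line)
        key = (int(gid.group(1)) if gid else 1, int(sid.group(1)))  # gid defaults to 1
        found[key] = line
    return found


def standalone_event_filters(threshold_text):
    """Return {(gid, sid): filter_line} for every active event_filter entry."""
    found = {}
    for raw in threshold_text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        m = EVENT_FILTER_RE.match(line)
        if m:
            found[(int(m.group(1)), int(m.group(2)))] = line
    return found


def find_conflicts(rules_text, threshold_text):
    """Sorted (gid, sid) pairs that have both an in-rule threshold and an event_filter."""
    inline = rules_with_inline_threshold(rules_text)
    standalone = standalone_event_filters(threshold_text)
    return sorted(set(inline) & set(standalone))


if __name__ == "__main__":
    # With real files: find_conflicts(open(rules_path).read(), open(cfg_path).read())
    for gid, sid in find_conflicts(SAMPLE_RULES, SAMPLE_THRESHOLD_CONFIG):
        print(f"gid:{gid} sid:{sid} has both an in-rule threshold and an event_filter")
```

Run against the sample data it reports sid 1000002 and 1000004; sid 1000003 is not reported because its rule is commented out, and sid 1000001 has no in-rule threshold, so a stand-alone event_filter for it is fine. In practice the script would be pointed at the pulledpork output file and the live threshold.config before each Snort restart.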