[Snort-users] Event_filters don't work with in-rule threshold filters.

fatema bannatwala fatema.bannatwala at ...11827...
Mon Apr 25 13:43:20 EDT 2016

Thanks WKitty42 for the quick response.
For some reason, I didn't get the reply in my inbox, was surfing the
internet and got to read there.

I don't see any error logging in the snort log file, I think I have to
enable the debugging mode for the same.

We are running snort in production, and daily the updated list of the ruled
get pulled by pulledpork, so even if I comment the rules out in the
original .rules file, it will get updated with the un-commented version
next morning .

I think I will go with the option of disabling the sid using
disablesid.conf file and then editing the original rule in local.rules file
with new sids.
Thank you for the suggestion, but I feel that if we can't define
stand-alone event_filters for the rules we want (just because rules already
have threshold defined in them), it forfeits the whole purpose of
introducing the stand-alone event_filter feature :( (Yes, it can be useful
as global filters, but not for fine-grained control over specific rules)



On Mon, Apr 25, 2016 at 11:30 AM, fatema bannatwala <
fatema.bannatwala at ...11827...> wrote:

> Hi,
> I am a new snort user, and started looking at some alerts. I wanted to
> customize the rules threshold by defining stand-alone event_filter in
> threshold.config file for specific gid and sid.
> I realized that after doing that, snort doesn't start and when I disable
> those event_filters in threshold.config , snort will start normally.
> After looking into the original rule in .rules files pulled by pulledpork,
> I noticed that the rules that I was trying to write event_filter for, have
> in-rule threshold command limiting the logged alerts.
> When I read the documentation, it doesn't say anything about "you can't
> specify event_filters for the rules that already have "threshold command"
> defined inside the rules".
> And I think that's the problem and that's why snort fails to start when I
> try to define stand-alone event filters for the rules having threshold
> defined inside the rules.
> So I wanted to ask that what's the correct way to limit some rules alerts
> that already have threshold defined in them? (I have many rules for which I
> would really like to define event_filters to limit the logged alerts, but
> am not able to do that).
> I apologize if this is already been discussed in some other thread (any
> pointer to the same would be appreciated).
> Thanks in advance.
> Thanks,
> Fatema.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20160425/9d3f3d91/attachment.html>

More information about the Snort-users mailing list