[Snort-users] Event_filters don't work with in-rule threshold filters.

Y M snort at ...15979...
Mon Apr 25 16:03:24 EDT 2016

Or you can use the modifysid.conf to completely remove the event_filter or modify its value per-rule to the desired value.


From: fatema bannatwala <fatema.bannatwala at ...11827...>
Sent: Monday, April 25, 2016 5:43 PM
To: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] Event_filters don't work with in-rule threshold filters.

Thanks WKitty42 for the quick response.
For some reason, I didn't get the reply in my inbox, was surfing the internet and got to read there.

I don't see any error logging in the snort log file, I think I have to enable the debugging mode for the same.

We are running snort in production, and daily the updated list of the ruled get pulled by pulledpork, so even if I comment the rules out in the original .rules file, it will get updated with the un-commented version next morning .

I think I will go with the option of disabling the sid using disablesid.conf file and then editing the original rule in local.rules file with new sids.
Thank you for the suggestion, but I feel that if we can't define stand-alone event_filters for the rules we want (just because rules already have threshold defined in them), it forfeits the whole purpose of introducing the stand-alone event_filter feature :( (Yes, it can be useful as global filters, but not for fine-grained control over specific rules)



On Mon, Apr 25, 2016 at 11:30 AM, fatema bannatwala <fatema.bannatwala at ...391...1827...<mailto:fatema.bannatwala at ...11827...>> wrote:

I am a new snort user, and started looking at some alerts. I wanted to customize the rules threshold by defining stand-alone event_filter in threshold.config file for specific gid and sid.

I realized that after doing that, snort doesn't start and when I disable those event_filters in threshold.config , snort will start normally.
After looking into the original rule in .rules files pulled by pulledpork, I noticed that the rules that I was trying to write event_filter for, have in-rule threshold command limiting the logged alerts.
When I read the documentation, it doesn't say anything about "you can't specify event_filters for the rules that already have "threshold command" defined inside the rules".
And I think that's the problem and that's why snort fails to start when I try to define stand-alone event filters for the rules having threshold defined inside the rules.

So I wanted to ask that what's the correct way to limit some rules alerts that already have threshold defined in them? (I have many rules for which I would really like to define event_filters to limit the logged alerts, but am not able to do that).

I apologize if this is already been discussed in some other thread (any pointer to the same would be appreciated).
Thanks in advance.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20160425/adddfb74/attachment.html>

More information about the Snort-users mailing list