[Snort-users] Local Rule Import Error - threshold (in rule) is deprecated; use detection_filter instead. in rule

Full Name subaru279 at ...722...
Mon May 8 18:15:16 EDT 2017


Greetings, I'm having issues performing local rule imports on my FirePOWER devices. It doesn't seem to like the threshold filter and recommends that I use the detection_filter instead (see error below). Am I doing something wrong, or is there a way to bypass or allow rule imports with the threshold filter?

Local Rule Import Error: "threshold (in rule) is deprecated; use detection_filter instead. in rule"  

Rule: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Discover Phishing Domain Feb 02 2017"; flow:to_server,established; content:"GET"; http_method; content:"discover.com"; http_header; fast_pattern; content:!"Referer|3a 20|"; http_header; content:!"discover.com|0d 0a|"; http_header; content:!"autodiscover"; http_header; pcre:"/^Host\x3a[^\r\n]+discover\.com[^\r\n]{20,}\r\n/Hmi"; threshold: type limit, count 1, track by_src, seconds 30; classtype:trojan-activity; sid:2023819; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_02_02, updated_at 2017_02_02;)

From the research, it seems threshold filters are no longer supported. If so, why is it still being utilized? Thanks
http://manual-snort-org.s3-website-us-east-1.amazonaws.com/node35.html

Regards,
Mike
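
A pre-import check for the situation described in the post, as an added example (not part of the original message and not Snort or Cisco code): it scans local rule text for the in-rule `threshold` option named in the import error and reports each affected sid with its parameters. The function names and the second sample rule (sid 1000001) are constructed for illustration.

```python
# Constructed sample: the rule from the post (content negations and metadata
# trimmed) plus one made-up rule, sid 1000001, with no in-rule threshold.
SAMPLE_RULES = r'''
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Discover Phishing Domain Feb 02 2017"; flow:to_server,established; content:"GET"; http_method; content:"discover.com"; http_header; fast_pattern; pcre:"/^Host\x3a[^\r\n]+discover\.com[^\r\n]{20,}\r\n/Hmi"; threshold: type limit, count 1, track by_src, seconds 30; classtype:trojan-activity; sid:2023819; rev:2;)
alert tcp any any -> any 80 (msg:"constructed; threshold: inside msg"; content:"x\;y"; sid:1000001; rev:1;)
'''


def split_options(body):
    """Split a rule's option body on ';', skipping ';' that is quoted or escaped."""
    opts, buf, quoted, escaped = [], [], False, False
    for ch in body:
        if ch == ";" and not quoted and not escaped:
            opts.append("".join(buf).strip())
            buf = []
            continue
        buf.append(ch)
        if ch == '"' and not escaped:
            quoted = not quoted
        escaped = (ch == "\\") and not escaped
    opts.append("".join(buf).strip())
    return [o for o in opts if o]


def find_inrule_thresholds(text):
    """Return [(sid, params)] for every rule that uses the in-rule threshold option."""
    hits = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "(" not in line or ")" not in line:
            continue
        body = line[line.index("(") + 1 : line.rindex(")")]
        opts = {}
        for opt in split_options(body):
            key, _, val = opt.partition(":")
            opts.setdefault(key.strip(), val.strip())
        if "threshold" in opts:
            pairs = (p.split(None, 1) for p in opts["threshold"].split(","))
            params = {p[0]: p[1].strip() for p in pairs if len(p) == 2}
            hits.append((int(opts.get("sid", "0")), params))
    return hits


if __name__ == "__main__":
    for sid, params in find_inrule_thresholds(SAMPLE_RULES):
        print(f"sid {sid}: in-rule threshold {params}")
```

Run it against a rules file before import by passing the file's contents to `find_inrule_thresholds`; a `threshold:` string that only appears inside a quoted `msg` is not reported.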