[Snort-users] Local Rule Import Error - threshold (in rule) is deprecated; use detection_filter instead. in rule

Joel Esler (jesler) jesler at ...589...
Tue May 9 07:10:43 EDT 2017


You can unsubscribe by following the directions at the bottom of every email.  

--
Sent from my iPhone

> On May 9, 2017, at 03:24, Sergio Fenech <sergiofenech at ...14527...> wrote:
> 
> Guys please can you get me out of this email chain??
> 
> On 09/05/2017, 00:26, "Joel Esler (jesler)" <jesler at ...589...> wrote:
> 
>    Well, first, this rule isn’t an official rule, this is an Emerging Threats rule.  We don’t use any threshold keywords in the official ruleset (that comes on your firepower device).  We use detection_filter.
> 
>    I am not sure why ET hasn’t switched to detection_filter.  They certainly should.
> 
> 
> 
> 
>    --
>    Joel Esler | Talos: Manager | jesler at ...589...<mailto:jesler at ...589...>
> 
> 
> 
> 
> 
> 
>    On May 8, 2017, at 6:15 PM, Full Name <subaru279 at ...722...<mailto:subaru279 at ...722...>> wrote:
> 
>    Greetings, I'm having issues performing local rule imports on my FirePOWER devices. It doesn't seem to like the threshold filter and recommends me to use the detection_filter instead (See error below). Am I doing something wrong or is there a way to bypass or allow rule imports with the threshold filter?
> 
>    Local Rule Import Error: "threshold (in rule) is deprecated; use detection_filter instead. in rule"
> 
>    Rule: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Discover Phishing Domain Feb 02 2017"; flow:to_server,established; content:"GET"; http_method; content:"discover.com<http://discover.com>"; http_header; fast_pattern; content:!"Referer|3a 20|"; http_header; content:!"discover.com<http://discover.com>|0d 0a|"; http_header; content:!"autodiscover"; http_header; pcre:"/^Host\x3a[^\r\n]+discover\.com[^\r\n]{20,}\r\n/Hmi"; threshold: type limit, count 1, track by_src, seconds 30; classtype:trojan-activity; sid:2023819; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_02_02, updated_at 2017_02_02;)
> 
>    From the research it seem Threshold filters are no longer supported. If so why is it still being utilized? Thanks
>    http://manual-snort-org.s3-website-us-east-1.amazonaws.com/node35.html
> 
>    Regards,
>    Mike
> 
>    ------------------------------------------------------------------------------
>    Check out the vibrant tech community on one of the world's most
>    engaging tech sites, Slashdot.org! http://sdm.link/slashdot
>    _______________________________________________
>    Snort-users mailing list
>    Snort-users at lists.sourceforge.net
>    Go to this URL to change user options or unsubscribe:
>    https://lists.sourceforge.net/lists/listinfo/snort-users
>    Snort-users list archive:
>    http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
> 
>    Please visit http://blog.snort.org to stay current on all the latest Snort news!
> 
>    ------------------------------------------------------------------------------
>    Check out the vibrant tech community on one of the world's most
>    engaging tech sites, Slashdot.org! http://sdm.link/slashdot
>    _______________________________________________
>    Snort-users mailing list
>    Snort-users at lists.sourceforge.net
>    Go to this URL to change user options or unsubscribe:
>    https://lists.sourceforge.net/lists/listinfo/snort-users
>    Snort-users list archive:
>    http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
> 
>    Please visit http://blog.snort.org to stay current on all the latest Snort news!
> 
> 




More information about the Snort-users mailing list