Snort mailing list archives

Re: Current VRT keeps using threshold (in rule)?


From: Patrick Mullen <pmullen () sourcefire com>
Date: Thu, 15 Apr 2010 09:34:25 -0400

On Wed, Apr 14, 2010 at 5:28 PM, Javier Romero <javier () jacksecurity com> wrote:
Does anybody know why there still are non-supported signatures in the
current VRT rules?

To provide a little insight into the Rube Goldberg machine, I'd like
to explain this one a bit --

Honestly, that warning is a bit misleading.  The threshold rules that
were direct translations to detection_filter were already translated.
The remaining rules with the threshold option need to be replaced
either with event_filter as the intent of the threshold was to limit
reporting or with a combination of detection_filter and event_filter
to both provide a threshold before triggering and to limit the number
of times an alert is seen.

The rules that require event_filter to remove the current threshold
have not been translated because we are working on the best way to
provide the event_filter information to our customers (this includes
all snort users, of course).  In the meantime, threshold works as it
always has.


Thanks,

~Patrick
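To make the three cases in the reply concrete, here is an added Python helper (not VRT tooling, and not from the original thread) that rewrites a rule's old `threshold:` option the way the reply describes: `type threshold` becomes an in-rule `detection_filter`, `type limit` becomes an `event_filter` line for snort.conf, and `type both` becomes a `detection_filter` plus an `event_filter` with `type limit, count 1`. The sample rule and sid are constructed for the example, and the `count 1` mapping for `type both` is my assumption, not stated in the reply.

```python
import re

# Constructed sample rule (not a VRT rule) using the old in-rule threshold.
SAMPLE_RULE = (
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SSH brute force (constructed)"; '
    'flow:to_server,established; content:"SSH-"; depth:4; '
    'threshold: type both, track by_src, count 5, seconds 60; '
    'classtype:attempted-admin; sid:1000001; rev:1;)'
)

THRESHOLD_RE = re.compile(
    r'threshold:\s*type\s+(limit|threshold|both)\s*,\s*track\s+(by_src|by_dst)\s*,'
    r'\s*count\s+(\d+)\s*,\s*seconds\s+(\d+)\s*;'
)
SID_RE = re.compile(r'\bsid:\s*(\d+)\s*;')
GID_RE = re.compile(r'\bgid:\s*(\d+)\s*;')


def convert_threshold(rule):
    """Return (rewritten_rule, event_filter_line_or_None) for one rule.

    type threshold -> detection_filter in the rule (direct translation)
    type limit     -> event_filter in the config (reporting limit only)
    type both      -> detection_filter + event_filter type limit, count 1
    A rule with no threshold option is returned unchanged.
    """
    m = THRESHOLD_RE.search(rule)
    if not m:
        return rule, None
    ttype, track, count, seconds = m.group(1), m.group(2), m.group(3), m.group(4)
    sid = SID_RE.search(rule)
    if sid is None:
        raise ValueError("rule has a threshold option but no sid")
    gid_m = GID_RE.search(rule)
    gid = gid_m.group(1) if gid_m else '1'  # Snort rules default to gid 1

    # In-rule part: only the cases that need a trigger threshold keep a filter.
    repl = ''
    if ttype in ('threshold', 'both'):
        repl = f'detection_filter: track {track}, count {count}, seconds {seconds}; '
    new_rule = rule[:m.start()] + repl + rule[m.end():].lstrip()

    # Config part: a reporting limit keyed on this rule's gid/sid.
    ef = None
    if ttype in ('limit', 'both'):
        limit = count if ttype == 'limit' else '1'
        ef = (f'event_filter gen_id {gid}, sig_id {sid.group(1)}, type limit, '
              f'track {track}, count {limit}, seconds {seconds}')
    return new_rule, ef
```

The returned `event_filter` line belongs in snort.conf (or the file it includes for thresholds), not in the rule itself.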
