Snort mailing list archives
Re: Current VRT keeps using threshold (in rule)?
From: Patrick Mullen <pmullen () sourcefire com>
Date: Thu, 15 Apr 2010 09:34:25 -0400
On Wed, Apr 14, 2010 at 5:28 PM, Javier Romero <javier () jacksecurity com> wrote:
Does anybody know why there still are non-supported signatures in the current VRT rules?
To provide a little insight into the Rube Goldberg machine, I'd like to explain this one a bit -- Honestly, that warning is a bit misleading.

The threshold rules that were direct translations to detection_filter were already translated. The remaining rules with the threshold option need to be replaced either with event_filter, as the intent of the threshold was to limit reporting, or with a combination of detection_filter and event_filter to both provide a threshold before triggering and to limit the number of times an alert is seen.

The rules that require event_filter to remove the current threshold have not been translated because we are working on the best way to provide the event_filter information to our customers (this includes all snort users, of course).

In the meantime, threshold works as it always has.

Thanks,

~Patrick
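The three cases Patrick describes, written out as an added example that is not part of the original thread or of the VRT rule set: it assumes Snort 2.8.x syntax, and the sid values (1000001 to 1000003, the local range), the content patterns and the message strings are constructed placeholders.

```snort
# Added example, not VRT rules. Maps the deprecated in-rule "threshold"
# option onto detection_filter (rule option) and event_filter
# (threshold.conf / snort.conf) for the three intents in the reply above.
# sids 1000001-1000003 and the content strings are constructed placeholders.

# --- Case 1: threshold was a detection threshold -> detection_filter ---
# Before: the match only becomes an event once 5 hits from one source
# arrive within 60 s.
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXAMPLE repeated login banner"; flow:to_server,established; content:"EXAMPLE-PATTERN"; threshold: type threshold, track by_src, count 5, seconds 60; classtype:attempted-recon; sid:1000001; rev:1;)
# After: detection_filter stays inside the rule. It fires on the 5th hit
# from a source and on every further hit inside the 60 s window, so it
# gates detection but does not by itself cap how often the alert is logged.
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXAMPLE repeated login banner"; flow:to_server,established; content:"EXAMPLE-PATTERN"; detection_filter: track by_src, count 5, seconds 60; classtype:attempted-recon; sid:1000001; rev:2;)

# --- Case 2: threshold only limited reporting -> event_filter ---
# Before: detect on every match, but log at most once per source per 60 s.
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE noisy scanner string"; flow:to_server,established; content:"EXAMPLE-SCANNER"; threshold: type limit, track by_src, count 1, seconds 60; classtype:web-application-activity; sid:1000002; rev:1;)
# After: the rule loses the option entirely ...
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE noisy scanner string"; flow:to_server,established; content:"EXAMPLE-SCANNER"; classtype:web-application-activity; sid:1000002; rev:2;)
# ... and the reporting limit lives outside the rule, keyed by gen_id/sig_id.
# This is the piece that has to ship alongside the rules, which is the
# distribution problem the reply refers to. (threshold.conf)
event_filter gen_id 1, sig_id 1000002, type limit, track by_src, count 1, seconds 60

# --- Case 3: threshold type both -> detection_filter + event_filter ---
# Before: alert once when 5 hits from a source arrive in 60 s, then stay
# quiet for the rest of the window.
alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"EXAMPLE repeated command"; flow:to_server,established; content:"EXAMPLE-CMD"; threshold: type both, track by_src, count 5, seconds 60; classtype:misc-activity; sid:1000003; rev:1;)
# After: detection_filter provides the threshold before triggering ...
alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"EXAMPLE repeated command"; flow:to_server,established; content:"EXAMPLE-CMD"; detection_filter: track by_src, count 5, seconds 60; classtype:misc-activity; sid:1000003; rev:2;)
# ... and event_filter limits how many times the alert is seen. (threshold.conf)
event_filter gen_id 1, sig_id 1000003, type limit, track by_src, count 1, seconds 60
```

A rule may carry only one detection_filter, and an event_filter applies per gen_id/sig_id pair, so a sensor that loads updated rules without the matching threshold.conf entries gets case 2 and case 3 rules that alert far more often than the old threshold did.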
Current thread:
- Current VRT keeps using threshold (in rule)? Javier Romero (Apr 14)
- Re: Current VRT keeps using threshold (in rule)? Joel Esler (Apr 14)
- Re: Current VRT keeps using threshold (in rule)? Patrick Mullen (Apr 15)