Snort mailing list archives
Re: Using detection_filter instead of threshold
From: L0rd Ch0de1m0rt <l0rdch0de1m0rt () gmail com>
Date: Wed, 27 Oct 2010 11:47:27 -0500
Thanks. Is there any way to do it in the rule itself like back in the salad days?

-L0rd C.

On Wed, Oct 27, 2010 at 11:05 AM, Joel Esler <jesler () sourcefire com> wrote:
> From the README: "Since potentially many events will be generated, a detection_filter would normally be used in conjunction with an event_filter to reduce the number of logged events."
>
> Joel
>
> On Wed, Oct 27, 2010 at 11:13 AM, L0rd Ch0de1m0rt <l0rdch0de1m0rt () gmail com> wrote:
>> Hello. I have always enjoyed the 'threshold' ability of snort but from what I read, it is going away and being replaced by 'detection_filter'. My desire is to have 'threshold: type: limit' capability but the snort manual says detection_filter, "defines a rate which must be exceeded by a source or destination host before a rule can generate an event." So how can I use detection_filter to limit the number of times a rule alerts in a given time period? Thank you.
>>
>> L0rd C.
>>
>> ------------------------------------------------------------------------------
>> Nokia and AT&T present the 2010 Calling All Innovators-North America contest
>> Create new apps & games for the Nokia N8 for consumers in U.S. and Canada
>> $10 million total in prizes - $4M cash, 500 devices, nearly $6M in marketing
>> Develop with Nokia Qt SDK, Web Runtime, or Java and Publish to Ovi Store
>> http://p.sf.net/sfu/nokia-dev2dev
>> _______________________________________________
>> Snort-sigs mailing list
>> Snort-sigs () lists sourceforge net
>> https://lists.sourceforge.net/lists/listinfo/snort-sigs
>
> --
> Joel Esler
> 302-223-5974
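Added example, not from anyone in this thread: a rule carrying a detection_filter next to the event_filter the quoted README passage says to pair it with, so the rule only fires once a source exceeds a rate but logs at most one alert per window. The rule, SID, port and counts are constructed for illustration.

```conf
# Constructed rule (e.g. local.rules). detection_filter is a rate gate:
# the rule does not fire until one source has sent more than 5 matching
# packets within 60 s, and it then fires on every further match in that window.
alert tcp any any -> $HOME_NET 22 (msg:"EXAMPLE SSH connection flood from one source"; \
    flow:to_server; detection_filter: track by_src, count 5, seconds 60; \
    classtype:attempted-dos; sid:1000001; rev:1;)

# Constructed event_filter (threshold.conf or snort.conf) for the same rule.
# type limit logs only the first event per source per 60 s window, which is
# the old 'threshold: type limit' behaviour: a burst of hundreds of packets
# past the gate produces a single logged alert instead of one per packet.
event_filter gen_id 1, sig_id 1000001, type limit, track by_src, count 1, seconds 60
```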