Snort mailing list archives
Re: Using detection_filter instead of threshold
From: infosec posts <infosec.posts () gmail com>
Date: Wed, 27 Oct 2010 14:55:27 -0500
Are you saying that a new, separate file can be maintained that just contains the event_filter statements (and then included via snort.conf), or do I have to put separate event filters in each of my snort.conf files the way I am now? I preferred the method of modifying the threshold in the rule, since I could change it in one place and it pushed across all my sensors. Now, if I want this functionality, I'm going to multiple snort.conf files and adding a statement to each.

On Wed, Oct 27, 2010 at 12:15 PM, Joel Esler <jesler () sourcefire com> wrote:

> Thanks. All of that being said, you can still use threshold at this time. It's just time to start moving those things over to the new format. I suggest doing "thresholds" and suppressions in a separate file (not modifying the rule) anyway.
>
> Sent from my iPhone
>
> On Oct 27, 2010, at 1:13 PM, "Eric L. Howard" <ericlhoward () gmail com> wrote:
>
>> On Wed, Oct 27, 2010 at 12:47 PM, L0rd Ch0de1m0rt <l0rdch0de1m0rt () gmail com> wrote:
>>
>>> Thanks. Is there any way to do it in the rule itself like back in the salad days?
>>
>> Nope.
>>
>> DEPRECATED ITEMS
>> ================
>>
>> * detection_filter replaces the existing in-rule threshold, which is now obsolete. Furthermore, the existing threshold when used within a rule was not part of the detection process; it was equivalent to a standalone threshold. To retain the functionality of existing in-rule thresholds, reformat them as standalone event_filters (see below).
>>
>> * event_filter replaces the existing standalone threshold, which is now deprecated. Furthermore, even though event_filter is an alias for threshold, which is allowed to appear in a rule (although that use is now also deprecated), event_filter will not be allowed in a rule. Such use will result in a fatal error during initialization.
>>
>> ~elh
------------------------------------------------------------------------------ Nokia and AT&T present the 2010 Calling All Innovators-North America contest Create new apps & games for the Nokia N8 for consumers in U.S. and Canada $10 million total in prizes - $4M cash, 500 devices, nearly $6M in marketing Develop with Nokia Qt SDK, Web Runtime, or Java and Publish to Ovi Store http://p.sf.net/sfu/nokia-dev2dev _______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-sigs
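Added example (not code from the thread, from Snort, or from any poster): a small migration script that does what the quoted release notes recommend, pulling the deprecated in-rule `threshold:` option out of each rule and emitting an equivalent standalone `event_filter` keyed on the rule's gid/sid, so the limit can live in a separate file that is included from snort.conf rather than in the rule text. The rules, sids and file names below are constructed samples, the option order matched is the one documented for the in-rule form (type, track, count, seconds), and one rule per line is assumed; none of that comes from the thread.

```python
"""Migrate deprecated in-rule "threshold:" options to standalone event_filter lines.

Example code added to this thread, not Snort's own tooling. Because an in-rule
threshold was never part of detection (it behaved like a standalone threshold),
moving it to an event_filter on the same gid/sid preserves its exact behaviour.
All rules below are constructed samples (assumed), not rules from the thread.
"""
import re

# Constructed sample rules file (assumed): two rules carrying the deprecated
# in-rule threshold option, one rule without it, and a comment line.
SAMPLE_RULES = """\
# constructed local.rules
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SSH brute force attempt"; flow:to_server; flags:S; threshold:type threshold, track by_src, count 5, seconds 60; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB noisy scanner UA"; content:"User-Agent|3a| scanner"; nocase; threshold: type limit, track by_dst, count 1, seconds 300; sid:1000002; rev:2;)
alert udp any any -> $HOME_NET 53 (msg:"DNS query, no threshold"; sid:1000003; rev:1;)
"""

# In-rule form: threshold:type <limit|threshold|both>, track <by_src|by_dst>, count N, seconds S;
# Only the documented option order is matched (assumption: reordered options are not handled).
THRESHOLD_RE = re.compile(
    r'\s*threshold\s*:\s*type\s+(?P<type>limit|threshold|both)\s*,'
    r'\s*track\s+(?P<track>by_src|by_dst)\s*,'
    r'\s*count\s+(?P<count>\d+)\s*,'
    r'\s*seconds\s+(?P<seconds>\d+)\s*;',
    re.IGNORECASE)
SID_RE = re.compile(r'\bsid\s*:\s*(?P<sid>\d+)\s*;')
GID_RE = re.compile(r'\bgid\s*:\s*(?P<gid>\d+)\s*;')


def migrate_rule(rule):
    """Return (rule with the threshold option removed, event_filter line),
    or (rule unchanged, None) when the rule carries no in-rule threshold."""
    m = THRESHOLD_RE.search(rule)
    if m is None:
        return rule, None
    sid = SID_RE.search(rule)
    if sid is None:
        # A standalone filter is keyed on gid/sid; with no sid there is nothing
        # to key on, so refuse rather than silently drop the rate limit.
        raise ValueError("in-rule threshold but no sid: %s" % rule.strip())
    gid = GID_RE.search(rule)
    gen_id = gid.group('gid') if gid else '1'   # gid defaults to 1 when absent
    event_filter = (
        "event_filter gen_id %s, sig_id %s, type %s, track %s, count %s, seconds %s"
        % (gen_id, sid.group('sid'), m.group('type').lower(),
           m.group('track').lower(), m.group('count'), m.group('seconds')))
    # Cut the matched option (and the whitespace before it) out of the rule.
    return rule[:m.start()] + rule[m.end():], event_filter


def migrate_rules(rules_text):
    """Split a rules file into (rewritten rules text, threshold.conf text).
    Blank lines and comments pass through untouched."""
    new_rules, filters = [], []
    for line in rules_text.splitlines():
        if not line.strip() or line.lstrip().startswith('#'):
            new_rules.append(line)
            continue
        rule, event_filter = migrate_rule(line)
        new_rules.append(rule)
        if event_filter:
            filters.append(event_filter)
    return "\n".join(new_rules) + "\n", "".join(f + "\n" for f in filters)


if __name__ == "__main__":
    rules, threshold_conf = migrate_rules(SAMPLE_RULES)
    print("# rewritten rules\n" + rules)
    print("# threshold.conf (include it from each snort.conf)\n" + threshold_conf)
```

The emitted filter lines can be shipped alongside the rules file and pulled in with a single `include threshold.conf` line in each snort.conf, so the per-sensor change is the one include rather than one edit per threshold; the rev of each rewritten rule should still be bumped by hand, as the script leaves it alone. Rules that need the new detection-side behaviour rather than a plain alert limit are a different case: they get a `detection_filter` written into the rule, which this script does not generate.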
Current thread:
- Using detection_filter instead of threshold L0rd Ch0de1m0rt (Oct 27)
- Re: Using detection_filter instead of threshold Joel Esler (Oct 27)
- Re: Using detection_filter instead of threshold L0rd Ch0de1m0rt (Oct 27)
- Re: Using detection_filter instead of threshold Eric L. Howard (Oct 27)
- Re: Using detection_filter instead of threshold Joel Esler (Oct 27)
- Re: Using detection_filter instead of threshold infosec posts (Oct 27)
- Re: Using detection_filter instead of threshold Joel Esler (Oct 27)
- Re: Using detection_filter instead of threshold infosec posts (Oct 27)
- Re: Using detection_filter instead of threshold Joel Esler (Oct 27)
- Re: Using detection_filter instead of threshold infosec posts (Oct 27)
- Re: Using detection_filter instead of threshold L0rd Ch0de1m0rt (Oct 27)
- Re: Using detection_filter instead of threshold Joel Esler (Oct 27)
- Message not available
- Re: Using detection_filter instead of threshold Eric L. Howard (Oct 27)
- Message not available
- Re: Using detection_filter instead of threshold Matthew Jonkman (Oct 27)
- Re: Using detection_filter instead of threshold Joel Esler (Oct 27)
- Re: Using detection_filter instead of threshold Jason Brvenik (Oct 27)
- Re: Using detection_filter instead of threshold infosec posts (Oct 27)
- Re: Using detection_filter instead of threshold Joel Esler (Oct 27)