Snort mailing list archives
Re: Using detection_filter instead of threshold
From: infosec posts <infosec.posts () gmail com>
Date: Wed, 27 Oct 2010 20:21:16 -0500
It hasn't been forced yet, but this pretty clearly says that it is going to be forced in short order, unless I'm completely misreading it:

* event_filter replaces the existing standalone threshold, which is now deprecated. Furthermore, even though event_filter is an alias for threshold, which is allowed to appear in a rule (although that use is now also deprecated), event_filter will not be allowed in a rule. **Such use will result in a fatal error during initialization.**

**Emphasis mine

There's no point in saying, "it's not broken yet" if you've already said, "it's going to be broken soon."

On Wed, Oct 27, 2010 at 8:17 PM, Joel Esler <jesler () sourcefire com> wrote:
On Oct 27, 2010, at 9:06 PM, infosec posts wrote:

I guess I can understand the purpose and intent behind event_filter, but I'm not clear on "why" for the forced removal of in-rule thresholds. It doesn't seem reasonable to me to force people into new features/configurations just because they're there, and then say, "write a patch to fix it yourself" in response to constructive criticism. I'm not a software dev, though; just a guy who now has some extra work to do on his rulesets because of this decision.

We haven't forced anyone to remove it. That's where the confusion in this thread is. The misunderstanding *I think* is that it's still there, and you can still use it. It's just not the preferred way of doing it. We've created some new keywords, because the new keywords allow us to have additional functionality. While we currently don't have the removal of in-rule threshold "limit" slated for a release (as far as I know), it is deprecated. We still use it in over 500 of our own rules.

J
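The "extra work" the thread talks about is moving each in-rule threshold into a standalone event_filter line, which is what Snort keeps supporting. The script below is an added example, not code from this thread or from the Snort project: it pulls the threshold options and SID out of a rule and emits the equivalent event_filter line plus the rule with the deprecated option removed. The sample rule and SID (local range) are constructed; the option names (type, track, count, seconds, gen_id, sig_id) are those of the Snort manual, and the regex handles only the common one-option-per-semicolon rule layout, not every rule the parser accepts.

```python
import re

# Constructed sample rule with a deprecated in-rule threshold (local SID range).
SAMPLE_RULE = (
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SSH login attempts"; '
    'flow:to_server; threshold: type both, track by_src, count 5, seconds 60; '
    'classtype:attempted-admin; sid:1000001; rev:1;)'
)

THRESHOLD_RE = re.compile(r'\s*threshold\s*:\s*([^;]*);', re.IGNORECASE)
SID_RE = re.compile(r'\bsid\s*:\s*(\d+)\s*;')
GID_RE = re.compile(r'\bgid\s*:\s*(\d+)\s*;')
REQUIRED = ("type", "track", "count", "seconds")


def migrate_rule(rule):
    """Return (rule_without_threshold, event_filter_line).

    If the rule carries no in-rule threshold it is returned unchanged with None.
    Raises ValueError when the threshold cannot be expressed as an event_filter.
    """
    m = THRESHOLD_RE.search(rule)
    if not m:
        return rule, None
    sid = SID_RE.search(rule)
    if not sid:
        raise ValueError("threshold present but no sid: event_filter needs sig_id")
    gid = GID_RE.search(rule)
    gen_id = gid.group(1) if gid else "1"  # Snort's default generator id for rules

    # In-rule syntax: "threshold: type X, track Y, count N, seconds S"
    opts = {}
    for item in m.group(1).split(","):
        key, _, value = item.strip().partition(" ")
        opts[key.strip()] = value.strip()
    missing = [k for k in REQUIRED if k not in opts]
    if missing:
        raise ValueError("threshold missing option(s): %s" % ", ".join(missing))

    # Standalone syntax (threshold.conf / snort.conf): same options keyed by gen_id and sig_id.
    event_filter = (
        "event_filter gen_id %s, sig_id %s, type %s, track %s, count %s, seconds %s"
        % (gen_id, sid.group(1), opts["type"], opts["track"], opts["count"], opts["seconds"])
    )
    stripped = rule[: m.start()] + rule[m.end():]
    return stripped, event_filter


if __name__ == "__main__":
    new_rule, ef = migrate_rule(SAMPLE_RULE)
    print(new_rule)
    print(ef)
```

Run it over a rules file line by line and append the emitted event_filter lines to threshold.conf; the rule text keeps its sid and rev, so the alert output does not change.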