Snort mailing list archives
Re: threshold -- is it really deprecated?
From: Russ Combs <rcombs () sourcefire com>
Date: Fri, 20 Jan 2012 15:04:56 -0500
On Fri, Jan 20, 2012 at 1:45 PM, Joshua Kinard <kumba () gentoo org> wrote:

> So, regarding the recent thread about the threshold keyword, I have to ask if threshold is really deprecated. As far as I can recall, it's been marked as such in the Snort manual since Snort-2.8.5. The suggested replacement is detection_filter, but I don't feel that detection_filter actually replaces threshold's capabilities.

Yes - threshold is really deprecated, by VRT request. When they get the rules updated, it will go. No - detection filter is not the suggested replacement. event_filter replaces threshold.

> detection_filter basically says "ignore alerts from a matching rule X times in Y seconds, THEN report every alert thereafter." threshold gives you the ability to say "Report an alert no more than X times in Y seconds, THEN ignore everything thereafter." As far as I can tell, they complement each other, one being the inverse of the other, not one replacing the functionality of the other (as the manual states). Both happen in the post-detection phase, too.

Not sure what you mean by "post-detection", but that is not how I think of it. The rule won't fire until the detection_filter constraints are met, so I consider that part of detection.

> event_filter, which is not a rule option and which must be specified independently of the rule to be thresholded, largely shares the same code as threshold, so I can see why one is preferred over the other (removal of duplicated code). Does event_filter work its magic in post-detection, too?

event_filter is strictly post-detection, if I understand your term.

> I would say threshold should not be deprecated, but retained for use within rules where a per-rule threshold is needed. event_filter I suppose has uses, too, but having the threshold in the rule keeps it right there for someone else reviewing the rule to see, rather than having to look elsewhere (in the file or in other files) to see if the rule is being filtered by an external event_filter declaration. Thoughts?

threshold was syntactically part of the rule but never implemented as such. It was always what event_filter is now; there is no loss of functionality. It sounds like what is lost is the ability to import event_filters along with rules, which is a tool chain issue, not a Snort issue.

Eoin, event_filters sit between detection and logging, and an equally strong case (IMHO) can be made for more closely associating event_filters with logging (user preference) than for associating with rules (community expertise). And rate_filters are in the same boat. Maybe VRT can offer more insight re tools and plans.

> --
> Joshua Kinard
> Gentoo/MIPS
> kumba () gentoo org
> 4096R/D25D95E3 2011-03-28
>
> "The past tempts us, the present confuses us, the future frightens us. And our lives slip away, moment by moment, lost in that vast, terrible in-between." --Emperor Turhan, Centauri Republic
>
> ------------------------------------------------------------------------------
> Keep Your Developer Skills Current with LearnDevNow! The most comprehensive online learning library for Microsoft developers is just $99.99! Visual Studio, SharePoint, SQL - plus HTML5, CSS3, MVC3, Metro Style Apps, more. Free future releases when you subscribe now! http://p.sf.net/sfu/learndevnow-d2d
> _______________________________________________
> Snort-devel mailing list
> Snort-devel () lists sourceforge net
> https://lists.sourceforge.net/lists/listinfo/snort-devel
> Please visit http://blog.snort.org for the latest news about Snort!
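To make the distinction the thread is drawing concrete, here is an added example (written for this archive page, not taken from the thread, the Snort manual, or the VRT rule set) showing the same per-source rate limit expressed three ways: the deprecated in-rule threshold, the equivalent external event_filter, and a detection_filter rule that does the inverse. The SIDs 1000001-1000003, the msg strings and the use of $HOME_NET/$EXTERNAL_NET are constructed for illustration; everything else is standard Snort 2.x rule syntax.

```snort
# Added example, not from the thread. SIDs 1000001-1000003 and the msg
# strings are constructed for illustration.

# 1. Deprecated form: the limit lives inside the rule body.
#    type limit = report the first 1 match per source IP in each 60 s window,
#    then suppress further matches from that source until the window expires.
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB robots.txt probe (threshold in rule)"; \
    flow:to_server,established; content:"/robots.txt"; http_uri; nocase; \
    threshold:type limit, track by_src, count 1, seconds 60; \
    classtype:web-application-activity; sid:1000001; rev:1;)

# 2. Current form: the rule carries only detection logic ...
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB robots.txt probe (event_filter external)"; \
    flow:to_server,established; content:"/robots.txt"; http_uri; nocase; \
    classtype:web-application-activity; sid:1000002; rev:1;)

# ... and the identical limit is declared separately (snort.conf or the
# included threshold.conf), keyed by generator id 1 (text rules) and the sid.
# This is the "look elsewhere" cost Joshua describes; the behaviour is the same.
event_filter gen_id 1, sig_id 1000002, type limit, track by_src, count 1, seconds 60

# 3. The inverse: detection_filter. Nothing fires until one source IP produces
#    more than 30 matches within 60 s; every match after that point is reported.
#    Because the count gates whether the rule fires at all, it is evaluated as
#    part of detection, which is Russ's point above.
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SSH brute-force attempt (detection_filter)"; \
    flow:to_server,established; content:"SSH"; nocase; offset:0; depth:4; \
    detection_filter:track by_src, count 30, seconds 60; \
    classtype:attempted-recon; sid:1000003; rev:1;)
```

Rules 1 and 2 produce the same alert stream; only the place the limit is written differs. Rule 3 is not a replacement for either: it suppresses the first N matches rather than everything after the first N. The two mechanisms are routinely combined, with a detection_filter deciding when a noisy rule is worth firing and an event_filter on the same sid then capping how often the resulting alerts are logged.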
Current thread:
- threshold -- is it really deprecated? Joshua Kinard (Jan 20)
- Re: threshold -- is it really deprecated? Russ Combs (Jan 20)
- Re: threshold -- is it really deprecated? Eoin Miller (Jan 20)
- Re: threshold -- is it really deprecated? Joshua Kinard (Jan 20)
- Re: threshold -- is it really deprecated? Russ Combs (Jan 21)
- Re: threshold -- is it really deprecated? Patrick Mullen (Jan 21)
- Re: [Snort-users] threshold -- is it really deprecated? Eoin Miller (Jan 22)
- Re: [Snort-users] threshold -- is it really deprecated? elof (Jan 23)
- Re: [Snort-users] threshold -- is it really deprecated? Joel Esler (Jan 23)
- Re: [Snort-users] threshold -- is it really deprecated? Jason Brvenik (Jan 23)
- Re: [Snort-users] threshold -- is it really deprecated? Joshua Kinard (Jan 23)
- Re: [Snort-users] threshold -- is it really deprecated? Jason Brvenik (Jan 23)
- Re: threshold -- is it really deprecated? Russ Combs (Jan 20)