Snort mailing list archives

Re: How to threshold ALL sigs


From: "Jefferson, Shawn" <Shawn.Jefferson () bcferries com>
Date: Wed, 28 May 2014 13:48:55 -0600

Yes, but that doesn't work for a SRC<->DEST type suppression.  You can only make Snort blind to ALL things from that 
IP.  You need to use BPF to do a SRC<->DEST suppression (basically not sending that traffic to snort at all.)

-----Original Message-----
From: Nicholas Mavis (nmavis) [mailto:nmavis () cisco com] 
Sent: May 28, 2014 12:29 PM
To: Jefferson, Shawn; Turnbough, Bradley E.; snort-users () lists sourceforge net
Subject: Re: [Snort-users] How to threshold ALL sigs

Bradley,

Snort does have global thresholding. Please refer to Event Filtering in the following link:

http://manual.snort.org/node19.html#SECTION00342000000000000000

Using gen_id 0, sig_id 0 is used to specify a global threshold applying to all rules.

Nick

On 5/28/14, 3:23 PM, "Jefferson, Shawn" <Shawn.Jefferson () bcferries com> wrote:

The best thing to do, if you aren't interested in Snort alerting on 
this traffic is to use a BPF to not pass it to Snort in the first 
place.  If you can't do that, or don't want to, then perhaps a custom 
pass rule? (or rather probably two, one for each direction.)


-----Original Message-----
From: Turnbough, Bradley E. [mailto:bturnbough () belcan com]
Sent: May 28, 2014 11:49 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] How to threshold ALL sigs

Hi All,

Is there a way to threshold ALL sig alerts, but doing so based upon 
source IP and dest ip (session aware)?

Before thresholding:

sourceipA ------> destipA  ---- Alert A #1 10:29:15
sourceipA ------> destipA  ---- Alert A #2 10:29:26
sourceipA ------> destipA  ---- Alert A #3 10:29:39
sourceipB ------> destipA  ---- Alert A #4 10:29:42
sourceipB ------> destipA  ---- Alert A #5 10:29:55
sourceipB ------> destipA  ---- Alert A #6 10:30:12

After thresholding:

sourceipA ------> destipA  ---- Alert A #1 10:29:15
sourceipA ------> destipA  ---- Alert A #2 10:29:26 ------ not logged (thresholded)
sourceipA ------> destipA  ---- Alert A #3 10:29:39 ------ not logged (thresholded)
sourceipB ------> destipA  ---- Alert A #4 10:29:42
sourceipB ------> destipA  ---- Alert A #5 10:29:55 ------ not logged (thresholded)
sourceipB ------> destipA  ---- Alert A #6 10:30:12 ------ not logged (thresholded)

I want to basically write one rule / threshold for this.  I don't want 
to maintain a huge library of thresholds.  Any ideas?



Thanks,

Brad

------------------------------------------------------------------------------
Time is money. Stop wasting it! Get your web API in 5 minutes.
www.restlet.com/download
http://p.sf.net/sfu/restlet
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest 
Snort news!
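The tracking-key limitation discussed in the thread (event_filter tracks by_src or by_dst, not by the src/dst pair) can be checked with a small simulation. This is an added example, not code from the thread or from the Snort project: it models Snort's `type limit` event filter on events constructed from Brad's "before thresholding" list. The `by_pair` mode is hypothetical and is not a Snort option; it is included only to show what a session-aware filter would log differently. The window-opening detail (window starts at the first event for a key) is a modelling assumption, not a description of Snort internals.

```python
from datetime import datetime

# Constructed events modelled on the "before thresholding" list in the thread
# (addresses and times are illustrative, not captured data).
EVENTS = [
    ("sourceipA", "destipA", "Alert A", "10:29:15"),
    ("sourceipA", "destipA", "Alert A", "10:29:26"),
    ("sourceipA", "destipA", "Alert A", "10:29:39"),
    ("sourceipB", "destipA", "Alert A", "10:29:42"),
    ("sourceipB", "destipA", "Alert A", "10:29:55"),
    ("sourceipB", "destipA", "Alert A", "10:30:12"),
]

# A constructed extra event: sourceipA talking to a *different* destination
# 11 seconds after its first alert, i.e. a separate session.
CROSS_SESSION = EVENTS[:3] + [("sourceipA", "destipB", "Alert A", "10:29:50")]

# The global filter the thread points at (gen_id 0, sig_id 0 applies to all
# rules). Shown as a string for reference; this script only simulates it.
GLOBAL_LIMIT = "event_filter gen_id 0, sig_id 0, type limit, track by_src, count 1, seconds 60"


def _key(track, src, dst):
    """Tracking key for one event. by_src and by_dst are Snort's options;
    by_pair is hypothetical and exists only to contrast session-aware tracking."""
    if track == "by_src":
        return src
    if track == "by_dst":
        return dst
    if track == "by_pair":
        return (src, dst)
    raise ValueError(f"unknown track mode: {track}")


def apply_limit(events, track="by_src", count=1, seconds=60):
    """Simulate `type limit`: per tracking key, log the first `count` events in a
    `seconds`-long window that opens at the first event seen for that key, drop
    the rest of that window, then open a fresh window on the next event.
    Returns one (src, dst, sig, time, logged) tuple per input event, in order."""
    state = {}  # key -> (window_start, events_seen_in_window)
    out = []
    for src, dst, sig, ts in events:
        t = datetime.strptime(ts, "%H:%M:%S")
        k = _key(track, src, dst)
        start, seen = state.get(k, (None, 0))
        if start is None or (t - start).total_seconds() >= seconds:
            start, seen = t, 0  # window expired (or first event): reset
        seen += 1
        state[k] = (start, seen)
        out.append((src, dst, sig, ts, seen <= count))
    return out


def logged_flags(events, **kw):
    """Convenience view: just the logged/suppressed decision per event."""
    return [row[-1] for row in apply_limit(events, **kw)]


if __name__ == "__main__":
    print(f"# {GLOBAL_LIMIT}")
    for src, dst, sig, ts, logged in apply_limit(EVENTS, track="by_src"):
        mark = "" if logged else " ------ not logged (thresholded)"
        print(f"{src} ------> {dst}  ---- {sig} {ts}{mark}")
    print()
    print("by_src  on cross-session event:", logged_flags(CROSS_SESSION, track="by_src"))
    print("by_pair on cross-session event:", logged_flags(CROSS_SESSION, track="by_pair"))
```

Run against Brad's sample, `track by_src, count 1, seconds 60` reproduces his "after thresholding" output exactly, because every event there goes to the same destination. The `CROSS_SESSION` list shows the catch Shawn raises: once sourceipA has alerted, a by_src filter also silences its first alert toward destipB, whereas a per-pair key would still log it. A `by_dst` run over the same sample silences sourceipB's first alert as well, since destipA's window is already open.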


