Snort mailing list archives
Re: How to threshold ALL sigs
From: "Jefferson, Shawn" <Shawn.Jefferson () bcferries com>
Date: Wed, 28 May 2014 13:48:55 -0600
Yes, but that doesn't work for a SRC<->DEST type suppression. You can only make Snort blind to ALL things from that IP. You need to use BPF to do a SRC<->DEST suppression (basically not sending that traffic to snort at all.) -----Original Message----- From: Nicholas Mavis (nmavis) [mailto:nmavis () cisco com] Sent: May 28, 2014 12:29 PM To: Jefferson, Shawn; Turnbough, Bradley E.; snort-users () lists sourceforge net Subject: Re: [Snort-users] How to threshold ALL sigs Bradley, Snort does have global thresholding. Please refer to Event Filtering in the following link: http://manual.snort.org/node19.html#SECTION00342000000000000000 Using gen_id 0, sig_id 0 is used to specify a global threshold applying to all rules. Nick On 5/28/14, 3:23 PM, "Jefferson, Shawn" <Shawn.Jefferson () bcferries com> wrote:
The best thing to do, if you aren't interested in Snort alerting on this traffic is to use a BPF to not pass it to Snort in the first place. If you can't do that, or don't want to, then perhaps a custom pass rule? (or rather probably two, one for each direction.) -----Original Message----- From: Turnbough, Bradley E. [mailto:bturnbough () belcan com] Sent: May 28, 2014 11:49 AM To: snort-users () lists sourceforge net Subject: [Snort-users] How to threshold ALL sigs Hi All, Is there a way to threshold ALL sig alerts, but doing so based upon source IP and dest ip (session aware)? Before thresholding: sourceipA ------> destipA ---- Alert A #1 10:29:15 sourceipA ------> destipA ---- Alert A #2 10:29:26 sourceipA ------> destipA ---- Alert A #3 10:29:39 sourceipB ------> destipA ---- Alert A #4 10:29:42 sourceipB ------> destipA ---- Alert A #5 10:29:55 sourceipB ------> destipA ------> ---- Alert A #6 10:30:12 After thresholding: sourceipA ------> destipA ---- Alert A #1 10:29:15 sourceipA ------> destipA ---- Alert A #2 10:29:26 ------ not logged (thresholded) sourceipA ------> destipA ---- Alert A #3 10:29:39 ------ not logged (thresholded) sourceipB ------> destipA ---- Alert A #4 10:29:42 sourceipB ------> destipA ---- Alert A #5 10:29:55 ------ not logged (thresholded) sourceipB ------> destipA ---- Alert A #6 10:30:12------ not logged (thresholded) I want to basically write one rule / threshold for this. I don't want to maintain a huge library of thresholds. Any ideas? Thanks, Brad _____________________________________________________________ This e-mail transmission contains information that is confidential and may be privileged. It is intended only for the addressee(s) named above. If you receive this e-mail in error, please do not read, copy or disseminate it in any manner. If you are not the intended recipient, any disclosure, copying, distribution or use of the contents of this information is prohibited. Please reply to the message immediately by informing the sender that the message was misdirected. After replying, please erase it from your computer system. Your assistance in correcting this error is appreciated. ----------------------------------------------------------------------- --- ---- Time is money. Stop wasting it! Get your web API in 5 minutes. www.restlet.com/download http://p.sf.net/sfu/restlet _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news! ----------------------------------------------------------------------- --- ---- Time is money. Stop wasting it! Get your web API in 5 minutes. www.restlet.com/download http://p.sf.net/sfu/restlet _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
------------------------------------------------------------------------------ Time is money. Stop wasting it! Get your web API in 5 minutes. www.restlet.com/download http://p.sf.net/sfu/restlet _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
Current thread:
- How to threshold ALL sigs Turnbough, Bradley E. (May 28)
- Re: How to threshold ALL sigs Jefferson, Shawn (May 28)
- Re: How to threshold ALL sigs waldo kitty (May 28)
- <Possible follow-ups>
- Re: How to threshold ALL sigs Nicholas Mavis (nmavis) (May 28)
- Re: How to threshold ALL sigs Jeremy Hoel (May 28)
- Re: How to threshold ALL sigs Jefferson, Shawn (May 28)
- Re: How to threshold ALL sigs waldo kitty (May 28)
- Re: How to threshold ALL sigs Joel Esler (jesler) (May 29)
- Re: How to threshold ALL sigs Russ Combs (rucombs) (May 29)
- Re: How to threshold ALL sigs Turnbough, Bradley E. (May 29)