Snort mailing list archives
Re: How to threshold ALL sigs
From: "Russ Combs (rucombs)" <rucombs () cisco com>
Date: Thu, 29 May 2014 13:03:20 +0000
________________________________
From: Joel Esler (jesler)
Sent: Thursday, May 29, 2014 8:44 AM
To: waldo kitty
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] How to threshold ALL sigs

> On May 28, 2014, at 10:34 PM, waldo kitty <wkitty42 () windstream net> wrote:
>
>> no ya don't ;) you've forgotten about "detection_filter" which is what the old in-rule thresholding is now called... eg:
>>
>> alert tcp $HOME_NET 21 -> $EXTERNAL_NET any (msg:"LOCAL.RULES FTP Brute-Force login attempt (1) -- BLOCKED DESTINATION"; flow:from_server,established; dsize:<100; content:"530 "; depth:4; pcre:"/^530\s+(Login|User|Failed|Not)/smi"; classtype:unsuccessful-user; detection_filter: track by_dst, count 5, seconds 300; sid:100000001; rev:5;)
>
> kinda. detection_filter doesn't limit the number of alerts like threshold did. That's still threshold.

* threshold is deprecated:
-- use detection_filter in a rule to prevent it from generating events until the limit is reached
-- use event_filter outside a rule to limit the number of events logged

See README.filters for details.
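The two mechanisms Russ distinguishes, written out side by side as an added example (this is not configuration from the thread or from the Snort project; the sid values, counts, windows and the choice of track key are illustrative assumptions, and the event_filter lines are assumed to sit in snort.conf or threshold.conf, outside any rule). It also covers the original question of throttling every signature, which is what sig_id 0 does:

```snort
# Added example, not from the thread or from the Snort documentation.
# Snort 2.9 syntax; sids, counts and windows are illustrative.

# 1. detection_filter lives INSIDE the rule and controls WHEN the rule
#    fires.  With count 5 / seconds 300 the rule stays silent until the
#    5th matching "530" reply to the same destination within 300 s; from
#    that match on it fires on every further match in the window.  It
#    does nothing to reduce alert volume once the rule is firing.
alert tcp $HOME_NET 21 -> $EXTERNAL_NET any ( \
    msg:"LOCAL FTP brute-force login attempt"; \
    flow:from_server,established; dsize:<100; \
    content:"530 "; depth:4; \
    pcre:"/^530\s+(Login|User|Failed|Not)/smi"; \
    classtype:unsuccessful-user; \
    detection_filter: track by_dst, count 5, seconds 300; \
    sid:1000001; rev:1; )

# 2. event_filter lives OUTSIDE the rule and controls HOW MANY of the
#    events a rule already generated get logged.  It never changes
#    whether the rule matches.  sig_id 0 means "every rule with this
#    gen_id", which is the way to apply one limit to all signatures.

# Log at most one event per source IP per 60 s for each gid 1 rule.
event_filter gen_id 1, sig_id 0, type limit, track by_src, count 1, seconds 60

# Same limit, but for every generator (preprocessor events as well).
event_filter gen_id 0, sig_id 0, type limit, track by_src, count 1, seconds 60

# A stand-alone event_filter for one sid is more specific than the
# global one and is the one applied to that sid, so a known-noisy rule
# can be throttled harder.  type both: log once after `count` events
# in the window, then drop the rest of that window.
event_filter gen_id 1, sig_id 1000001, type both, track by_dst, count 1, seconds 300
```

Two things worth checking before deploying something like this. First, the rule matches the server's 530 reply (port 21 is the source), so `track by_dst` counts per FTP client, which is the brute-forcing host; `by_src` would count per server and lump all clients together. Second, Snort accepts only one event_filter per gen_id/sig_id pair, so a second global line for gen_id 0, sig_id 0 is a configuration error rather than a second limit; keep the global filter loose and add per-sid filters for the rules that need more.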
Current thread:
- How to threshold ALL sigs Turnbough, Bradley E. (May 28)
- Re: How to threshold ALL sigs Jefferson, Shawn (May 28)
- Re: How to threshold ALL sigs waldo kitty (May 28)
- <Possible follow-ups>
- Re: How to threshold ALL sigs Nicholas Mavis (nmavis) (May 28)
- Re: How to threshold ALL sigs Jeremy Hoel (May 28)
- Re: How to threshold ALL sigs Jefferson, Shawn (May 28)
- Re: How to threshold ALL sigs waldo kitty (May 28)
- Re: How to threshold ALL sigs Joel Esler (jesler) (May 29)
- Re: How to threshold ALL sigs Russ Combs (rucombs) (May 29)
- Re: How to threshold ALL sigs Turnbough, Bradley E. (May 29)