Snort mailing list archives

Event_filters don't work with in-rule threshold filters.


From: fatema bannatwala <fatema.bannatwala () gmail com>
Date: Mon, 25 Apr 2016 11:30:50 -0400

Hi,

I am a new Snort user, and started looking at some alerts. I wanted to
customize the rule thresholds by defining a stand-alone event_filter in
the threshold.config file for specific gid and sid values.

I realized that after doing that, Snort doesn't start, and when I disable
those event_filters in threshold.config, Snort starts normally.
After looking into the original rules in the .rules files pulled by pulledpork,
I noticed that the rules I was trying to write an event_filter for have an
in-rule threshold command limiting the logged alerts.
When I read the documentation, it doesn't say anything like "you can't
specify event_filters for rules that already have a threshold command
defined inside the rule".
I think that's the problem, and that's why Snort fails to start when I
try to define stand-alone event filters for rules that have a threshold
defined inside them.

So I wanted to ask: what's the correct way to limit alerts for rules
that already have a threshold defined in them? (I have many rules for which I
would really like to define event_filters to limit the logged alerts, but
am not able to do that.)

I apologize if this has already been discussed in some other thread (any
pointer to it would be appreciated).
Thanks in advance.

Thanks,
Fatema.
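A pre-flight check for the situation described in the post, written here as an added example (not from the thread and not part of Snort): it lists every gid:sid that carries both an in-rule `threshold:` option and a stand-alone `event_filter` in threshold.config, which is the double definition the poster suspects of stopping Snort from starting. The rule text, sids and threshold.config lines below are constructed placeholders, not real ruleset ids.

```python
import re

# Constructed sample .rules content: the first rule carries an in-rule
# threshold, the second does not. The sids are placeholders.
RULES = '''
alert tcp any any -> any 80 (msg:"EXAMPLE with in-rule threshold"; flow:to_server,established; content:"GET"; threshold:type limit, track by_src, count 1, seconds 60; sid:9000001; rev:1;)
alert tcp any any -> any 443 (msg:"EXAMPLE without threshold"; flow:to_server,established; sid:9000002; rev:1;)
'''

# Constructed sample threshold.config: the first filter collides with sid 9000001.
THRESHOLD_CONF = '''
event_filter gen_id 1, sig_id 9000001, type limit, track by_src, count 1, seconds 300
event_filter gen_id 1, sig_id 9000002, type threshold, track by_dst, count 5, seconds 60
'''

# A rule line: action, header, then the option list in the outermost parentheses.
RULE_RE = re.compile(r'^\s*(?:alert|log|pass|drop|reject|sdrop)\s.*\((.*)\)\s*$')
# Options we care about; each value runs up to the terminating semicolon.
OPT_RE = re.compile(r'\b(sid|gid|threshold)\s*:\s*([^;]*);')
FILTER_RE = re.compile(r'^\s*event_filter\s+gen_id\s+(\d+)\s*,\s*sig_id\s+(\d+)', re.I)


def rules_with_in_rule_threshold(rules_text):
    """Return {(gid, sid): threshold_value} for rules that carry a threshold option."""
    found = {}
    for line in rules_text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        opts = dict(OPT_RE.findall(m.group(1)))
        if 'threshold' in opts and 'sid' in opts:
            gid = int(opts.get('gid', 1))  # gid defaults to 1 for text rules
            found[(gid, int(opts['sid']))] = opts['threshold'].strip()
    return found


def event_filters(conf_text):
    """Return {(gid, sid): line} for stand-alone event_filter entries."""
    return {(int(m.group(1)), int(m.group(2))): line.strip()
            for line in conf_text.splitlines()
            if (m := FILTER_RE.match(line))}


def find_conflicts(rules_text, conf_text):
    """gid:sid pairs that are filtered twice: once in the rule, once in threshold.config."""
    return sorted(set(rules_with_in_rule_threshold(rules_text)) & set(event_filters(conf_text)))


if __name__ == "__main__":
    for gid, sid in find_conflicts(RULES, THRESHOLD_CONF):
        print(f"{gid}:{sid} has both an in-rule threshold and an event_filter; keep only one")
```

Run it against your real .rules and threshold.config instead of the constructed strings to see which sids need the in-rule threshold removed before the stand-alone event_filter can take over.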