Re: Using detection_filter instead of threshold

[infosec posts <infosec.posts () gmail com>]

Are you saying that a new, separate file can be maintained that just
contains the event_filter statements (and then included via
snort.conf), or do I have to put separate event filters in each of my
snort.conf files the way I am now?

I preferred the method of modifying the threshold in the rule, since I
could change it one place and it pushed across all my sensors.  Now,
if I want this functionality, I'm going to multiple snort.conf files
and adding a statement to each.



On Wed, Oct 27, 2010 at 12:15 PM, Joel Esler <jesler () sourcefire com> wrote:
> Thanks.
>
> All of that being said, you can still use threshold at this time.  Its just time to start moving those things over to 
> the new format. I suggest doing "thresholds" and suppressions in a separate file (not modifying the rule) anyway.
>
>
> Sent from my iPhone
>
> On Oct 27, 2010, at 1:13 PM, "Eric L. Howard" <ericlhoward () gmail com> wrote:
>
> > On Wed, Oct 27, 2010 at 12:47 PM, L0rd Ch0de1m0rt
> > <l0rdch0de1m0rt () gmail com> wrote:
> > > Thanks.  Is there any way to do it in the rule itself like back in the
> > > salad days?
> >
> > Nope.
> >
> > DEPRECATED ITEMS
> > ================
> >
> > * detection_filter replaces the existing in-rule threshold, which is now
> >  obsolete.  Furthermore, the existing threshold when used within a rule was
> >  not part of the detection process; it was equivalent to a standalone
> >  threshold.  To retain the functionality of existing in-rule thresholds,
> >  reformat them as standalone event_filters (see below).
> >
> > * event_filter replaces the existing standalone threshold, which is now
> >  deprecated.  Furthermore, even though event_filter is an alias for threshold,
> >  which is allowed to appear in a rule (although that use is now also
> >  deprecated), event_filter will not be allowed in a rule.  Such use will
> >  result in a fatal error during initialization.
> >
> > ~elh
>
> ------------------------------------------------------------------------------
> Nokia and AT&T present the 2010 Calling All Innovators-North America contest
> Create new apps & games for the Nokia N8 for consumers in  U.S. and Canada
> $10 million total in prizes - $4M cash, 500 devices, nearly $6M in marketing
> Develop with Nokia Qt SDK, Web Runtime, or Java and Publish to Ovi Store
> http://p.sf.net/sfu/nokia-dev2dev
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs () lists sourceforge net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs

------------------------------------------------------------------------------
Nokia and AT&T present the 2010 Calling All Innovators-North America contest
Create new apps & games for the Nokia N8 for consumers in  U.S. and Canada
$10 million total in prizes - $4M cash, 500 devices, nearly $6M in marketing
Develop with Nokia Qt SDK, Web Runtime, or Java and Publish to Ovi Store 
http://p.sf.net/sfu/nokia-dev2dev
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs