Snort mailing list archives

Re: Using detection_filter instead of threshold


From: Joel Esler <jesler () sourcefire com>
Date: Wed, 27 Oct 2010 17:48:22 -0400

The include is there by default. Look for threshold.conf.

--
Sent from my iPad

On Oct 27, 2010, at 5:39 PM, infosec posts <infosec.posts () gmail com> wrote:

Pardon my ignorance, but can you provide technical detail on how the
inclusion of the filter statements in the separate file works?  Is it just
another "include" statement in snort.conf, as with the rules files?

On Wed, Oct 27, 2010 at 3:43 PM, Joel Esler <jesler () sourcefire com> wrote:
The way Snort was "supposed" to be designed was to have the thresholds
in a different file (I believe). It is the way we do it in our product
as well. This keeps you from having to modify rules (and oinkmaster or
pulledpork configurations thusly), and allows you to push one file out
to one location, or multiple locations.

I understand the feature in the rule is nice, and that's why it's
still in there. (not because "I understand" it, but because it's a
nice to have).

Don't want people thinking I meant they kept the feature around for me.

--
Sent from my iPad

On Oct 27, 2010, at 3:55 PM, infosec posts <infosec.posts () gmail com> wrote:

Are you saying that a new, separate file can be maintained that just
contains the event_filter statements (and then included via
snort.conf), or do I have to put separate event filters in each of my
snort.conf files the way I am now?

I preferred the method of modifying the threshold in the rule, since I
could change it one place and it pushed across all my sensors.  Now,
if I want this functionality, I'm going to multiple snort.conf files
and adding a statement to each.



On Wed, Oct 27, 2010 at 12:15 PM, Joel Esler <jesler () sourcefire com> wrote:
Thanks.

All of that being said, you can still use threshold at this time.  It's just time to start moving those things over
to the new format. I suggest doing "thresholds" and suppressions in a separate file (not modifying the rule)
anyway.


Sent from my iPhone

On Oct 27, 2010, at 1:13 PM, "Eric L. Howard" <ericlhoward () gmail com> wrote:

On Wed, Oct 27, 2010 at 12:47 PM, L0rd Ch0de1m0rt
<l0rdch0de1m0rt () gmail com> wrote:
Thanks.  Is there any way to do it in the rule itself like back in the
salad days?

Nope.

DEPRECATED ITEMS
================

* detection_filter replaces the existing in-rule threshold, which is now
 obsolete.  Furthermore, the existing threshold when used within a rule was
 not part of the detection process; it was equivalent to a standalone
 threshold.  To retain the functionality of existing in-rule thresholds,
 reformat them as standalone event_filters (see below).

* event_filter replaces the existing standalone threshold, which is now
 deprecated.  Furthermore, even though event_filter is an alias for threshold,
 which is allowed to appear in a rule (although that use is now also
 deprecated), event_filter will not be allowed in a rule.  Such use will
 result in a fatal error during initialization.

~elh

------------------------------------------------------------------------------
Nokia and AT&T present the 2010 Calling All Innovators-North America contest
Create new apps & games for the Nokia N8 for consumers in  U.S. and Canada
$10 million total in prizes - $4M cash, 500 devices, nearly $6M in marketing
Develop with Nokia Qt SDK, Web Runtime, or Java and Publish to Ovi Store
http://p.sf.net/sfu/nokia-dev2dev
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
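The migration the DEPRECATED ITEMS text describes (take each in-rule threshold out of the rule, restate it as a standalone event_filter in a separate file, and include that file from snort.conf) can be scripted. The converter below is an added example, not code from this thread or from Snort; the sample rules are constructed, and it is a simple regex pass over the rule text, not a full Snort rule parser.

```python
"""Move deprecated in-rule 'threshold:' options into standalone
event_filter lines suitable for threshold.conf (Snort 2.8.5+ syntax)."""
import re
from typing import List, Optional, Tuple

# Constructed sample rules for demonstration only (not from any ruleset).
SAMPLE_RULES = [
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"constructed SSH guess"; '
    'flow:to_server; threshold:type both, track by_src, count 5, seconds 60; '
    'classtype:attempted-admin; sid:1000001; rev:2;)',
    'alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"constructed no threshold"; '
    'sid:1000002; rev:1;)',
    'alert udp any any -> any 53 (msg:"constructed gid 3"; gid:3; '
    'threshold: type limit, track by_dst, count 1, seconds 300; sid:1000003; rev:1;)',
]

# In-rule form: threshold:type <limit|threshold|both>, track <by_src|by_dst>, count N, seconds N;
THRESHOLD_RE = re.compile(r"\s*threshold\s*:\s*([^;]*);", re.IGNORECASE)
OPT_RE = re.compile(r"\b(type|track|count|seconds)\s+(\w+)")


def convert_rule(rule: str) -> Tuple[str, Optional[str]]:
    """Return (rule with the threshold option removed, event_filter line or None)."""
    m = THRESHOLD_RE.search(rule)
    if not m:
        return rule, None            # nothing to migrate
    opts = dict(OPT_RE.findall(m.group(1)))
    missing = {"type", "track", "count", "seconds"} - opts.keys()
    if missing:
        raise ValueError(f"threshold option missing {sorted(missing)}: {rule!r}")
    sid = re.search(r"\bsid\s*:\s*(\d+)", rule)
    if not sid:
        raise ValueError(f"rule has no sid, cannot build event_filter: {rule!r}")
    gid = re.search(r"\bgid\s*:\s*(\d+)", rule)
    gen_id = gid.group(1) if gid else "1"   # Snort's default gid is 1
    filt = (f"event_filter gen_id {gen_id}, sig_id {sid.group(1)}, "
            f"type {opts['type']}, track {opts['track']}, "
            f"count {opts['count']}, seconds {opts['seconds']}")
    return rule[:m.start()] + rule[m.end():], filt


def convert_rules(rules: List[str]) -> Tuple[List[str], List[str]]:
    """Split a rule list into (rewritten rules, lines for threshold.conf)."""
    new_rules, filters = [], []
    for rule in rules:
        stripped, filt = convert_rule(rule)
        new_rules.append(stripped)
        if filt:
            filters.append(filt)
    return new_rules, filters


if __name__ == "__main__":
    rules, filters = convert_rules(SAMPLE_RULES)
    print("\n".join(rules))
    print("# threshold.conf (included from snort.conf)")
    print("\n".join(filters))
```

The emitted lines go into the file snort.conf already includes (threshold.conf by default), so one file can be pushed to every sensor instead of editing each rule or each snort.conf.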


