Snort mailing list archives

Re: Using detection_filter instead of threshold


From: Joel Esler <jesler () sourcefire com>
Date: Wed, 27 Oct 2010 23:06:00 -0400

On Oct 27, 2010, at 9:44 PM, infosec posts wrote:
> Here's my, "...and another thing!" email.  I would still be using
> threshold in-rule, and not event_filter at all right now, but the old
> rules I had with thresholds in them just...didn't threshold when I
> moved to snort 2.8.6.  I had a couple of custom rules in particular
> which generate a lot of alerts, so I had them thresholded down quite a
> bit, and they got super noisy again when I rolled out 2.8.6, with no
> changes to the rule.  It seemed that I *had* to use event_filter on
> them to retain the functionality that I needed.
>
> It seems that you're saying in-rule threshold is "deprecated but still
> supported", but that wasn't my experience.  Maybe it was just me
> (snort 2.8.6 on RHEL 5), but I wonder if others on the list saw the
> same thing?

I'd be interested as well.  It still works, as it's still in the code.

J
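For readers following the thread, here is an added example (not part of the original message or of Sourcefire's rule set) showing the three forms being discussed: a noisy custom rule rate-limited with the deprecated in-rule threshold option, the same rule with the limit moved into an event_filter, and a rule using detection_filter, which is not a drop-in replacement for threshold. The rule itself, its SIDs (1000001, 1000002) and its message strings are hypothetical and only serve to illustrate the syntax.

```snort
# Added example, not from the thread. Hypothetical local rule (SID 1000001)
# that fires on every inbound SYN to TCP/22, so it is very noisy on its own.

# (a) Old style: the rate limit lives inside the rule via the deprecated
#     threshold option. Alerts at most once per source IP every 60 seconds.
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"LOCAL SSH connection attempt"; \
    flags:S; \
    threshold: type limit, track by_src, count 1, seconds 60; \
    classtype:misc-activity; sid:1000001; rev:1;)

# (b) Replacement for (a): the same rule with threshold removed ...
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"LOCAL SSH connection attempt"; \
    flags:S; \
    classtype:misc-activity; sid:1000001; rev:2;)

#     ... and the equivalent event_filter placed in snort.conf (or in
#     threshold.conf, which snort.conf includes). gen_id 1 is the rules
#     engine; sig_id is the rule's SID. Same limit: 1 alert per source per 60s.
event_filter gen_id 1, sig_id 1000001, type limit, track by_src, count 1, seconds 60

# (c) detection_filter is evaluated as part of rule matching, not after it:
#     the rule does not fire at all until the same source has matched
#     'count' times within 'seconds'. Use it when the event of interest is
#     "N attempts" (a brute force, a scan), and add an event_filter such as
#     the one above if the resulting alerts still need rate-limiting.
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"LOCAL SSH brute force attempt"; \
    flags:S; \
    detection_filter: track by_src, count 30, seconds 60; \
    classtype:attempted-recon; sid:1000002; rev:1;)
```

After changing rules or threshold.conf, a config test run (`snort -T -c /etc/snort/snort.conf`) will catch parse errors before the sensor is restarted with the new configuration.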


_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs