Re: Using detection_filter instead of threshold

[infosec posts <infosec.posts () gmail com>]

I did some testing, and this rule works as expected:

alert tcp 10.10.10.96 any -> 172.16.4.8 3389 (msg:"IDS Testing Rule -
Disregard"; classtype:not-suspicious; threshold: type limit, track
by_src, count 1, seconds 120; sid:9999999; rev:1;)

...which gives me one alert every two minutes for the duration of an
active RDP session.

However, when I do this:
alert tcp $HOME_NET any -> [172.16.4.0/24,172.16.5.0/24] any (msg:"IDS
Testing Rule - Disregard"; classtype:not-suspicious; threshold: type
limit, track by_src, count 1, seconds 120; sid:9999999; rev:2;)

I get one alert every 120 seconds *per TCP session*, so I get a pile
of alerts all at once for:
10.10.10.96 -> 172.16.4.8:3389  (at 10/28-07:55:05.413999)
10.10.10.80 -> 172.16.5.50:1434 (at 10/28-07:55:05.709468)
10.10.10.159 -> 172.16.4.159:22 (at 10/28-07:55:14.114907)
{etc.]

I won't get alerts on those particular conversations again for another
120 seconds, but I still get alerts for each unique source/destination
stream.  Previously, the threshold would throttle down to what was
specified, which was 1 alert every two minutes, regardless if I
matched every packet that crossed the sensor, with multiple unique
sources and destinations.  It looks like in-rule thresholding is
applying to each stream that matches the rule now, instead of
squelching the rule itself (if that makes sense).

I suppose this won't be addressed, though, since in-rule thresholding
is deprecated now...



On Wed, Oct 27, 2010 at 10:06 PM, Joel Esler <jesler () sourcefire com> wrote:
> On Oct 27, 2010, at 9:44 PM, infosec posts wrote:
> > Here's my, "...and another thing!" email.  I would still be using
> > threshold in-rule, and not event_filter at all right now, but the old
> > rules I had with thresholds in them just...didn't threshold when I
> > moved to snort 2.8.6.  I had a couple of custom rules in particular
> > which generate a lot of alerts, so I had them thresholded down quite a
> > bit, and they got super noisy again when I rolled out 2.8.6, with no
> > changes to the rule.  It seemed that I *had* to use event_filter on
> > them to retain the functionality that I needed.
> >
> > It seems that you're saying in-rule threshold is "deprecated but still
> > supported", but that wasn't my experience.  Maybe it was just me
> > (snort 2.8.6 on RHEL 5), but I wonder if others on the list saw the
> > same thing?
>
> I'd be interested as well.  It still works, as it's still in the code.
>
> J

------------------------------------------------------------------------------
Nokia and AT&T present the 2010 Calling All Innovators-North America contest
Create new apps & games for the Nokia N8 for consumers in  U.S. and Canada
$10 million total in prizes - $4M cash, 500 devices, nearly $6M in marketing
Develop with Nokia Qt SDK, Web Runtime, or Java and Publish to Ovi Store 
http://p.sf.net/sfu/nokia-dev2dev
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs