Snort mailing list archives
Re: Using detection_filter instead of threshold
From: infosec posts <infosec.posts () gmail com>
Date: Thu, 28 Oct 2010 08:19:31 -0500
I did some testing, and this rule works as expected:

alert tcp 10.10.10.96 any -> 172.16.4.8 3389 (msg:"IDS Testing Rule - Disregard"; classtype:not-suspicious; threshold: type limit, track by_src, count 1, seconds 120; sid:9999999; rev:1;)

...which gives me one alert every two minutes for the duration of an active RDP session. However, when I do this:

alert tcp $HOME_NET any -> [172.16.4.0/24,172.16.5.0/24] any (msg:"IDS Testing Rule - Disregard"; classtype:not-suspicious; threshold: type limit, track by_src, count 1, seconds 120; sid:9999999; rev:2;)

I get one alert every 120 seconds *per TCP session*, so I get a pile of alerts all at once for:

10.10.10.96 -> 172.16.4.8:3389 (at 10/28-07:55:05.413999)
10.10.10.80 -> 172.16.5.50:1434 (at 10/28-07:55:05.709468)
10.10.10.159 -> 172.16.4.159:22 (at 10/28-07:55:14.114907)
[etc.]

I won't get alerts on those particular conversations again for another 120 seconds, but I still get alerts for each unique source/destination stream. Previously, the threshold would throttle down to what was specified, which was 1 alert every two minutes, regardless of whether I matched every packet that crossed the sensor, with multiple unique sources and destinations. It looks like in-rule thresholding is applying to each stream that matches the rule now, instead of squelching the rule itself (if that makes sense). I suppose this won't be addressed, though, since in-rule thresholding is deprecated now...

On Wed, Oct 27, 2010 at 10:06 PM, Joel Esler <jesler () sourcefire com> wrote:
> On Oct 27, 2010, at 9:44 PM, infosec posts wrote:
>
>> Here's my, "...and another thing!" email. I would still be using threshold in-rule, and not event_filter at all right now, but the old rules I had with thresholds in them just...didn't threshold when I moved to snort 2.8.6. I had a couple of custom rules in particular which generate a lot of alerts, so I had them thresholded down quite a bit, and they got super noisy again when I rolled out 2.8.6, with no changes to the rule. It seemed that I *had* to use event_filter on them to retain the functionality that I needed. It seems that you're saying in-rule threshold is "deprecated but still supported", but that wasn't my experience. Maybe it was just me (snort 2.8.6 on RHEL 5), but I wonder if others on the list saw the same thing?
>
> I'd be interested as well. It still works, as it's still in the code.
>
> J
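The behaviour reported above (one alert per source per window versus one alert per unique stream per window) comes down to which key the limit counter is tracked on. The following is an added example, not code from the thread or from Snort itself: a small Python model of a "type limit, count 1, seconds 120" filter, run over a constructed alert stream whose addresses and spacing mimic the poster's output. Keying on the source address yields the throttling the poster expected; keying on the (src, dst, dport) tuple reproduces the per-session pile-up. The timestamps, the `key_by_src`/`key_by_stream` helpers and the `limit_filter` function are all assumptions of this model, not Snort's internals.

```python
# Added example: model of Snort-style "type limit" event suppression.
# Constructed sample alerts (relative seconds, src, dst, dport); not real captures.
SAMPLE_ALERTS = [
    (0.0,   "10.10.10.96",  "172.16.4.8",   3389),
    (0.3,   "10.10.10.80",  "172.16.5.50",  1434),
    (9.0,   "10.10.10.159", "172.16.4.159", 22),
    (30.0,  "10.10.10.96",  "172.16.4.8",   3389),  # same stream, inside the window
    (40.0,  "10.10.10.96",  "172.16.4.9",   22),    # same source, different stream
    (150.0, "10.10.10.96",  "172.16.4.8",   3389),  # window expired -> fires again
]


def key_by_src(alert):
    """Tracking key equivalent to 'track by_src': the source IP only."""
    return alert[1]


def key_by_stream(alert):
    """Hypothetical per-session key: the (src, dst, dport) tuple."""
    return (alert[1], alert[2], alert[3])


def limit_filter(alerts, seconds, count, key_fn):
    """Model of 'type limit': log the first `count` events per key in each
    `seconds`-long window (window starts at the first event), drop the rest
    until the window expires. Returns the alerts that would be logged."""
    windows = {}  # key -> (window_start_time, events_seen_in_window)
    logged = []
    for alert in alerts:
        t, key = alert[0], key_fn(alert)
        start, seen = windows.get(key, (None, 0))
        if start is None or t - start >= seconds:
            start, seen = t, 0  # open a fresh window for this key
        seen += 1
        windows[key] = (start, seen)
        if seen <= count:
            logged.append(alert)
    return logged


def compare(alerts, seconds=120, count=1):
    """Return logged timestamps under both tracking keys for side-by-side review."""
    return {
        "by_src": [a[0] for a in limit_filter(alerts, seconds, count, key_by_src)],
        "by_stream": [a[0] for a in limit_filter(alerts, seconds, count, key_by_stream)],
    }


if __name__ == "__main__":
    # The equivalent threshold.conf line for the poster's rule would be:
    #   event_filter gen_id 1, sig_id 9999999, type limit, track by_src, count 1, seconds 120
    for mode, times in compare(SAMPLE_ALERTS).items():
        print(f"{mode:10s} logged {len(times)} alerts at t={times}")
```

With count 1 and a 120-second window, `by_src` logs four alerts (t=0, 0.3, 9 and 150: one per source, then one more from 10.10.10.96 once its window lapses), while `by_stream` logs five, because the t=40 connection from the same source to a different host is a new key. If production alerts look like the second column when the rule says `track by_src`, the filter is effectively being keyed more finely than intended.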
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs