Re: Flowbits and threshold

[Dheeraj Gupta <dheeraj.gupta4 () gmail com>]

Hi,
Thanks for clearing that up. So if I need a rule to fire only when a
previous rule (based on threshold) generates an alert, I will need to keep
the thresholds of both the alerts in sync. Right? Or is there any other (and
simpler) way?

Regards,
Dheeraj

On Wed, Sep 14, 2011 at 1:37 PM, Jason Wallace <jason.r.wallace () gmail com>wrote:

> I believe threshold/suppression only affects the alerting mechanism.
> For example, if you have a rule that sets a threshold of one alert in
> 60 seconds and that rule is set to drop, I believe any packet that
> matches the rule will be dropped, regardless of the threshold. This is
> probably the same for setting a flowbit.
>
> On Wed, Sep 14, 2011 at 1:03 AM, Dheeraj Gupta <dheeraj.gupta4 () gmail com>
> wrote:
> > Hi,
> > I was wondering how are flowbits interpreted in a rule that has threshold
> > keywords.
> > Suppose I have a rule that checks if my proxy has just denied a request
> to
> > user-
> > alert tcp any 8080 -> any any (msg:"Proxy Denies";
> > content:"ERR_CACHE_ACCESS_DENIED"; http_header; threshold:type
> > threshold,track by_dst, count 60, seconds 60;
> > flowbits:set,proxy.deny;flowbits: noalert; sid:1000010; rev:1;)
> > Since I want to log the packet that shows what URL the user was trying to
> > access, I write the following rule to log one packet only for a denied
> > request exceeding threshold-
> > alert tcp any 8080 -> any any (msg:"Proxy Access
> > Denied";flowbits:isset,proxy.deny; content:"While trying to retrieve the
> > URL:",nocase; flowbits:unset,proxy.deny; threshold: type threshold,track
> > by_dst, count 60, seconds 60;sid:1000011; rev:1;)
> >
> > Is the flowbit set when the first packet with ERR_CACHE_ACCESS_DENIED is
> > seen or when the threshold is passed?
> > Also if I do not put the threshold limit in second rule and allow first
> rule
> > to also generate alerts, I get about 60 alerts from second rule for each
> > alert of first rule. Since I unset the flowbit after the second rule
> fires,
> > shouldn't the second rule quieten down till the next time threshold is
> > breached?
> > I can't use tag because the background script (that processes these
> alerts
> > expects only one packet per alert and also since docs say that tag
> doesn't
> > work great with database output plugin.
> >
> > Regards,
> > Dheeraj
> ------------------------------------------------------------------------------
> > BlackBerry&reg; DevCon Americas, Oct. 18-20, San Francisco, CA
> > Learn about the latest advances in developing for the
> > BlackBerry&reg; mobile platform with sessions, labs & more.
> > See new tools and technologies. Register for BlackBerry&reg; DevCon
> today!
> > http://p.sf.net/sfu/rim-devcon-copy1
> > _______________________________________________
> > Snort-sigs mailing list
> > Snort-sigs () lists sourceforge net
> > https://lists.sourceforge.net/lists/listinfo/snort-sigs
> > http://www.snort.org
> >
> >
> > Please visit http://blog.snort.org for the latest news about Snort!



-- 
To iterate is human.To recurse, divine!



-- 
To iterate is human.To recurse, divine!

------------------------------------------------------------------------------
BlackBerry&reg; DevCon Americas, Oct. 18-20, San Francisco, CA
Learn about the latest advances in developing for the 
BlackBerry&reg; mobile platform with sessions, labs & more.
See new tools and technologies. Register for BlackBerry&reg; DevCon today!
http://p.sf.net/sfu/rim-devcon-copy1

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!