Re: [Snort-users] threshold -- is it really deprecated?

[Jason Brvenik <jasonb () sourcefire com>]

Now that the thread has had expression time I'd like to add my $.02

I don't believe ANYTHING should be in the rule that is not DIRECTLY
detection related. All information that isn't detection related should
be external to the rule and modifiable without risking changing the
detection content.

This means that IMHO msg: class: metadata: threshold: etc should all
get externalized. The potential for human error and likelihood of edit
collision should be minimized, not maximized.

On Mon, Jan 23, 2012 at 11:18 AM, Joel Esler <jesler () sourcefire com> wrote:
> Just let everyone know what we've done as a result of this conversation.
>  We've put in a couple of bugs to track this/these issue/issues and we're
> going to evaluate what we can do to satisfy the requirements/opinions stated
> here.  I'll follow up with this thread when we make progress.
>
> --
> Joel Esler
> Senior Research Engineer, VRT
> OpenSource Community Manager
> Sourcefire
>
> On Mon, Jan 23, 2012 at 6:21 AM, <elof () sentor se> wrote:
> > On Sun, 22 Jan 2012, Eoin Miller wrote:
> > > On 1/21/12 10:16 PM, Patrick Mullen wrote:
> > > > Russ is also correct that it's rather a "tool chain" issue that we
> > > > don't deliver an event_filter.conf that would possibly make this
> > > > discussion not necessary.  Change is scary, and the hassle of having
> > > > to edit two files is not lost on me, but it really is the more
> > > > flexible, more powerful, and less confusing way to do things.  This is
> > > > true if for no other reason than if you want to put an event_filter on
> > > > a sid, you no longer need to search for that sid in your rules file.
> > > > You just put it anywhere in event_filter.conf and be done with it.
> > > > And now your local copy of the rule is not modified from the official
> > > > version so if we update the rule's detection (or detection_filter) you
> > > > don't need to worry about merging the new version of the rule with
> > > > your updated logging filter.
> > > >
> > > > But in reality, it's actually even easier than this.
> > > >
> > > > Distributing an event_filter.conf has been put on a fairly low
> > > > priority because snort supports global thresholds.  Analyzing the rule
> > > > set before we made this change, we found that the predominant
> > > > "threshold: type limit" was to squelch malware alerts to once every
> > > > minute or once every few minutes.  By putting a global threshold
> > > > within snort of one alert per minute per sid on a host on all rules
> > > > achieves this goal.
> > >
> > > Why not just allow both detection_filter/event_filter to be accessible
> > > from within a rule and if a user has specified a different
> > > detection_filter/event_filter in the conf file for that sid on that
> > > specific sensor it will override the setting in the rule. This way local
> > > settings take priority for users who want/need that and everyone else
> > > can still continue to leverage default settings provided to them instead
> > > of having to retune all these rules/added conf management overhead?
> > > -- Eoin
> >
> > I agree with Eoin
> >
> > Let snort have the possibility for rules writers to include an
> > event_filter within the rule.
> >
> > Most users use the rules without modifying them. The 'threshold:' defaults
> > set by the original rules creators have been fine for the majority of the
> > community for years.
> >
> > Please don't force all rules writers and sites like ET to have to attach
> > an event_filter.conf to their rules files, forcing all snort users to
> > handle this file.
> >
> > In my opinion, it is the users with specific or odd needs that should
> > be the ones to have to rewrite their management system, while the vast
> > majority who just use the rules as-is can continue to do so.
> >
> >
> > Apart from the possible hassle with management of rules, not having this
> > keyword present directly in the rule syntax might make it harder for the
> > user to understand how the original rule creator intended for it to work.
> >
> >
> > Also, I suspect that users with needs to set different event_filter values
> > than the defaults, have even more special needs than that.
> > They have probably already built a rules management system where they can
> > make changes to individual rules as they see fit, while still being able
> > to
> > sync/update from e.g. Sourceforge VRT and Emerging Threats.
> > Since these systems already exist, and they allow for changes in
> > individual rules, I see no need to force the detachment of the
> > event_filter part from the decapricated 'threshold:' option and put it in
> > a separate conf file.
> >
> > I prefer to make my changes to the rule itself and not having to put the
> > configuration in a separate file, just adding complexity to the system and
> > making everything less intuitive.
> >
> > /Elof
> >
> >
> > ------------------------------------------------------------------------------
> > Try before you buy = See our experts in action!
> > The most comprehensive online learning library for Microsoft developers
> > is just $99.99! Visual Studio, SharePoint, SQL - plus HTML5, CSS3, MVC3,
> > Metro Style Apps, more. Free future releases when you subscribe now!
> > http://p.sf.net/sfu/learndevnow-dev2
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users () lists sourceforge net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> >
> > Please visit http://blog.snort.org to stay current on all the latest Snort
> > news!
>
>
>
>
> --
> Joel Esler | http://blog.snort.org | http://vrt-blog.snort.org |
> http://blog.clamav.net
> Twitter:  http://twitter.com/snort
>
>
>
> ------------------------------------------------------------------------------
> Try before you buy = See our experts in action!
> The most comprehensive online learning library for Microsoft developers
> is just $99.99! Visual Studio, SharePoint, SQL - plus HTML5, CSS3, MVC3,
> Metro Style Apps, more. Free future releases when you subscribe now!
> http://p.sf.net/sfu/learndevnow-dev2
> _______________________________________________
> Snort-devel mailing list
> Snort-devel () lists sourceforge net
> https://lists.sourceforge.net/lists/listinfo/snort-devel
>
> Please visit http://blog.snort.org for the latest news about Snort!



-- 
Regards,

Jason.

------------------------------------------------------------------------------
Try before you buy = See our experts in action!
The most comprehensive online learning library for Microsoft developers
is just $99.99! Visual Studio, SharePoint, SQL - plus HTML5, CSS3, MVC3,
Metro Style Apps, more. Free future releases when you subscribe now!
http://p.sf.net/sfu/learndevnow-dev2
_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel

Please visit http://blog.snort.org for the latest news about Snort!