Snort mailing list archives

Re: threshold deprecation and event_filter


From: Steven Sturges <ssturges () sourcefire com>
Date: Wed, 11 Jan 2012 12:14:55 -0500

Hi Eoin--

The main issue stems from the fact that using threshold within rules
wasn't working the way the rule writers were thinking it did.  Hence
the distinction now between the two different types of filters.  To
spell it out so everyone has the context:

-- detection_filter
    This is part of evaluating a rule and the rate therein is required
    for the rule to match and the action taken (alert, drop, etc).

-- event_filter
    This is done after the rule matches and the rule action is
    taken.  It is basically suppressing output.

When we did this, we went with the philosophy that the guts of the rule
should be limited to how the rule is detecting things -- not how to
handle the output.

If output suppression is included in a rule, a rule writer can
effectively dictate to a user how and when alerts for that rule are
output.  That isn't the best for everyone, especially those who don't
write their own rules.

We also wanted to make sure that existing rules were updated to use the
correct keywords and eliminate the situation of rules that weren't
operating as expected.  There should have been warnings provided at
Snort's initialization that the in-rule threshold keyword was going to
be deprecated since the split.

In the end, this gives an overall better solution with the combination
of the Snort updates, correctly operating rules, and customizable
output suppression.

-steve

On 1/10/12 6:12 PM, Eoin Miller wrote:

So if thresholds are deprecated and the replacements for them have been
split into two different things (detection_filter and event_filter),
this may cause a bit of a headache for rule writing and management. Why
can't you use event_filter within a rule?

As a feature request:
Couldn't Snort read the rules and parse the ones containing event_filter
statements and build a threshold.conf file on the fly from these rules?

This would allow rule writers to continue to have the functionality of the
deprecated threshold/new event_filter event processing functionality
without requiring supplemental updates to a threshold.conf file that is
not currently managed/updated by rule management software.

-- Eoin
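Given the split Steve describes, the conversion Eoin asks for is a small text transformation, and it also makes the distinction concrete. The script below is an added example, not code from this thread or from the Snort project. It reads a constructed rules file, leaves any `detection_filter` option in place (that option is part of matching and belongs in the rule), and moves a deprecated in-rule `threshold:` option into an `event_filter` line for threshold.conf, keeping the same gen_id/sig_id, type, track, count and seconds. The sample rules, their SIDs and the function names are assumptions; the `detection_filter`, `event_filter` and `threshold` syntax is Snort's own.

```python
import re

# Constructed sample rules (not from the thread or from any Snort ruleset).
# Rule 1000001 uses the deprecated in-rule 'threshold' keyword and should
# be rewritten as an event_filter in threshold.conf.
# Rule 1000002 uses 'detection_filter', which is part of rule matching and
# must stay inside the rule untouched.
SAMPLE_RULES = r'''
# constructed test rules
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"LOCAL SSH banner seen"; flow:to_server,established; content:"SSH-"; depth:4; threshold: type limit, track by_src, count 1, seconds 60; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"LOCAL SSH connection burst"; flow:to_server,established; content:"SSH-"; depth:4; detection_filter: track by_src, count 30, seconds 60; sid:1000002; rev:1;)
'''

# Matches the in-rule option "threshold: <params>;" including the whitespace
# before it, so removing the match leaves the rule's option spacing intact.
# (Simplified: a literal "threshold:" inside a msg string would also match.)
THRESHOLD_RE = re.compile(r'\s*threshold\s*:\s*([^;]*);')
SID_RE = re.compile(r'\bsid\s*:\s*(\d+)\s*;')
GID_RE = re.compile(r'\bgid\s*:\s*(\d+)\s*;')


def split_rule(rule):
    """Return (rule_without_threshold, event_filter_line_or_None).

    A rule with no 'threshold' option (including one that uses
    'detection_filter') is returned unchanged with None.
    """
    m = THRESHOLD_RE.search(rule)
    if not m:
        return rule, None
    sid = SID_RE.search(rule)
    if not sid:
        raise ValueError("rule with threshold option has no sid: %s" % rule)
    gid = GID_RE.search(rule)
    gen_id = gid.group(1) if gid else "1"  # Snort's default generator id
    params = m.group(1).strip()            # e.g. "type limit, track by_src, count 1, seconds 60"
    stripped = rule[:m.start()] + rule[m.end():]
    event_filter = "event_filter gen_id %s, sig_id %s, %s" % (gen_id, sid.group(1), params)
    return stripped, event_filter


def convert(rules_text):
    """Convert a rules file body into (cleaned_rules, threshold_conf_lines)."""
    rules, filters = [], []
    for line in rules_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        rule, event_filter = split_rule(line)
        rules.append(rule)
        if event_filter:
            filters.append(event_filter)
    return rules, filters


if __name__ == "__main__":
    cleaned, conf = convert(SAMPLE_RULES)
    print("# rules with output suppression removed")
    for r in cleaned:
        print(r)
    print("\n# generated threshold.conf")
    for f in conf:
        print(f)
```

Running it prints the two rules (the first now without its `threshold` option, the second still carrying its `detection_filter`) and a one-line threshold.conf containing `event_filter gen_id 1, sig_id 1000001, type limit, track by_src, count 1, seconds 60`. A rule management tool could run this step on update so that detection stays in the rule, as Steve wants, while the generated event_filter lines remain editable by the operator.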
