Snort mailing list archives
Re: threshold deprecation and event_filter
From: Steven Sturges <ssturges () sourcefire com>
Date: Wed, 11 Jan 2012 12:14:55 -0500
Hi Eoin--

The main issue stems from the fact that using threshold within rules wasn't working the way the rule writers were thinking it did. Hence the distinction now between the two different types of filters. To spell it out so everyone has the context:

-- detection_filter
This is part of evaluating a rule, and the rate therein is required for the rule to match and the action taken (alert, drop, etc).

-- event_filter
This is done after the rule matches and the rule action is taken. It is basically suppressing output.

When we did this, we went with the philosophy that the guts of the rule should be limited to how the rule is detecting things -- not how to handle the output. If output suppression is included in a rule, a rule writer can effectively dictate to a user how and when alerts for that rule are output. That isn't the best for everyone, especially those who don't write their own rules.

We also wanted to make sure that existing rules were updated to use the correct keywords and eliminate the situation of rules that weren't operating as expected. There should have been warnings provided at Snort's initialization that the in-rule threshold keyword was going to be deprecated since the split.

In the end, this gives an overall better solution with the combination of the Snort updates, correctly operating rules, and customizable output suppression.

-steve

On 1/10/12 6:12 PM, Eoin Miller wrote:
So if thresholds are deprecated and the replacements for them have been split into two different things (detection_filter and event_filter), this may cause a bit of a headache for rule writing and management. Why can't you use event_filter within a rule?

As a feature request: Couldn't Snort read the rules and parse the ones containing event_filter statements and build a threshold.conf file on the fly from these rules? This would allow rule writers to continue to have the functionality of the deprecated threshold/new event_filter event processing functionality without requiring supplemental updates to a threshold.conf file that is not currently managed/updated by rule management software.

-- Eoin
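Eoin's feature request above (move in-rule output suppression into a generated threshold.conf) sketched as an added Python example; this is not Snort's code and was not posted in the thread. It assumes the Snort 2.9-era option syntax shown in the constructed sample rules and a default gen_id of 1 for text rules; a detection_filter option is left in the rule, since it is part of detection rather than output.

```python
import re

# Constructed sample rules (not from the thread). The first carries the
# deprecated in-rule threshold keyword; the second uses detection_filter.
SAMPLE_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SSH login rate"; flow:to_server; threshold: type limit, track by_src, count 1, seconds 60; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SSH burst"; flow:to_server; detection_filter: track by_src, count 5, seconds 60; sid:1000002; rev:1;)
"""

THRESHOLD_RE = re.compile(r"\s*\bthreshold\s*:\s*([^;]*);")
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
GID_RE = re.compile(r"\bgid\s*:\s*(\d+)\s*;")


def split_threshold(rule):
    """Return (rule with the threshold option removed, event_filter line or None).

    The threshold parameters (type/track/count/seconds) are carried over
    verbatim, keyed by the rule's gid:sid, in threshold.conf event_filter syntax.
    """
    m = THRESHOLD_RE.search(rule)
    if not m:
        return rule, None
    sid = SID_RE.search(rule)
    if not sid:
        raise ValueError("rule with threshold has no sid; cannot key an event_filter")
    gid = GID_RE.search(rule)
    gen_id = gid.group(1) if gid else "1"  # text rules default to gen_id 1
    params = m.group(1).strip()
    flt = f"event_filter gen_id {gen_id}, sig_id {sid.group(1)}, {params}"
    return rule[:m.start()] + rule[m.end():], flt


def convert(rules_text):
    """Rewrite a rules file; return (cleaned rules text, threshold.conf text)."""
    new_rules, filters = [], []
    for raw in rules_text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            new_rules.append(raw)  # comments and blank lines pass through
            continue
        rule, flt = split_threshold(raw)
        new_rules.append(rule)
        if flt:
            filters.append(flt)
    return "\n".join(new_rules), "\n".join(filters)
```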