Re: How to threshold ALL sigs

[waldo kitty <wkitty42 () windstream net>]

On 5/28/2014 3:48 PM, Jefferson, Shawn wrote:
> Yes, but that doesn't work for a SRC<->DEST type suppression.  You can only
> make Snort blind to ALL things from that IP.  You need to use BPF to do a
> SRC<->DEST suppression (basically not sending that traffic to snort at all.)

no ya don't ;)  you've forgotten about "detection_filter" which is what the old 
in-rule thresholding is now called...

eg: alert tcp $HOME_NET 21 -> $EXTERNAL_NET any (msg:"LOCAL.RULES FTP 
Brute-Force login attempt (1) -- BLOCKED DESTINATION"; 
flow:from_server,established; dsize:<100; content:"530 "; depth:4; 
pcre:"/^530\s+(Login|User|Failed|Not)/smi"; classtype:unsuccessful-user; 
detection_filter: track by_dst, count 5, seconds 300; sid:100000001; rev:5;)

-- 
  NOTE: No off-list assistance is given without prior approval.
        Please *keep mailing list traffic on the list* unless
        private contact is specifically requested and granted.

------------------------------------------------------------------------------
Time is money. Stop wasting it! Get your web API in 5 minutes.
www.restlet.com/download
http://p.sf.net/sfu/restlet
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!