Re: How to threshold ALL sigs

["Russ Combs (rucombs)" <rucombs () cisco com>]

________________________________
From: Joel Esler (jesler)
Sent: Thursday, May 29, 2014 8:44 AM
To: waldo kitty
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] How to threshold ALL sigs

On May 28, 2014, at 10:34 PM, waldo kitty <wkitty42 () windstream net<mailto:wkitty42 () windstream net>> wrote:

no ya don't ;)  you've forgotten about "detection_filter" which is what the old
in-rule thresholding is now called...

eg: alert tcp $HOME_NET 21 -> $EXTERNAL_NET any (msg:"LOCAL.RULES FTP
Brute-Force login attempt (1) -- BLOCKED DESTINATION";
flow:from_server,established; dsize:<100; content:"530 "; depth:4;
pcre:"/^530\s+(Login|User|Failed|Not)/smi"; classtype:unsuccessful-user;
detection_filter: track by_dst, count 5, seconds 300; sid:100000001; rev:5;)

kinda.  detection_filter doesn’t limit the number of alerts like threshold did.  That’s still threshold.

* threshold is deprecated:

-- use detection_filter in a rule to prevent it from generating events until the limit is reached

-- use event_filter outside a rule to limit the number of events logged

See README.filters for details.


------------------------------------------------------------------------------
Time is money. Stop wasting it! Get your web API in 5 minutes.
www.restlet.com/download
http://p.sf.net/sfu/restlet

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!