Snort mailing list archives

Re: How to threshold ALL sigs

From: "Turnbough, Bradley E." <bturnbough () belcan com>
Date: Thu, 29 May 2014 13:58:25 +0000

________________________________
From: Russ Combs (rucombs) [rucombs () cisco com]
Sent: Thursday, May 29, 2014 8:03 AM
To: Joel Esler (jesler); waldo kitty
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] How to threshold ALL sigs

________________________________
From: Joel Esler (jesler)
Sent: Thursday, May 29, 2014 8:44 AM
To: waldo kitty
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] How to threshold ALL sigs

On May 28, 2014, at 10:34 PM, waldo kitty <wkitty42 () windstream net<mailto:wkitty42 () windstream net>> wrote:

no ya don't ;)  you've forgotten about "detection_filter" which is what the old
in-rule thresholding is now called...

eg: alert tcp $HOME_NET 21 -> $EXTERNAL_NET any (msg:"LOCAL.RULES FTP
Brute-Force login attempt (1) -- BLOCKED DESTINATION";
flow:from_server,established; dsize:<100; content:"530 "; depth:4;
pcre:"/^530\s+(Login|User|Failed|Not)/smi"; classtype:unsuccessful-user;
detection_filter: track by_dst, count 5, seconds 300; sid:100000001; rev:5;)

kinda.  detection_filter doesn’t limit the number of alerts like threshold did.  That’s still threshold.

* threshold is deprecated:

-- use detection_filter in a rule to prevent it from generating events until the limit is reached

-- use event_filter outside a rule to limit the number of events logged

See README.filters for details.

Works like a charm.  Thanks all!
_____________________________________________________________ This e-mail transmission contains information that is 
confidential and may be privileged. It is intended only for the addressee(s) named above. If you receive this e-mail in 
error, please do not read, copy or disseminate it in any manner. If you are not the intended recipient, any disclosure, 
copying, distribution or use of the contents of this information is prohibited. Please reply to the message immediately 
by informing the sender that the message was misdirected. After replying, please erase it from your computer system. 
Your assistance in correcting this error is appreciated.

------------------------------------------------------------------------------
Time is money. Stop wasting it! Get your web API in 5 minutes.
www.restlet.com/download
http://p.sf.net/sfu/restlet
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

Current thread:

How to threshold ALL sigs Turnbough, Bradley E. (May 28)
- Re: How to threshold ALL sigs Jefferson, Shawn (May 28)
- Re: How to threshold ALL sigs waldo kitty (May 28)
- <Possible follow-ups>
- Re: How to threshold ALL sigs Nicholas Mavis (nmavis) (May 28)
  - Re: How to threshold ALL sigs Jeremy Hoel (May 28)
  - Re: How to threshold ALL sigs Jefferson, Shawn (May 28)
    - Re: How to threshold ALL sigs waldo kitty (May 28)
    - Re: How to threshold ALL sigs Joel Esler (jesler) (May 29)
    - Re: How to threshold ALL sigs Russ Combs (rucombs) (May 29)
    - Re: How to threshold ALL sigs Turnbough, Bradley E. (May 29)