Snort mailing list archives
Re: How to threshold ALL sigs
From: "Turnbough, Bradley E." <bturnbough () belcan com>
Date: Thu, 29 May 2014 13:58:25 +0000
________________________________ From: Russ Combs (rucombs) [rucombs () cisco com] Sent: Thursday, May 29, 2014 8:03 AM To: Joel Esler (jesler); waldo kitty Cc: snort-users () lists sourceforge net Subject: Re: [Snort-users] How to threshold ALL sigs ________________________________ From: Joel Esler (jesler) Sent: Thursday, May 29, 2014 8:44 AM To: waldo kitty Cc: snort-users () lists sourceforge net Subject: Re: [Snort-users] How to threshold ALL sigs On May 28, 2014, at 10:34 PM, waldo kitty <wkitty42 () windstream net<mailto:wkitty42 () windstream net>> wrote: no ya don't ;) you've forgotten about "detection_filter" which is what the old in-rule thresholding is now called... eg: alert tcp $HOME_NET 21 -> $EXTERNAL_NET any (msg:"LOCAL.RULES FTP Brute-Force login attempt (1) -- BLOCKED DESTINATION"; flow:from_server,established; dsize:<100; content:"530 "; depth:4; pcre:"/^530\s+(Login|User|Failed|Not)/smi"; classtype:unsuccessful-user; detection_filter: track by_dst, count 5, seconds 300; sid:100000001; rev:5;) kinda. detection_filter doesn’t limit the number of alerts like threshold did. That’s still threshold. * threshold is deprecated: -- use detection_filter in a rule to prevent it from generating events until the limit is reached -- use event_filter outside a rule to limit the number of events logged See README.filters for details. Works like a charm. Thanks all! _____________________________________________________________ This e-mail transmission contains information that is confidential and may be privileged. It is intended only for the addressee(s) named above. If you receive this e-mail in error, please do not read, copy or disseminate it in any manner. If you are not the intended recipient, any disclosure, copying, distribution or use of the contents of this information is prohibited. Please reply to the message immediately by informing the sender that the message was misdirected. After replying, please erase it from your computer system. Your assistance in correcting this error is appreciated. ------------------------------------------------------------------------------ Time is money. Stop wasting it! Get your web API in 5 minutes. www.restlet.com/download http://p.sf.net/sfu/restlet _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
Current thread:
- How to threshold ALL sigs Turnbough, Bradley E. (May 28)
- Re: How to threshold ALL sigs Jefferson, Shawn (May 28)
- Re: How to threshold ALL sigs waldo kitty (May 28)
- <Possible follow-ups>
- Re: How to threshold ALL sigs Nicholas Mavis (nmavis) (May 28)
- Re: How to threshold ALL sigs Jeremy Hoel (May 28)
- Re: How to threshold ALL sigs Jefferson, Shawn (May 28)
- Re: How to threshold ALL sigs waldo kitty (May 28)
- Re: How to threshold ALL sigs Joel Esler (jesler) (May 29)
- Re: How to threshold ALL sigs Russ Combs (rucombs) (May 29)
- Re: How to threshold ALL sigs Turnbough, Bradley E. (May 29)