Snort mailing list archives
Re: threshold.conf - event_filter difficulties.
From: James Lay <jlay () slave-tothe-box net>
Date: Fri, 10 Apr 2015 16:56:53 -0600
On Fri, 2015-04-10 at 08:54 -0400, Jean-Pierre Zurbrügg wrote:
Hello everyone,

Current setup:

  Ubuntu 12.04.5 LTS 3.2.0-23-generic #36-Ubuntu SMP Tue Apr 10 20:39:51 UTC 2012 x86_64 x86_64 x86_64 GNU/Linux
  Snort Version 2.9.7.2 GRE (Build 177)
  Using PCRE version: 8.12 2011-01-15
  Using ZLIB version: 1.2.3.4
  Compile options: ./configure --enable-sourcefire
                   make
                   sudo make install

pulledpork was used to update rules, config:

  rule_url=https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|<oink code>
  rule_url=http://labs.snort.org/feeds/ip-filter.blf|IPBLACKLIST|open
  rule_url=https://www.snort.org/reg-rules/|opensource.gz|<oink code>
  rule_url=https://rules.emergingthreatspro.com/|emerging.rules.tar.gz|open
  ignore=deleted.rules,experimental.rules,local.rules
  temp_path=/tmp
  rule_path=/etc/snort/rules/snort.rules
  local_rules=/etc/snort/rules/local.rules
  sid_msg=/etc/snort/sid-msg.map
  sid_msg_version=2
  sid_changelog=/var/log/sid_changes.log
  sorule_path=/usr/local/lib/snort_dynamicrules/
  snort_path=/usr/local/bin/snort
  config_path=/etc/snort/snort.conf
  distro=Ubuntu-10-4
  black_list=/etc/snort/rules/iplists/default.blacklist
  IPRVersion=/etc/snort/rules/iplists
  snort_control=/usr/local/bin/snort_control
  enablesid=/etc/snort/enablesid.conf
  dropsid=/etc/snort/dropsid.conf
  disablesid=/etc/snort/disablesid.conf
  modifysid=/etc/snort/modifysid.conf
  version=0.7.0

We are trying to set up a global event_filter in hopes of controlling the amount of duplicated events that get fired from the same src\dst per second. We see a bunch of alerts being fired multiple times within the same timestamp.

Steps taken:

1. Edit /etc/snort/threshold.conf, add line:

     event_filter gen_id 0, sig_id 0, type limit, track by_src, count 1, seconds 15

   **** We have also tried track by dst and also tried individual event_filter by rule gen\sig.
   **** We have also tried using the deprecated 'threshold' command.

2. Edit /etc/snort/snort.conf, verify that we have this line added:

     include threshold.conf

3. Run snort with the following command:

     snort -A console -q -u snort -g snort -c /etc/snort/snort.conf -i eth0

4. Confirm we see the following lines in the output:

     Apr 9 09:22:15 nth-garbage snort[398]: +-----------------------[event-filter-global]----------------------------------
     Apr 9 09:22:15 nth-garbage snort[398]: | gen-id=global sig-id=global type=Limit tracking=src count=1 seconds=15
     Apr 9 09:22:15 nth-garbage snort[398]: +-----------------------[event-filter-local]-----------------------------------
     ******************************* VERY LONG LIST OF EVENT-FILTER RULES HERE **************************

We don't know what we are doing wrong. Events of the same rule get fired multiple times within the same second. Examples:

  gen 1 \ sig 2014473 --- ET INFO JAVA - Java Archive Download By Vulnerable Client
  gen 1 \ sig 21646   --- EXPLOIT-KIT Blackhole exploit kit landing page with specific structure[...]

Which event_filter takes priority, a global or a local event filter?

Any tips would be greatly appreciated! Thanks in advance.
------------------------------------------------------------------------------ BPM Camp - Free Virtual Workshop May 6th at 10am PDT/1PM EDT Develop your own process in accordance with the BPMN 2 standard Learn Process modeling best practices with Bonita BPM through live exercises http://www.bonitasoft.com/be-part-of-it/events/bpm-camp-virtual- event?utm_ source=Sourceforge_BPM_Camp_5_6_15&utm_medium=email&utm_campaign=VA_SF _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
Need to have the gen and sig match like so:

  event_filter gen_id 1, sig_id 2014473, type limit, track by_src, count 1, seconds 15
  event_filter gen_id 1, sig_id 21646, type limit, track by_src, count 1, seconds 15

James
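As an added illustration of what the two per-signature event_filter lines above do (example code added here, not from the thread or from the Snort project), the following Python script parses event_filter lines in the threshold.conf syntax shown in the thread and replays a constructed batch of alerts through the limit/threshold/both semantics as the Snort manual describes them. Everything below is an assumption or construction: the sample alert events, the IP addresses, the function names, and the simplified counting model. In particular, the lookup order (an exact gen_id/sig_id filter first, the gen_id 0/sig_id 0 entry as fallback) is my reading of the manual, not something the thread confirms, and the real engine tracks state somewhat differently from this simplified window model.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Matches the event_filter syntax used in threshold.conf, e.g.
#   event_filter gen_id 1, sig_id 2014473, type limit, track by_src, count 1, seconds 15
EVENT_FILTER_RE = re.compile(
    r"^event_filter\s+gen_id\s+(\d+)\s*,\s*sig_id\s+(\d+)\s*,"
    r"\s*type\s+(limit|threshold|both)\s*,\s*track\s+(by_src|by_dst)\s*,"
    r"\s*count\s+(\d+)\s*,\s*seconds\s+(\d+)$"
)


@dataclass(frozen=True)
class EventFilter:
    gen_id: int
    sig_id: int
    ftype: str      # limit | threshold | both
    track: str      # by_src | by_dst
    count: int
    seconds: int


def parse_threshold_conf(text: str) -> Dict[Tuple[int, int], EventFilter]:
    """Parse event_filter lines; comments and blank lines are skipped.
    Two filters for the same gen_id/sig_id pair are rejected (Snort does too)."""
    filters: Dict[Tuple[int, int], EventFilter] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = EVENT_FILTER_RE.match(line)
        if not m:
            raise ValueError(f"threshold.conf line {lineno}: unsupported or malformed: {raw!r}")
        f = EventFilter(int(m[1]), int(m[2]), m[3], m[4], int(m[5]), int(m[6]))
        key = (f.gen_id, f.sig_id)
        if key in filters:
            raise ValueError(f"threshold.conf line {lineno}: duplicate filter for gen_id {key[0]} sig_id {key[1]}")
        filters[key] = f
    return filters


class EventFilterEngine:
    """Decides, event by event, whether an alert would be logged (simplified model)."""

    def __init__(self, filters: Dict[Tuple[int, int], EventFilter]):
        self.filters = filters
        # (gen_id, sig_id, tracked_ip) -> (window_start, events_seen_in_window)
        self.state: Dict[Tuple[int, int, str], Tuple[int, int]] = {}

    def lookup(self, gen_id: int, sig_id: int) -> Optional[EventFilter]:
        # Assumption (simplified from the Snort manual): the filter for the exact
        # gen_id/sig_id wins; the gen_id 0 / sig_id 0 entry is the fallback for
        # events that have no specific filter.
        return self.filters.get((gen_id, sig_id)) or self.filters.get((0, 0))

    def should_log(self, ts: int, gen_id: int, sig_id: int, src: str, dst: str) -> bool:
        f = self.lookup(gen_id, sig_id)
        if f is None:
            return True                     # unfiltered rule: every event is logged
        ip = src if f.track == "by_src" else dst
        key = (gen_id, sig_id, ip)          # counters are per rule and per tracked IP
        start, n = self.state.get(key, (None, 0))
        if start is None or ts - start >= f.seconds:
            start, n = ts, 0                # window expired: start a fresh one
        n += 1
        self.state[key] = (start, n)
        if f.ftype == "limit":              # first <count> events per window, then silence
            return n <= f.count
        if f.ftype == "threshold":          # every <count>-th event in the window
            return n % f.count == 0
        return n == f.count                 # both: once per window, at the <count>-th event


def apply_filters(conf_text: str, events: List[Tuple[int, int, int, str, str]]):
    """Return the subset of events that would be logged under conf_text."""
    engine = EventFilterEngine(parse_threshold_conf(conf_text))
    return [e for e in events if engine.should_log(*e)]


# Constructed sample (not real traffic): the same alert firing three times in one
# second from one source, as described in the thread, plus a second source and a
# later repeat from the first source after the 15-second window.
SAMPLE_EVENTS = [
    # (timestamp_seconds, gen_id, sig_id, src_ip, dst_ip)
    (100, 1, 2014473, "192.0.2.10", "198.51.100.5"),
    (100, 1, 2014473, "192.0.2.10", "198.51.100.5"),
    (100, 1, 2014473, "192.0.2.10", "198.51.100.5"),
    (103, 1, 2014473, "192.0.2.11", "198.51.100.5"),   # different src: its own counter
    (120, 1, 2014473, "192.0.2.10", "198.51.100.5"),   # 15 s window has expired
    (100, 1, 21646, "192.0.2.10", "198.51.100.9"),
    (100, 1, 21646, "192.0.2.10", "198.51.100.9"),
]

PER_SIG_CONF = """\
# one event_filter per gen_id/sig_id pair, as in the reply above
event_filter gen_id 1, sig_id 2014473, type limit, track by_src, count 1, seconds 15
event_filter gen_id 1, sig_id 21646, type limit, track by_src, count 1, seconds 15
"""

if __name__ == "__main__":
    for e in apply_filters(PER_SIG_CONF, SAMPLE_EVENTS):
        print("LOG", e)   # 4 of the 7 constructed events survive the limit filters
```

Running the script against the constructed events shows why "count 1, seconds 15" is the right shape for collapsing duplicates: the three same-second alerts from 192.0.2.10 become one, the alert from 192.0.2.11 keeps its own counter, and 192.0.2.10 is logged again once the window has elapsed. Swapping the type to threshold or both changes the outcome in the way the manual's definitions predict, which is a useful sanity check before committing a filter to production threshold.conf.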