Snort mailing list archives
Re: threshold.conf - event_filter difficulties.
From: Jean-Pierre Zurbrügg <jp.zurbrugg () live com>
Date: Tue, 14 Apr 2015 14:16:37 -0400
Hello Everyone,

Thanks for the link (http://manual.snort.org/node19.html#SECTION00342000000000000000). In it I read that rule event_filters take precedence over global rules. I've been reviewing our setup and we have this example:

alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackhole exploit kit landing page with specific structure - prototype catch"; flow:to_client,established; file_data; content:"prototype"; content:"}catch("; distance:0; pcre:"/prototype([^\x7d]{1,3})?\x7dcatch\x28/smi"; metadata:ruleset community, service ftp-data, service http, service imap, service pop3; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,community.websense.com/blogs/securitylabs/pages/black-hole-exploit-kit.aspx; classtype:attempted-user; sid:21646; rev:14;)

This rule doesn't have any event_filters and still triggers many events within a second. This is while having the following global event_filter:

event_filter gen_id 0, sig_id 0, type limit, track by_src, count 1, seconds 15

The generated alerts come from the same src IP and go towards the same destination IP.

Thanks in advance!
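The behaviour the post expects from the global filter (at most one logged event per source address per 15 seconds, a rule-specific filter replacing the global one when present) can be checked against a small model. The following is an added example written for this thread, not Snort's own code: it models `type limit` as "log the first `count` events per tracked address in each `seconds` window and drop the rest of that window", which is a simplification of Snort's internal thresholding, and it runs the model over a constructed burst of sid 21646 hits. The event timestamps, addresses and the hypothetical rule-specific filter values (count 2, seconds 10) are all constructed for illustration.

```python
# Model of Snort event_filter 'limit' semantics, written for this thread.
# Not Snort's code; the window reset rule is a simplification (assumption).
from collections import namedtuple

# One alert as the output plugin would see it (constructed structure).
Event = namedtuple("Event", "ts gid sid src dst")


class LimitFilter:
    """type limit: log the first `count` events per tracked address in each
    `seconds`-long window and drop the remaining events of that window."""

    def __init__(self, count, seconds, track="by_src"):
        self.count, self.seconds, self.track = count, seconds, track
        # (gid, sid, tracked address) -> [window_start, events_seen]
        self._state = {}

    def allow(self, ev):
        addr = ev.src if self.track == "by_src" else ev.dst
        key = (ev.gid, ev.sid, addr)
        win = self._state.get(key)
        if win is None or ev.ts - win[0] >= self.seconds:
            win = [ev.ts, 0]  # first event of a new window
            self._state[key] = win
        win[1] += 1
        return win[1] <= self.count


def select_filter(filters, ev):
    """Rule-specific filter keyed (gid, sid) wins over the global (0, 0) one,
    which is the precedence the manual page linked in the post describes."""
    specific = filters.get((ev.gid, ev.sid))
    return specific if specific is not None else filters.get((0, 0))


def run(events, filters):
    """Return the events that pass the applicable event_filter."""
    logged = []
    for ev in sorted(events, key=lambda e: e.ts):
        f = select_filter(filters, ev)
        if f is None or f.allow(ev):
            logged.append(ev)
    return logged


def sample_events():
    # Constructed sample: a burst of sid 21646 hits served from one external
    # host to one client, a repeat after the window, and one hit served from
    # a second external host. Addresses are documentation ranges.
    return [
        Event(0.0, 1, 21646, "198.51.100.7", "10.0.0.5"),
        Event(0.2, 1, 21646, "198.51.100.7", "10.0.0.5"),
        Event(0.4, 1, 21646, "198.51.100.7", "10.0.0.5"),
        Event(0.5, 1, 21646, "198.51.100.8", "10.0.0.5"),
        Event(0.9, 1, 21646, "198.51.100.7", "10.0.0.5"),
        Event(16.0, 1, 21646, "198.51.100.7", "10.0.0.5"),
    ]


def global_only():
    """Only the global filter from the post: count 1, seconds 15, by_src."""
    filters = {(0, 0): LimitFilter(count=1, seconds=15, track="by_src")}
    return [ev.ts for ev in run(sample_events(), filters)]


def with_rule_filter():
    """Same global filter plus a hypothetical rule-specific one for sid 21646,
    which replaces the global filter for that signature only."""
    filters = {
        (0, 0): LimitFilter(count=1, seconds=15, track="by_src"),
        (1, 21646): LimitFilter(count=2, seconds=10, track="by_src"),
    }
    return [ev.ts for ev in run(sample_events(), filters)]


if __name__ == "__main__":
    print("global only     :", global_only())
    print("with rule filter:", with_rule_filter())
```

Under the global filter alone the six-event burst collapses to three logged events: the first hit from each source host, and the one that arrives after the 15-second window has elapsed. Adding a rule-specific filter changes the outcome for sid 21646 only, so when a rule that has no filter of its own still logs several events per second from one source, the thing to verify is which filters are actually loaded for that gen_id/sig_id pair, since a rule-specific entry elsewhere in the configuration would replace the global one for that rule.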