Snort mailing list archives
Re: Local Rule Import Error - threshold (in rule) is deprecated; use detection_filter instead. in rule
From: "Joel Esler (jesler)" <jesler () cisco com>
Date: Tue, 9 May 2017 11:10:43 +0000
You can unsubscribe by following the directions at the bottom of every email. -- Sent from my iPhone
On May 9, 2017, at 03:24, Sergio Fenech <sergiofenech () live com> wrote: Guys please can you get me out of this email chain?? On 09/05/2017, 00:26, "Joel Esler (jesler)" <jesler () cisco com> wrote: Well, first, this rule isn’t an official rule, this is an Emerging Threats rule. We don’t use any threshold keywords in the official ruleset (that comes on your firepower device). We use detection_filter. I am not sure why ET hasn’t switched to detection_filter. They certainly should. -- Joel Esler | Talos: Manager | jesler () cisco com<mailto:jesler () cisco com> On May 8, 2017, at 6:15 PM, Full Name <subaru279 () excite com<mailto:subaru279 () excite com>> wrote: Greetings, I'm having issues performing local rule imports on my FirePOWER devices. It doesn't seem to like the threshold filter and recommends me to use the detection_filter instead (See error below). Am I doing something wrong or is there a way to bypass or allow rule imports with the threshold filter? Local Rule Import Error: "threshold (in rule) is deprecated; use detection_filter instead. in rule" Rule: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Discover Phishing Domain Feb 02 2017"; flow:to_server,established; content:"GET"; http_method; content:"discover.com<http://discover.com>"; http_header; fast_pattern; content:!"Referer|3a 20|"; http_header; content:!"discover.com<http://discover.com>|0d 0a|"; http_header; content:!"autodiscover"; http_header; pcre:"/^Host\x3a[^\r\n]+discover\.com[^\r\n]{20,}\r\n/Hmi"; threshold: type limit, count 1, track by_src, seconds 30; classtype:trojan-activity; sid:2023819; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_02_02, updated_at 2017_02_02;) From the research it seem Threshold filters are no longer supported. If so why is it still being utilized? Thanks http://manual-snort-org.s3-website-us-east-1.amazonaws.com/node35.html Regards, Mike ------------------------------------------------------------------------------ Check out the vibrant tech community on one of the world's most engaging tech sites, Slashdot.org! http://sdm.link/slashdot _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news! ------------------------------------------------------------------------------ Check out the vibrant tech community on one of the world's most engaging tech sites, Slashdot.org! http://sdm.link/slashdot _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
------------------------------------------------------------------------------ Check out the vibrant tech community on one of the world's most engaging tech sites, Slashdot.org! http://sdm.link/slashdot _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
Current thread:
- Local Rule Import Error - threshold (in rule) is deprecated; use detection_filter instead. in rule Full Name (May 08)
- Re: Local Rule Import Error - threshold (in rule) is deprecated; use detection_filter instead. in rule Joel Esler (jesler) (May 08)
- Re: Local Rule Import Error - threshold (in rule) is deprecated; use detection_filter instead. in rule Sergio Fenech (May 09)
- Re: Local Rule Import Error - threshold (in rule) is deprecated; use detection_filter instead. in rule Joel Esler (jesler) (May 09)
- Re: Local Rule Import Error - threshold (in rule) is deprecated; use detection_filter instead. in rule Sergio Fenech (May 09)
- Re: Local Rule Import Error - threshold (in rule) is deprecated; use detection_filter instead. in rule Joel Esler (jesler) (May 08)