Snort mailing list archives

RE: snort 2.0.2 - Rule Thresholding


From: JP Vossen <vossenjp () netaxs com>
Date: Thu, 18 Sep 2003 18:59:59 -0400 (EDT)

> From: "Marc Norton" <marc.norton () sourcefire com>
> To: snort-users () lists sourceforge net
> Date: Thu, 18 Sep 2003 08:39:42 -0400
> Subject: [Snort-users] snort 2.0.2 - Rule Thresholding
>
> The new thresholding feature supports both rule specific thresholding
> and global thresholding to quiet all of the rules down.  Using global
> thresholding requires you to use a sig_id value of -1 in the 'threshold'
> command instead of a specific rule sig_id.  I am posting this tidbit
> because I don't think the global thresholding made it into the
> documentation.

It didn't. :-)

> The rule specific thresholding and rule suppression are
> documented in the 'doc/README.thresholding' file.

Looks AWESOME!  I can already see some great uses for this.


I have some questions and thoughts:

Do suppression commands referencing "an IP address via a CIDR block" support
the [192.168.1.0/24,10.10.10.0/16] list/grouping syntax?  Do they support
variables?  Would these kinds of dumb examples work?

suppress gen_id 1, sig_id 521, track by_dst, ip [10.1.1.0/24,10.2.2.1]
suppress gen_id 1, sig_id 521, track by_dst, ip $DNS_SERVERS


~~~~~~~
I assume the "best" ways to implement these features are:
1) Disable the original rule, copy to local.rules and modify.
2) include $RULE_PATH/local.limits

Perhaps the docs could be updated and samples included?  I'd think adding the
include and a bit of docs to snort.conf, and taking the examples and some docs
from README.thresholding to create local.limits would do the trick.


~~~~~~~
README.thresholding should explain where generator numbers come from and how
to figure out the correct thing to use.  I.e. snort-2.0.2/src/generators.h and
the "1" in [1:234:5] in the logs...


~~~~~~~
FAQ 3.9 is going to need an overhaul!  Goodbye clunky BPF and pass rules (in
some specific cases).


I'd offer to do some samples, but I'm under a couple of deadlines so I wouldn't
be able to do it for a couple of weeks...

Anyway, this stuff is going to be great,
JP
------------------------------|:::======|--------------------------------
JP Vossen, CISSP              |:::======|         jp{at}jpsdomain{dot}org
My Account, My Opinions       |=========|       http://www.jpsdomain.org/
------------------------------|=========|--------------------------------
You used to have to reboot the Windows 9.x series every couple of days
because it would crash.  Now you have to reboot Windows 200x or XP every
couple of days because of a patch.  How is that better or more stable?
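An added illustration, not code from this thread or from Snort itself: a small Python simulation of how suppress and threshold entries quiet an event stream. The config below is constructed; it assumes the sig_id -1 global entry behaves as Marc describes and that a bracketed CIDR list is accepted in the ip field (the very point JP asks about), it does not resolve $VARIABLE references, and its time-window handling is simplified relative to Snort's real implementation.

```python
import ipaddress
import re

# Constructed config in the README.thresholding syntax. The sig_id -1 global
# entry follows Marc's note above; the bracketed ip list is an assumption.
CONFIG = """
suppress gen_id 1, sig_id 521, track by_dst, ip [10.1.1.0/24,10.2.2.1]
threshold gen_id 1, sig_id 2003, type limit, track by_src, count 2, seconds 60
threshold gen_id 1, sig_id -1, type both, track by_src, count 5, seconds 60
"""

def parse_config(text):
    """Return (suppress_entries, {(gen_id, sig_id): threshold}) from config text."""
    suppress, thresholds = [], {}
    for line in text.strip().splitlines():
        kind, rest = line.split(None, 1)
        # split on commas that are not inside an [ip,ip,...] list
        opts = dict(tok.strip().split(None, 1) for tok in re.split(r",(?![^\[]*\])", rest))
        key = (int(opts["gen_id"]), int(opts["sig_id"]))
        if kind == "suppress":
            nets = [ipaddress.ip_network(n, strict=False) for n in opts["ip"].strip("[]").split(",")]
            suppress.append((key, opts["track"], nets))
        else:
            thresholds[key] = (opts["type"], opts["track"], int(opts["count"]), int(opts["seconds"]))
    return suppress, thresholds

class Thresholder:
    def __init__(self, config):
        self.suppress, self.thresholds = parse_config(config)
        self.state = {}  # (gen_id, sig_id, tracked host) -> [window_start, count]

    def alert(self, gen_id, sig_id, src, dst, ts):
        """True if the event should be alerted, False if suppression/thresholding quiets it."""
        for key, track, nets in self.suppress:
            if key == (gen_id, sig_id):
                addr = ipaddress.ip_address(dst if track == "by_dst" else src)
                if any(addr in n for n in nets):
                    return False
        # a rule-specific entry wins; otherwise fall back to the global sig_id -1 entry
        th = self.thresholds.get((gen_id, sig_id)) or self.thresholds.get((gen_id, -1))
        if th is None:
            return True
        ttype, track, count, seconds = th
        skey = (gen_id, sig_id, src if track == "by_src" else dst)
        st = self.state.get(skey)
        if st is None or ts - st[0] >= seconds:  # start a fresh time window
            st = self.state[skey] = [ts, 0]
        st[1] += 1
        if ttype == "limit":      # alert on the first `count` events per window
            return st[1] <= count
        if ttype == "threshold":  # alert on every `count`-th event
            return st[1] % count == 0
        return st[1] == count     # both: one alert per window once count is reached
```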


