Snort mailing list archives
RE: snort 2.0.2 - Rule Thresholding
From: JP Vossen <vossenjp () netaxs com>
Date: Thu, 18 Sep 2003 18:59:59 -0400 (EDT)
> From: "Marc Norton" <marc.norton () sourcefire com>
> To: snort-users () lists sourceforge net
> Date: Thu, 18 Sep 2003 08:39:42 -0400
> Subject: [Snort-users] snort 2.0.2 - Rule Thresholding
>
> The new thresholding feature supports both rule specific thresholding and global thresholding to quiet all of the rules down. Using global thresholding requires you to use a sig_id value of -1 in the 'threshold' command instead of a specific rule sig_id. I am posting this tidbit because I don't think the global thresholding made it into the documentation.
It didn't. :-)
> The rule specific thresholding and rule suppression are documented in the 'doc/README.thresholding' file.
Looks AWESOME! I can already see some great uses for this. I have some questions and thoughts:

Do suppression commands referencing "an IP address via a CIDR block" support the [192.168.1.0/24,10.10.10.0/16] list/grouping syntax? Do they support variables? Would these kinds of dumb examples work?

  suppress gen_id 1, sig_id 521, track by_dst, ip [10.1.1.0/24,10.2.2.1]
  suppress gen_id 1, sig_id 521, track by_dst, ip $DNS_SERVERS

~~~~~~~

I assume the "best" ways to implement these features are:
  1) Disable the original rule, copy to local.rules and modify.
  2) include $RULE_PATH/local.limits

Perhaps the docs could be updated and samples included? I'd think adding the include and a bit of docs to snort.conf, and taking the examples and some docs from README.thresholding to create local.limits would do the trick.

~~~~~~~

README.thresholding should explain where generator numbers come from and how to figure out the correct thing to use. I.e. snort-2.0.2/src/generators.h and the "1" in [1:234:5] in the logs...

~~~~~~~

FAQ 3.9 is going to need an overhaul! Goodbye clunky BPF and pass rules (in some specific cases).

I'd offer to do some samples, but I'm under a couple of deadlines so I wouldn't be able to do it for a couple of weeks...

Anyway, this stuff is going to be great,
JP

------------------------------|:::======|--------------------------------
JP Vossen, CISSP              |:::======|      jp{at}jpsdomain{dot}org
My Account, My Opinions       |=========|      http://www.jpsdomain.org/
------------------------------|=========|--------------------------------
You used to have to reboot the Windows 9.x series every couple of days because it would crash. Now you have to reboot Windows 200x or XP every couple of days because of a patch. How is that better or more stable?
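As an added illustration (not code from the thread or from Snort itself), a small Python model of how the suppress lines sketched above and a global 'threshold' with sig_id -1 would filter events logged as [gen_id:sig_id:rev]. The [a,b] CIDR-list syntax, the per-(gen_id, sig_id, address) tracking and the time-window handling are assumptions made for the illustration; whether Snort 2.0.2 accepts the list syntax is exactly the open question in the post.

```python
import ipaddress
import re

def parse_cmd(line):
    # 'suppress gen_id 1, sig_id 521, track by_dst, ip [10.1.1.0/24,10.2.2.1]'
    # -> ('suppress', {...}); the [a,b] list syntax is an assumption here
    kind, rest = line.split(None, 1)
    opts = dict(re.findall(r'(\w+)\s+(\[[^\]]*\]|[^,\s]+)', rest))
    for k in ('gen_id', 'sig_id', 'count', 'seconds'):
        if k in opts:
            opts[k] = int(opts[k])
    if 'ip' in opts:
        opts['ip'] = [ipaddress.ip_network(x, strict=False)
                      for x in opts['ip'].strip('[]').split(',')]
    return kind, opts

class EventFilter:
    def __init__(self, lines):
        # rules are applied in the order given; list suppress lines first
        self.rules = [parse_cmd(l) for l in lines]
        self.seen = {}   # (gen_id, sig_id, tracked ip) -> (window start, count)

    def allow(self, gen_id, sig_id, src, dst, t):
        """True if an event logged as [gen_id:sig_id:*] at time t passes."""
        for kind, o in self.rules:
            if o['gen_id'] != gen_id or o['sig_id'] not in (sig_id, -1):
                continue            # sig_id -1 is the global threshold
            ip = dst if o['track'] == 'by_dst' else src
            if kind == 'suppress':
                if 'ip' not in o or any(ipaddress.ip_address(ip) in n for n in o['ip']):
                    return False
                continue
            start, n = self.seen.get((gen_id, sig_id, ip), (t, 0))
            if t - start >= o['seconds']:   # window expired: start a new one
                start, n = t, 0
            self.seen[(gen_id, sig_id, ip)] = (start, n + 1)
            if n >= o['count']:             # type limit: only first `count` per window
                return False
        return True

def demo():
    # Constructed events (gen_id, sig_id, src, dst, time in seconds); returns the logged ones.
    f = EventFilter([
        'suppress gen_id 1, sig_id 521, track by_dst, ip [10.1.1.0/24,10.2.2.1]',
        'threshold gen_id 1, sig_id -1, type limit, track by_src, count 1, seconds 60'])
    events = [(1, 521, '1.2.3.4', '10.1.1.7', 0),   # dst inside 10.1.1.0/24: suppressed
              (1, 521, '1.2.3.4', '10.9.9.9', 2),   # first from this src: logged
              (1, 521, '1.2.3.4', '10.9.9.9', 3),   # second within 60 s: limited
              (1, 521, '1.2.3.4', '10.9.9.9', 70)]  # new window: logged
    return [e for e in events if f.allow(*e)]
```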