Snort mailing list archives
Re: Using detection_filter instead of threshold
From: infosec posts <infosec.posts () gmail com>
Date: Wed, 27 Oct 2010 16:39:38 -0500
Pardon my ignorance, but can you provide technical detail on how the inclusion of the filter statements in the separate file works? Is it just another "include" statement in snort.conf, as with the rules files?

On Wed, Oct 27, 2010 at 3:43 PM, Joel Esler <jesler () sourcefire com> wrote:

The way Snort was "supposed" to be designed was to have the thresholds in a different file (I believe). It is the way we do it in our product as well. This keeps you from having to modify rules (and oinkmaster or pulledpork configurations thusly), and allows you to push one file out to one location, or multiple locations. I understand the feature in the rule is nice, and that's why it's still in there. (Not because "I understand" it, but because it's a nice-to-have.) Don't want people thinking I meant they kept the feature around for me.

--
Sent from my iPad

On Oct 27, 2010, at 3:55 PM, infosec posts <infosec.posts () gmail com> wrote:

Are you saying that a new, separate file can be maintained that just contains the event_filter statements (and then included via snort.conf), or do I have to put separate event filters in each of my snort.conf files the way I am now? I preferred the method of modifying the threshold in the rule, since I could change it in one place and it pushed across all my sensors. Now, if I want this functionality, I'm going to multiple snort.conf files and adding a statement to each.

On Wed, Oct 27, 2010 at 12:15 PM, Joel Esler <jesler () sourcefire com> wrote:

Thanks. All of that being said, you can still use threshold at this time. It's just time to start moving those things over to the new format. I suggest doing "thresholds" and suppressions in a separate file (not modifying the rule) anyway.

Sent from my iPhone

On Oct 27, 2010, at 1:13 PM, "Eric L. Howard" <ericlhoward () gmail com> wrote:

On Wed, Oct 27, 2010 at 12:47 PM, L0rd Ch0de1m0rt <l0rdch0de1m0rt () gmail com> wrote:

Thanks. Is there any way to do it in the rule itself like back in the salad days?

Nope.

DEPRECATED ITEMS
================
* detection_filter replaces the existing in-rule threshold, which is now obsolete. Furthermore, the existing threshold when used within a rule was not part of the detection process; it was equivalent to a standalone threshold. To retain the functionality of existing in-rule thresholds, reformat them as standalone event_filters (see below).
* event_filter replaces the existing standalone threshold, which is now deprecated. Furthermore, even though event_filter is an alias for threshold, which is allowed to appear in a rule (although that use is now also deprecated), event_filter will not be allowed in a rule. Such use will result in a fatal error during initialization.

~elh

------------------------------------------------------------------------------
Nokia and AT&T present the 2010 Calling All Innovators-North America contest
Create new apps & games for the Nokia N8 for consumers in U.S. and Canada
$10 million total in prizes - $4M cash, 500 devices, nearly $6M in marketing
Develop with Nokia Qt SDK, Web Runtime, or Java and Publish to Ovi Store
http://p.sf.net/sfu/nokia-dev2dev
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
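The migration the quoted deprecation notice describes, as an added example that is not part of the original thread: a small Python converter that strips the obsolete in-rule `threshold` option and emits the equivalent standalone `event_filter` line, keyed by gen_id/sig_id, for the separate threshold file that the thread recommends (which snort.conf pulls in with an ordinary `include` line, the same mechanism used for rules files). The sample rules are constructed, and gen_id is assumed to default to 1 when a rule carries no gid; the notice's statement that an in-rule threshold was equivalent to a standalone one is what makes the rewrite behaviour-preserving.

```python
import re

# Constructed sample rules (not from the thread): two carry the deprecated
# in-rule threshold, one does not and must pass through untouched.
SAMPLE_RULES = """\
alert tcp any any -> $HOME_NET 22 (msg:"CONSTRUCTED ssh login burst"; flow:to_server,established; threshold: type both, track by_src, count 5, seconds 60; sid:1000001; rev:1;)
alert icmp any any -> $HOME_NET any (msg:"CONSTRUCTED icmp echo"; itype:8; sid:1000002; rev:1;)
alert tcp any any -> $HOME_NET 80 (msg:"CONSTRUCTED http 404 flood"; flow:to_client,established; content:"404"; threshold: type limit, track by_dst, count 1, seconds 300; sid:1000003; rev:2;)
"""

THRESHOLD_OPT = re.compile(r"\s*\bthreshold\s*:\s*([^;]*);", re.IGNORECASE)
SID_OPT = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
GID_OPT = re.compile(r"\bgid\s*:\s*(\d+)\s*;")
REQUIRED = ("type", "track", "count", "seconds")  # event_filter parameter order

def convert_rule(rule):
    """Strip an in-rule threshold; return (rule, equivalent event_filter or None)."""
    m = THRESHOLD_OPT.search(rule)
    if not m:
        return rule, None
    sid = SID_OPT.search(rule)
    if not sid:  # the filter is keyed by sig_id, so refuse rather than drop it
        raise ValueError("threshold without sid: %s" % rule.strip())
    gid = GID_OPT.search(rule)
    fields = {}
    for part in m.group(1).split(","):
        key, _, value = part.strip().partition(" ")
        fields[key.lower()] = value.strip()
    missing = [k for k in REQUIRED if k not in fields]
    if missing:
        raise ValueError("sid %s threshold lacks %s" % (sid.group(1), missing))
    event_filter = "event_filter gen_id %s, sig_id %s, " % (
        gid.group(1) if gid else "1", sid.group(1))  # assumed: gen_id 1 = text rules
    event_filter += ", ".join("%s %s" % (k, fields[k]) for k in REQUIRED)
    return rule[:m.start()] + rule[m.end():], event_filter

def convert_ruleset(text):
    """Return (rules with thresholds removed, body of a standalone threshold file)."""
    rules, filters = [], []
    for line in text.splitlines():
        rule, ef = convert_rule(line)
        rules.append(rule)
        if ef:
            filters.append(ef)
    return "\n".join(rules) + "\n", "\n".join(filters) + "\n"

if __name__ == "__main__":
    new_rules, threshold_conf = convert_ruleset(SAMPLE_RULES)
    print(new_rules + "# pulled into snort.conf with: include threshold.conf\n" + threshold_conf)
```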