Snort mailing list archives
Re: Using detection_filter instead of threshold
From: Joel Esler <jesler () sourcefire com>
Date: Wed, 27 Oct 2010 23:06:00 -0400
On Oct 27, 2010, at 9:44 PM, infosec posts wrote:
> Here's my, "...and another thing!" email. I would still be using threshold in-rule, and not event_filter at all right now, but the old rules I had with thresholds in them just...didn't threshold when I moved to snort 2.8.6. I had a couple of custom rules in particular which generate a lot of alerts, so I had them thresholded down quite a bit, and they got super noisy again when I rolled out 2.8.6, with no changes to the rule. It seemed that I *had* to use event_filter on them to retain the functionality that I needed. It seems that you're saying in-rule threshold is "deprecated but still supported", but that wasn't my experience. Maybe it was just me (snort 2.8.6 on RHEL 5), but I wonder if others on the list saw the same thing?
I'd be interested as well. It still works, as it's still in the code.

J

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
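For anyone doing the move the poster describes (taking the deprecated in-rule threshold out of custom rules and expressing it as an event_filter in snort.conf), here is an added example of a small migration helper. It is not code from the thread or from the Snort project; the three rules it runs on are constructed for the example. It only targets event_filter, because that is what carries the same limit/threshold/both semantics as the old rule option; detection_filter (the subject of this thread) is a rate trigger that lets a rule fire only once a count within a window is exceeded, so it is not a drop-in replacement for a threshold used to quiet a noisy rule. The helper also refuses to emit two filters for the same gen_id/sig_id pair, since Snort will not start with more than one event_filter applied to one pair.

```python
import re

# Constructed sample rules for this example (not from the thread). The first
# and third carry an in-rule threshold; the second does not.
SAMPLE_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SSH connection burst"; flow:to_server; flags:S; threshold: type both, track by_src, count 5, seconds 60; classtype:attempted-recon; sid:1000001; rev:3;)
alert udp any any -> $HOME_NET 53 (msg:"DNS query, no threshold"; sid:1000002; rev:1;)
alert tcp any any -> $HOME_NET 80 (msg:"web noise"; threshold:type limit,track by_dst,count 1,seconds 300; gid:1; sid:1000003; rev:1;)
"""

# In-rule form:
#   threshold: type <limit|threshold|both>, track <by_src|by_dst>, count <n>, seconds <n>;
# Note: a literal "threshold:" inside a msg string would also match; the
# sample rules avoid that, a production tool should parse the option list.
THRESHOLD_RE = re.compile(r"\s*\bthreshold\s*:\s*(?P<body>[^;]*);", re.IGNORECASE)
ID_RE = re.compile(r"\b(sid|gid)\s*:\s*(\d+)\s*;", re.IGNORECASE)

VALID_TYPES = {"limit", "threshold", "both"}
VALID_TRACK = {"by_src", "by_dst"}


def parse_threshold(body):
    """Parse 'type limit, track by_src, count 1, seconds 60' into a dict,
    rejecting anything event_filter would not accept."""
    fields = {}
    for item in body.split(","):
        parts = item.split()
        if len(parts) != 2:
            raise ValueError("malformed threshold element: %r" % item.strip())
        fields[parts[0].lower()] = parts[1].lower()
    missing = {"type", "track", "count", "seconds"} - set(fields)
    if missing:
        raise ValueError("threshold is missing %s" % sorted(missing))
    if fields["type"] not in VALID_TYPES:
        raise ValueError("bad threshold type %r" % fields["type"])
    if fields["track"] not in VALID_TRACK:
        raise ValueError("bad track value %r" % fields["track"])
    return {"type": fields["type"], "track": fields["track"],
            "count": int(fields["count"]), "seconds": int(fields["seconds"])}


def rule_ids(rule):
    """Return (gid, sid) for a rule; gid defaults to 1 when not given."""
    ids = {k.lower(): int(v) for k, v in ID_RE.findall(rule)}
    if "sid" not in ids:
        raise ValueError("rule has no sid: %r" % rule)
    return ids.get("gid", 1), ids["sid"]


def migrate_rule(rule):
    """Return (rule_without_threshold, event_filter_line_or_None)."""
    m = THRESHOLD_RE.search(rule)
    if m is None:
        return rule, None
    gid, sid = rule_ids(rule)
    t = parse_threshold(m.group("body"))
    event_filter = ("event_filter gen_id %d, sig_id %d, type %s, track %s, "
                    "count %d, seconds %d"
                    % (gid, sid, t["type"], t["track"], t["count"], t["seconds"]))
    # Drop the option from the rule; the surrounding "; " separators survive.
    return rule[:m.start()] + rule[m.end():], event_filter


def migrate_rules(text):
    """Migrate every rule in text. Returns (rewritten_rules, event_filters).
    Refuses duplicate (gid, sid) filters, which Snort rejects at startup."""
    rules, filters, seen = [], [], set()
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            rules.append(line)
            continue
        new_rule, ef = migrate_rule(line)
        rules.append(new_rule)
        if ef is not None:
            key = rule_ids(line)
            if key in seen:
                raise ValueError("second event_filter for gen_id %d, sig_id %d" % key)
            seen.add(key)
            filters.append(ef)
    return rules, filters


if __name__ == "__main__":
    new_rules, event_filters = migrate_rules(SAMPLE_RULES)
    print("# rewritten rules (local.rules):")
    print("\n".join(new_rules))
    print("\n# add to snort.conf (or a file it includes):")
    print("\n".join(event_filters))
```

The rewritten rules replace the originals in the rules file and the event_filter lines go into snort.conf or a file it includes; after that, do not leave the old threshold option in a rule that now has an event_filter, so the limit is defined in exactly one place.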