Snort mailing list archives
threshold -- is it really deprecated?
From: Joshua Kinard <kumba () gentoo org>
Date: Fri, 20 Jan 2012 13:45:09 -0500
So, regarding the recent thread about the threshold keyword, I have to ask if threshold is really deprecated. As far as I can recall, it's been marked as such in the Snort manual since Snort-2.8.5. The suggested replacement is detection_filter, but I don't feel that detection_filter actually replaces threshold's capabilities.

detection_filter basically says "ignore alerts from a matching rule X times in Y seconds, THEN report every alert thereafter." threshold gives you the ability to say "Report an alert no more than X times in Y seconds, THEN ignore everything thereafter." As far as I can tell, they complement each other, one being the inverse of the other, not one replacing the functionality of the other (as the manual states). Both happen in the post-detection phase, too.

event_filter, which is not a rule option and which must be specified independently of the rule to be thresholded, largely shares the same code as threshold, so I can see why one is preferred over the other (removal of duplicated code). Does event_filter work its magic in post-detection, too?

I would say threshold should not be deprecated, but retained for use within rules where a per-rule threshold is needed. event_filter I suppose has uses, too, but having the threshold in the rule keeps it right there for someone else reviewing the rule to see, rather than having to look elsewhere (in the file or in other files) to see if the rule is being filtered by an external event_filter declaration.

Thoughts?

--
Joshua Kinard
Gentoo/MIPS
kumba () gentoo org
4096R/D25D95E3 2011-03-28

"The past tempts us, the present confuses us, the future frightens us. And our lives slip away, moment by moment, lost in that vast, terrible in-between."
--Emperor Turhan, Centauri Republic
Attachment:
signature.asc
Description: OpenPGP digital signature
_______________________________________________ Snort-devel mailing list Snort-devel () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-devel Please visit http://blog.snort.org for the latest news about Snort!
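The post above compares the rate-limiting semantics of threshold (type limit, threshold, both), detection_filter and event_filter from memory of the manual. The following is an added example, not part of Joshua's post and not Snort's own code: a small Python model of those documented semantics run over a constructed timeline of rule matches from one tracked host, so the "one is the inverse of the other" point can be checked concretely. The window handling (a window opens at the first event and counters reset once an event falls outside it) is a simplification and is an assumption of this model, not a description of Snort's implementation; the rule-option text in the comments is illustrative only. Because event_filter takes the same type/track/count/seconds arguments as threshold, the same classes model it.

```python
"""Model of Snort's event-rate filters (threshold / event_filter / detection_filter).

Added example: this is not Snort source and not code from the mailing-list
post. Window bookkeeping is a simplification (assumption): a window opens at
the first event seen and lasts `seconds`; state resets when an event falls
outside it.
"""

from typing import List

# Constructed sample: offsets in seconds of 12 rule matches from one source.
SAMPLE_TIMES: List[int] = [0, 5, 10, 20, 30, 40, 50, 55, 58, 70, 80, 95]


class RateFilter:
    """Shared window/counter bookkeeping for all four filter types."""

    def __init__(self, count: int, seconds: int) -> None:
        self.count = count
        self.seconds = seconds
        self.window_start = None  # time the current window opened
        self.seen = 0             # matches seen in the current window

    def _tick(self, t: int) -> None:
        # Open a new window on the first event, or when this event falls
        # outside the current one (assumption: fixed window from first event).
        if self.window_start is None or t - self.window_start >= self.seconds:
            self.window_start = t
            self.seen = 0
        self.seen += 1

    def event(self, t: int) -> bool:  # pragma: no cover - overridden
        raise NotImplementedError


class ThresholdLimit(RateFilter):
    # threshold: type limit, track by_src, count 3, seconds 60;
    # Report the first `count` matches in a window, then suppress the rest.
    def event(self, t: int) -> bool:
        self._tick(t)
        return self.seen <= self.count


class ThresholdEvery(RateFilter):
    # threshold: type threshold, track by_src, count 3, seconds 60;
    # Report every `count`-th match within the window.
    def event(self, t: int) -> bool:
        self._tick(t)
        return self.seen % self.count == 0


class ThresholdBoth(RateFilter):
    # threshold: type both, track by_src, count 3, seconds 60;
    # Report once per window, when the `count`-th match arrives.
    def event(self, t: int) -> bool:
        self._tick(t)
        return self.seen == self.count


class DetectionFilter(RateFilter):
    # detection_filter: track by_src, count 3, seconds 60;
    # Stay silent for the first `count` matches, then report every later one
    # in the same window.
    def event(self, t: int) -> bool:
        self._tick(t)
        return self.seen > self.count


def run(filt: RateFilter, times: List[int] = SAMPLE_TIMES) -> List[int]:
    """Return the event times at which `filt` would let an alert through."""
    return [t for t in times if filt.event(t)]


def limit_and_detection_filter_are_complementary(
    count: int, seconds: int, times: List[int] = SAMPLE_TIMES
) -> bool:
    """Check the post's claim for type limit vs detection_filter: with the same
    count/seconds, the two sets of reported events are disjoint and together
    cover every match."""
    reported_by_limit = set(run(ThresholdLimit(count, seconds), times))
    reported_by_detect = set(run(DetectionFilter(count, seconds), times))
    return (reported_by_limit.isdisjoint(reported_by_detect)
            and reported_by_limit | reported_by_detect == set(times))


if __name__ == "__main__":
    for cls in (ThresholdLimit, ThresholdEvery, ThresholdBoth, DetectionFilter):
        print(f"{cls.__name__:16s} alerts at t = {run(cls(3, 60))}")
    print("limit + detection_filter cover all matches:",
          limit_and_detection_filter_are_complementary(3, 60))
```

With count 3 / seconds 60 over the constructed timeline, type limit reports t = 0, 5, 10 and then, after the counter resets at t = 70, reports 70, 80, 95; detection_filter reports 20, 30, 40, 50, 55, 58 and nothing in the second window, since only three matches land there. The two sets partition the matches, which is the complementary behaviour the post describes. Note that type threshold and type both have no detection_filter counterpart at all in this model.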
Current thread:
- threshold -- is it really deprecated? Joshua Kinard (Jan 20)
- Re: threshold -- is it really deprecated? Russ Combs (Jan 20)
- Re: threshold -- is it really deprecated? Eoin Miller (Jan 20)
- Re: threshold -- is it really deprecated? Joshua Kinard (Jan 20)
- Re: threshold -- is it really deprecated? Russ Combs (Jan 21)
- Re: threshold -- is it really deprecated? Patrick Mullen (Jan 21)
- Re: [Snort-users] threshold -- is it really deprecated? Eoin Miller (Jan 22)
- Re: [Snort-users] threshold -- is it really deprecated? elof (Jan 23)
- Re: [Snort-users] threshold -- is it really deprecated? Joel Esler (Jan 23)
- Re: [Snort-users] threshold -- is it really deprecated? Jason Brvenik (Jan 23)
- Re: [Snort-users] threshold -- is it really deprecated? Joshua Kinard (Jan 23)
- Re: threshold -- is it really deprecated? Russ Combs (Jan 20)