Snort mailing list archives

threshold -- is it really deprecated?

From: Joshua Kinard <kumba () gentoo org>
Date: Fri, 20 Jan 2012 13:45:09 -0500


So, regarding the recent thread about the threshold keyword, I have to ask
if threshold is really deprecated.  As far as I can recall, it's been marked
as such in the Snort manual since Snort-2.8.5.  The suggested replacement is
detection_filter, but I don't feel that detection_filter actually replaces
threshold's capabilities.

detection_Filter basically says "ignore alerts from a matching rule X times
in Y seconds, THEN report every alert thereafter."

threshold gives you the ability to say "Report an alert no more than X times
in Y seconds, THEN ignore everything thereafter."

As far as I can tell, they complement each other, one being the inverse of
the other, not one replacing the functionality of the other (as the manual
states).  Both happen in the post-detection phase, too.

event_filter, which is not a rule option and which must be specified
independently of the rule to be thresholded, largely shares the same code as
threshold, so I can see why one is preferred over the other (removal of
duplicated code).  Does event_filter work its magic in post-detection, too?

I would say threshold should not be deprecated, but retained for use within
rules where a per-rule threshold is needed.  event_filter I suppose has
uses, too, but having the threshold in the rule keeps it right there for
someone else reviewing the rule to see, rather than having to look elsewhere
(in the file or in other files) to see if the rule is being filtered by an
external event_filter declaration.

Thoughts?

-- 
Joshua Kinard
Gentoo/MIPS
kumba () gentoo org
4096R/D25D95E3 2011-03-28

"The past tempts us, the present confuses us, the future frightens us.  And
our lives slip away, moment by moment, lost in that vast, terrible in-between."

--Emperor Turhan, Centauri Republic

Attachment: signature.asc
Description: OpenPGP digital signature

------------------------------------------------------------------------------
Keep Your Developer Skills Current with LearnDevNow!
The most comprehensive online learning library for Microsoft developers
is just $99.99! Visual Studio, SharePoint, SQL - plus HTML5, CSS3, MVC3,
Metro Style Apps, more. Free future releases when you subscribe now!
http://p.sf.net/sfu/learndevnow-d2d

_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel

Please visit http://blog.snort.org for the latest news about Snort!

Current thread:

threshold -- is it really deprecated? Joshua Kinard (Jan 20)
- Re: threshold -- is it really deprecated? Russ Combs (Jan 20)
  - Re: threshold -- is it really deprecated? Eoin Miller (Jan 20)
  - Re: threshold -- is it really deprecated? Joshua Kinard (Jan 20)
    - Re: threshold -- is it really deprecated? Russ Combs (Jan 21)
    - Re: threshold -- is it really deprecated? Patrick Mullen (Jan 21)
    - Re: [Snort-users] threshold -- is it really deprecated? Eoin Miller (Jan 22)
    - Re: [Snort-users] threshold -- is it really deprecated? elof (Jan 23)
    - Re: [Snort-users] threshold -- is it really deprecated? Joel Esler (Jan 23)
    - Re: [Snort-users] threshold -- is it really deprecated? Jason Brvenik (Jan 23)
    - Re: [Snort-users] threshold -- is it really deprecated? Joshua Kinard (Jan 23)

(Thread continues...)