Snort mailing list archives
Re: threshold -- is it really deprecated?
From: Eoin Miller <eoin.miller () trojanedbinaries com>
Date: Sat, 21 Jan 2012 00:00:33 +0000
On 1/20/2012 8:04 PM, Russ Combs wrote:
> Eoin, event_filters sit between detection and logging, and an equally strong case (IMHO) can be made for more closely associating event_filters with logging (user preference) than for associating with rules (community expertise). And rate_filters are in the same boat. Maybe VRT can offer more insight re tools and plans.
If the replacement for threshold includes detection_filter (which is still accessible from within the rules), then it still gives the rule writers the ability to override user preference with community expertise. However, detection_filter only works one way, in that it allows the rule writer to alert only after 100 matches occur rather than alert 1 time and suppress all other alerts that occur for an hour. This leaves me really confused if detection_filter is still left inside of Snort and is not removed at the same time as threshold.

If both are removed and replaced with event_filters and rate_filters only, and those can only be accessed from within the conf files, it leaves users with more management overhead that will also require rule management tools to now handle CONF files in addition to the rules. I get the idea that the person running the IDS box knows the network better than the rule writer in the community. However, there is nothing stopping them from using rule rewrite functionality in pulledpork to manage this stuff as it is currently. Or, just disable the rule in pulledpork, put a copy in local.rules and tweak it to their organization's needs and run that. Instead, everyone is going to be forced into redoing the same work at the per-organization level instead of using all the work that was already done at the community level.

-- Eoin
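The asymmetry Eoin describes, as an added illustration that is not part of the original thread: a simplified Python model of an event_filter of type limit (alert on the first N matches per window, then suppress) beside a detection_filter (suppress until more than N matches, then alert on every further one). The fixed window keyed by source address, the 150-match sample and the counts are constructed assumptions, not Snort's exact implementation.

```python
class WindowCounter:
    """Count matches per key inside fixed `seconds` windows (assumption:
    real Snort tracking is more involved; this is enough to show the shape)."""
    def __init__(self, count, seconds):
        self.count, self.seconds = count, seconds
        self.window = {}  # key -> (window_start, matches_seen)

    def _observe(self, key, ts):
        start, seen = self.window.get(key, (ts, 0))
        if ts - start >= self.seconds:      # window expired: start a fresh one
            start, seen = ts, 0
        seen += 1
        self.window[key] = (start, seen)
        return seen


class EventLimitFilter(WindowCounter):
    """event_filter type limit: log the first `count` matches per key in each
    window and drop the rest (the old threshold 'limit' behaviour)."""
    def allow(self, key, ts):
        return self._observe(key, ts) <= self.count


class DetectionFilter(WindowCounter):
    """detection_filter: stay silent until more than `count` matches from the
    same key occur within `seconds`, then alert on every further match."""
    def allow(self, key, ts):
        return self._observe(key, ts) > self.count


def alerts_generated(filt, events):
    """Number of (key, timestamp) matches that survive the filter."""
    return sum(1 for key, ts in events if filt.allow(key, ts))


# Constructed sample: one rule matches 150 times from a single source in 30 s.
SAMPLE = [("10.0.0.5", 0.2 * i) for i in range(150)]

if __name__ == "__main__":
    # "alert 1 time and suppress the rest for an hour" -> 1 alert
    print(alerts_generated(EventLimitFilter(1, 3600), SAMPLE))
    # "only alert after 100 matches" -> 50 alerts (matches 101..150)
    print(alerts_generated(DetectionFilter(100, 60), SAMPLE))
```

Running the two filters over the same match stream shows why one cannot substitute for the other: the limit filter reduces a burst to a single event, while detection_filter can only add alerts once a rate is exceeded.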