Snort mailing list archives
Re: [Snort-users] threshold -- is it really deprecated?
From: Joshua Kinard <kumba () gentoo org>
Date: Mon, 23 Jan 2012 16:05:39 -0500
On 01/23/2012 11:18, Joel Esler wrote:
> Just let everyone know what we've done as a result of this conversation. We've put in a couple of bugs to track this/these issue/issues and we're going to evaluate what we can do to satisfy the requirements/opinions stated here. I'll follow up with this thread when we make progress.

One thing I would like to propose after reading Patrick's explanation is that if threshold, type 'threshold', mimics detection_filter (although my reading of the current manual indicates they're not a 10% match-up), then that should be removed and only threshold, type 'limit', retained for in-rule use, probably by axing the 'type' argument completely. I would then recommend that the manual be updated to clarify the precise operation of detection_filter versus threshold, because this is an important distinction for performance reasons. Leave event_filter and rate_limits to provide some kind of global or group-matching capabilities, such as by specific SID, a SID wildcard mask or range, or possibly a classtype grouping. An individual threshold/detection_filter keyword inside a rule would override the more global definition in event_filter/rate_limits and provide a top-down, granular approach to managing both aspects of actual alerting/dropping OR the event output suppression.

-- 
Joshua Kinard
Gentoo/MIPS
kumba () gentoo org
4096R/D25D95E3 2011-03-28

"The past tempts us, the present confuses us, the future frightens us. And our lives slip away, moment by moment, lost in that vast, terrible in-between." --Emperor Turhan, Centauri Republic
Attachment:
signature.asc
Description: OpenPGP digital signature
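As an added illustration (not part of this thread and not Snort's own code), the following Python model contrasts the in-rule counting keywords Joshua is discussing: `threshold` with type `limit`, `threshold` and `both`, and `detection_filter`. The semantics encoded here are those the Snort 2.9 manual gives for these keywords as I recall them, which is an assumption this thread does not confirm: `limit` alerts on the first `count` events per window, `threshold` on every `count`-th event, `both` once per window on the `count`-th event, and `detection_filter` only lets the rule match once more than `count` matches have been seen in the window. The global `event_filter` applies the same limit/threshold/both counting to a gen_id/sig_id pair. The event stream and the host keys `A` and `B` are constructed sample data.

```python
from typing import Dict, List, Optional, Tuple

Event = Tuple[int, str]   # (timestamp in seconds, tracked key such as a source IP)


class WindowCounter:
    """Per-key event counter over a fixed window that starts at the key's
    first event and resets once `seconds` have elapsed (assumed model of
    Snort's track by_src / by_dst bookkeeping)."""

    def __init__(self, seconds: int) -> None:
        self.seconds = seconds
        self.state: Dict[str, Tuple[Optional[int], int]] = {}  # key -> (window_start, n)

    def observe(self, key: str, ts: int) -> int:
        """Record one event and return its ordinal within the current window."""
        start, n = self.state.get(key, (None, 0))
        if start is None or ts - start >= self.seconds:
            start, n = ts, 0            # first event, or window expired: restart
        n += 1
        self.state[key] = (start, n)
        return n


def should_alert(kind: str, n: int, count: int) -> bool:
    """Decide whether the n-th in-window event produces output under `kind`."""
    if kind == "limit":              # threshold: type limit, count c
        return n <= count
    if kind == "threshold":          # threshold: type threshold, count c
        return n % count == 0
    if kind == "both":               # threshold: type both, count c
        return n == count
    if kind == "detection_filter":   # detection_filter: count c (rule matches only past c)
        return n > count
    raise ValueError(f"unknown kind {kind!r}")


def alerting_indices(kind: str, events: List[Event], count: int, seconds: int) -> List[int]:
    """Return the indices of `events` that would produce an alert."""
    counter = WindowCounter(seconds)
    return [i for i, (ts, key) in enumerate(events)
            if should_alert(kind, counter.observe(key, ts), count)]


# Constructed sample: eight matches from host A one second apart, one from host B.
SAMPLE_EVENTS: List[Event] = [
    (0, "A"), (1, "A"), (2, "A"), (3, "B"),
    (4, "A"), (5, "A"), (6, "A"), (7, "A"), (8, "A"),
]


def compare_keywords(events: List[Event] = SAMPLE_EVENTS,
                     count: int = 3, seconds: int = 60) -> Dict[str, List[int]]:
    """Run every keyword over the same event stream with the same count/seconds,
    so the difference in what reaches the output plugins is visible side by side."""
    return {kind: alerting_indices(kind, events, count, seconds)
            for kind in ("limit", "threshold", "both", "detection_filter")}


if __name__ == "__main__":
    for kind, idx in compare_keywords().items():
        print(f"{kind:17s} alerts on events {idx}")
```

With `count 3, seconds 60`, `limit` passes the first three events from A plus the single one from B, `threshold` fires on A's 3rd and 6th, `both` only on A's 3rd, and `detection_filter` stays silent until A's 4th match and then fires on every later one in the window. That last behaviour is why detection_filter belongs in the detection phase (the rule simply does not match until the rate is exceeded), while threshold only suppresses output of events the rule has already matched.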
_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Please visit http://blog.snort.org for the latest news about Snort!