Re: help with time in rules

[waldo kitty <wkitty42 () windstream net>]

On 11/6/2012 04:01, Jose A. wrote:
> Hello!
>
> I have a question when i want to develop a rule in snort.
>
> It is possible to specify the time and the number of events in the rule?
>
> For example, create an alarm when the same event occurs within two minutes 10 times.


yes, that's the threshold keyword... however, threshold has been deprecated and 
there are other keywords to use... the new keywords are

     detection_filter: track <by_src|by_dst>, count <c>, seconds <s>;

     event_filter gen_id <gid>, sig_id <sid>, type <limit|threshold|both>, track 
<by_src|by_dst>, count <c>, seconds <s>

detection_filter is the one for use in the rule itself... event_filter is for 
use in the threshold file (if i'm reading the documentation properly)...


one reason why threshold in the rule was deprecated was because there are/were 
two meanings for it... there is also a threshold file that can be used to limit 
rules and those two meanings were easily confused... however, the last time i 
checked, you could not threshold (the file) a rule that already used threshold 
in the rule... being able to do this would be a GoodThing<tm> in some cases, 
though...


------------------------------------------------------------------------------
LogMeIn Central: Instant, anywhere, Remote PC access and management.
Stay in control, update software, and manage PCs from one command center
Diagnose problems and improve visibility into emerging IT issues
Automate, monitor and manage. Do more in less time with Central
http://p.sf.net/sfu/logmein12331_d2d
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!