Snort mailing list archives

Re: Question About Thresholds


From: Alex Kirk <akirk () sourcefire com>
Date: Wed, 20 Mar 2013 17:36:08 -0400

First of all, the "threshold" keyword is deprecated in favor of
"detection_filter".

That said, detection_filter depends on whether you're running the rule as
an "alert" or "drop" rule. In both cases, you won't actually get an event
until you reach the threshold specified by the keyword; if it's a drop sig,
it won't begin to drop until that point in time, either - but will continue
dropping packets until the timeout on the keyword is reached. For example,
"detection_filter:track by_src, count 10, seconds 30" would just be
incrementing an internal counter until the 10th matching packet, which
would then be dropped; if that occurred at, say, 5 seconds after the 1st
matching packet, any packets matching the rule for the next 25 seconds
would be dropped and would generate an event. At second 30.00000001, the
counter is reset and you start from scratch.

You may also want to look at event_filter (
http://manual.snort.org/node19.html#event_filtering), which only impacts
the number of events generated. That's probably closer to what you want,
given that you were using "limit" from the "threshold" keyword. Note,
however, that event_filters are specified outside of the rule itself, in
your snort.conf.


On Wed, Mar 20, 2013 at 11:40 AM, Miso Patel <miso.patel () gmail com> wrote:

I apologize for a simple question but I was hoping for some clarity on a
situation from my engineers.

If a Snort signature is thresholded (using the "limit" option), does this
just limit alerts, and does the dropping of this traffic, if the rule is
written to drop and Snort is in "IPS mode", still happen even if the
threshold is causing not all alerts to be generated?

I think it does, but the Snort manual does not make this clear or I am not
reading the right pages.

Thanks.

-Miso, CISO



------------------------------------------------------------------------------
Everyone hates slow websites. So do we.
Make your web apps faster with AppDynamics
Download AppDynamics Lite for free today:
http://p.sf.net/sfu/appdyn_d2d_mar
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!




-- 
Alex Kirk
AEGIS Program Lead
Sourcefire Vulnerability Research Team
+1-410-423-1937
alex.kirk () sourcefire com
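The counter behaviour Alex describes for detection_filter (nothing until the 10th match, then drop plus event for every match until the 30-second window lapses and the counter resets) and his note that event_filter only limits how many events are emitted can be replayed as a small model. The following is an added example, not Snort source and not code from either message: the function names, the per-source window logic and the packet list are constructed here to illustrate the two keywords with the same `count 10, seconds 30` values used above, plus an event_filter `limit 1` applied to a drop rule.

```python
# Model of detection_filter vs. event_filter (type limit) on a drop rule.
# Added example: constructed packet list, not Snort source or thread code.
from typing import Dict, List, Optional, Tuple

Packet = Tuple[float, str]  # (seconds since capture start, source IP)


def _window_count(state: Dict[str, Tuple[Optional[float], int]],
                  src: str, ts: float, seconds: int) -> int:
    """Per-source counter shared by both models.  The window opens on the
    first match and the counter resets on the first packet that arrives
    more than `seconds` after it (Alex's "second 30.00000001")."""
    start, n = state.get(src, (None, 0))
    if start is None or ts - start > seconds:
        start, n = ts, 0  # new window begins with this packet
    n += 1
    state[src] = (start, n)
    return n


def detection_filter(packets: List[Packet], count: int,
                     seconds: int) -> List[Tuple[float, str, str]]:
    """detection_filter: track by_src, count N, seconds T, on a drop rule.
    Matches below N in a window only bump the counter; from the N-th match
    until the window expires every match is dropped and generates an event."""
    state: Dict[str, Tuple[Optional[float], int]] = {}
    result = []
    for ts, src in packets:
        n = _window_count(state, src, ts, seconds)
        result.append((ts, src, "drop+event" if n >= count else "pass"))
    return result


def event_filter_limit(packets: List[Packet], limit: int,
                       seconds: int) -> List[Tuple[float, str, str, bool]]:
    """event_filter type limit, track by_src, count N, seconds T (set in
    snort.conf, not in the rule) on a drop rule.  The rule action is not
    affected: every match is dropped; only the first N matches per window
    are logged, so the last field says whether an event was emitted."""
    state: Dict[str, Tuple[Optional[float], int]] = {}
    result = []
    for ts, src in packets:
        n = _window_count(state, src, ts, seconds)
        result.append((ts, src, "drop", n <= limit))
    return result


# Constructed traffic: 10.0.0.1 sends 10 matches in the first 9 s, three more
# inside the 30 s window and one just after it; 10.0.0.2 sends only two.
SAMPLE_PACKETS: List[Packet] = sorted(
    [(float(t), "10.0.0.1") for t in range(10)]
    + [(12.0, "10.0.0.1"), (20.0, "10.0.0.1"), (30.0, "10.0.0.1"),
       (30.5, "10.0.0.1")]
    + [(1.0, "10.0.0.2"), (2.0, "10.0.0.2")]
)


def summarize(packets: List[Packet] = SAMPLE_PACKETS, count: int = 10,
              seconds: int = 30, limit: int = 1) -> Dict[str, int]:
    """Side-by-side totals: how many packets each keyword drops and how
    many events the event_filter model lets through."""
    df = detection_filter(packets, count, seconds)
    ef = event_filter_limit(packets, limit, seconds)
    return {
        "detection_filter_dropped": sum(a == "drop+event" for _, _, a in df),
        "event_filter_dropped": sum(a == "drop" for _, _, a, _ in ef),
        "event_filter_logged": sum(1 for _, _, _, logged in ef if logged),
    }


if __name__ == "__main__":
    for ts, src, action in detection_filter(SAMPLE_PACKETS, 10, 30):
        print(f"{ts:5.1f}  {src:<9} {action}")
    print(summarize())
```

With the constructed sequence, detection_filter drops only the 10th, 11th, 12th and 13th matches from 10.0.0.1 (the one at 30.5 s starts a fresh window and passes), while the event_filter model drops all 16 packets and logs three events: one per source per window.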