Snort mailing list archives
Re: Question About Threshholds
From: Alex Kirk <akirk () sourcefire com>
Date: Wed, 20 Mar 2013 17:36:08 -0400
First of all, the "threshold" keyword is deprecated in favor of "detection_filter". That said, detection_filter depends on whether you're running the rule as an "alert" or "drop" rule. In both cases, you won't actually get an event until you reach the threshold specified by the keyword; if it's a drop sig, it won't begin to drop until that point in time, either, but will continue dropping packets until the timeout on the keyword is reached.

For example, "detection_filter:track by_src, count 10, seconds 30" would just be incrementing an internal counter until the 10th matching packet, which would then be dropped; if that occurred at, say, 5 seconds after the 1st matching packet, any packets matching the rule for the next 25 seconds would be dropped and would generate an event. At second 30.00000001, the counter is reset and you start from scratch.

You may also want to look at event_filter (http://manual.snort.org/node19.html#event_filtering), which only impacts the number of events generated. That's probably closer to what you want, given that you were using "limit" from the "threshold" keyword. Note, however, that event_filters are specified outside of the rule itself, in your snort.conf.

On Wed, Mar 20, 2013 at 11:40 AM, Miso Patel <miso.patel () gmail com> wrote:
I apologize for a simple question, but I was hoping for some clarity on a situation from my engineers. If a Snort signature is thresholded (using the "limit" option), does this just limit alerts, and does the dropping of this traffic, if the rule is written to drop and Snort is in "IPS mode", still happen even if the threshold is causing not all alerts to be generated? I think it does, but the Snort manual does not make this clear, or I am not reading the right pages. Thanks.

-Miso, CISO
--
Alex Kirk
AEGIS Program Lead
Sourcefire Vulnerability Research Team
+1-410-423-1937
alex.kirk () sourcefire com
_______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-sigs http://www.snort.org Please visit http://blog.snort.org for the latest news about Snort!
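The reply above answers the question in words; the following Python model, added here as an illustration and not taken from Snort's source or from either poster, runs the two keywords over a constructed packet stream so the difference is visible. It assumes the window semantics exactly as the reply describes them (the counter opens on a source's first matching packet, the rule fires from the count-th match until the window closes, then resets) and treats event_filter purely as a logging gate that never touches the drop decision, which is the point Alex makes. The rule and snort.conf lines in the comments use a hypothetical sid 1000001 and are there only to show where each keyword lives.

```python
"""Model of detection_filter (in the rule) vs event_filter (in snort.conf).

Added example; the semantics are taken from the mailing-list reply, not from
Snort's implementation.  Hypothetical rule and config this models:

  drop tcp any any -> $HOME_NET 22 (msg:"SSH brute force";
      detection_filter:track by_src, count 10, seconds 30; sid:1000001; rev:1;)

  event_filter gen_id 1, sig_id 1000001, type limit, track by_src, count 1, seconds 60
"""

# Constructed sample traffic: (timestamp in seconds, source IP).  One matching
# packet per second from one host for 12 seconds, then one more after the
# 30-second window has expired.
SAMPLE_PACKETS = [(t, "10.0.0.5") for t in range(12)] + [(31, "10.0.0.5")]


class DetectionFilter:
    """detection_filter: track by_src, count COUNT, seconds SECONDS."""

    def __init__(self, count, seconds):
        self.count = count
        self.seconds = seconds
        self.windows = {}  # src -> (window_start, matches_seen)

    def match(self, src, ts):
        """Count one matching packet; True means the rule fires on it."""
        start, seen = self.windows.get(src, (None, 0))
        if start is None or ts - start > self.seconds:
            start, seen = ts, 0  # first match, or window expired: reset
        seen += 1
        self.windows[src] = (start, seen)
        return seen >= self.count


class EventFilterLimit:
    """event_filter type limit: log the first COUNT events per window from a
    source and suppress the rest.  Only logging is affected."""

    def __init__(self, count, seconds):
        self.count = count
        self.seconds = seconds
        self.windows = {}  # src -> (window_start, events_logged)

    def allow(self, src, ts):
        start, logged = self.windows.get(src, (None, 0))
        if start is None or ts - start > self.seconds:
            start, logged = ts, 0
        if logged < self.count:
            self.windows[src] = (start, logged + 1)
            return True
        self.windows[src] = (start, logged)
        return False


def run_rule(packets, action, dfilter, efilter=None):
    """Return one (ts, src, dropped, logged) tuple per matching packet."""
    results = []
    for ts, src in packets:
        fires = dfilter.match(src, ts)
        # The IPS verdict depends only on the rule action and detection_filter;
        # event_filter never sees it.
        dropped = fires and action == "drop"
        logged = fires and (efilter is None or efilter.allow(src, ts))
        results.append((ts, src, dropped, logged))
    return results


def dropped_timestamps(results):
    return [ts for ts, _, dropped, _ in results if dropped]


def logged_timestamps(results):
    return [ts for ts, _, _, logged in results if logged]


if __name__ == "__main__":
    res = run_rule(SAMPLE_PACKETS, "drop",
                   DetectionFilter(count=10, seconds=30),
                   EventFilterLimit(count=1, seconds=60))
    print("dropped at:", dropped_timestamps(res))  # [9, 10, 11]
    print("logged at :", logged_timestamps(res))   # [9]
```

With the drop rule, packets 10, 11 and 12 from the host (t=9, 10, 11) are all dropped, the packet at t=31 starts a fresh window and passes, and the event_filter limit leaves only the first of the three drops in the alert log. Running the same stream with the rule as "alert" drops nothing and logs all three.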
Current thread:
- Question About Threshholds Miso Patel (Mar 20)
- Re: Question About Threshholds Alex Kirk (Mar 20)