Snort mailing list archives
Re: Event_filters don't work with in-rule threshold filters.
From: wkitty42 () windstream net
Date: Mon, 25 Apr 2016 12:39:57 -0400
On 04/25/2016 11:30 AM, fatema bannatwala wrote:
Hi, I am a new snort user, and started looking at some alerts. I wanted to customize the rules threshold by defining stand-alone event_filter in threshold.config file for specific gid and sid. I realized that after doing that, snort doesn't start and when I disable those event_filters in threshold.config , snort will start normally. After looking into the original rule in .rules files pulled by pulledpork, I noticed that the rules that I was trying to write event_filter for, have in-rule threshold command limiting the logged alerts. When I read the documentation, it doesn't say anything about "you can't specify event_filters for the rules that already have "threshold command" defined inside the rules". And I think that's the problem and that's why snort fails to start when I try to define stand-alone event filters for the rules having threshold defined inside the rules.
very likely this is the problem... what does snort put in the log?
So I wanted to ask that what's the correct way to limit some rules alerts that already have threshold defined in them? (I have many rules for which I would really like to define event_filters to limit the logged alerts, but am not able to do that).
the current method is to either modify those rules in place using existing tools that make use of the modifysid method OR by disabling them in the original rules file, copying them to your local.rules file and modifying them as needed... don't forget to change the SID and revision number...
I apologize if this is already been discussed in some other thread (any pointer to the same would be appreciated). Thanks in advance.
i remember it was discussed in some list (one of the snort ones or the emerging threats one) several years ago... i am/was on the side of being able to threshold already thresholded rules... these days, though, i don't desire it as much as i used to... i can easily filter out those alerts that are noisy and in the way when i'm looking at other things... -- NOTE: No off-list assistance is given without prior approval. *Please keep mailing list traffic on the list* unless private contact is specifically requested and granted. ------------------------------------------------------------------------------ Find and fix application performance issues faster with Applications Manager Applications Manager provides deep performance insights into multiple tiers of your business applications. It resolves application problems quickly and reduces your MTTR. Get your free trial! https://ad.doubleclick.net/ddm/clk/302982198;130105516;z _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
Current thread:
- Event_filters don't work with in-rule threshold filters. fatema bannatwala (Apr 25)
- Re: Event_filters don't work with in-rule threshold filters. wkitty42 (Apr 25)
- Re: Event_filters don't work with in-rule threshold filters. fatema bannatwala (Apr 25)
- Re: Event_filters don't work with in-rule threshold filters. Y M (Apr 25)
- Re: Event_filters don't work with in-rule threshold filters. wkitty42 (Apr 25)
- Re: Event_filters don't work with in-rule threshold filters. Y M (Apr 25)