Snort mailing list archives

Re: Event_filters don't work with in-rule threshold filters.


From: wkitty42 () windstream net
Date: Mon, 25 Apr 2016 12:39:57 -0400

On 04/25/2016 11:30 AM, fatema bannatwala wrote:
> Hi,
>
> I am a new Snort user, and started looking at some alerts. I wanted to customize
> the rule thresholds by defining a stand-alone event_filter in the threshold.config
> file for a specific gid and sid.
>
> I realized that after doing that, Snort doesn't start, and when I disable those
> event_filters in threshold.config, Snort starts normally.
> After looking into the original rule in the .rules files pulled by pulledpork, I
> noticed that the rules I was trying to write an event_filter for have an in-rule
> threshold command limiting the logged alerts.
> When I read the documentation, it doesn't say anything like "you can't specify
> event_filters for rules that already have a threshold command defined inside
> the rule".
> And I think that's the problem, and that's why Snort fails to start when I try to
> define stand-alone event_filters for rules that have a threshold defined inside
> the rule.

Very likely this is the problem... what does Snort put in the log?

> So I wanted to ask what the correct way is to limit alerts from rules that
> already have a threshold defined in them. (I have many rules for which I would
> really like to define event_filters to limit the logged alerts, but am not able
> to do that.)

The current method is to either modify those rules in place using existing tools
that make use of the modifysid method OR disable them in the original rules
file, copy them to your local.rules file and modify them as needed...
Don't forget to change the SID and revision number...

> I apologize if this has already been discussed in some other thread (any pointer
> to the same would be appreciated).
> Thanks in advance.

I remember it was discussed on some list (one of the Snort ones or the Emerging
Threats one) several years ago... I am/was on the side of being able to
threshold already thresholded rules... These days, though, I don't desire it as
much as I used to... I can easily filter out those alerts that are noisy and in
the way when I'm looking at other things...

-- 
  NOTE: No off-list assistance is given without prior approval.
        *Please keep mailing list traffic on the list* unless
        private contact is specifically requested and granted.
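The workaround described in the reply above, worked through as an added Python example (this is not Snort's or pulledpork's own code, and it is not part of the original thread). Given a rule that already carries an in-rule threshold option, it produces the pieces the reply calls for: a disablesid.conf entry for the upstream rule, a local.rules copy with the threshold option removed and a fresh SID and revision, the threshold.config event_filter keyed on that new SID, and, as the in-place alternative, a modifysid.conf line that swaps the in-rule threshold for the desired one. A final check scans a rule set and a threshold.config for the combination the original poster reports keeps Snort from starting: an event_filter whose gid:sid also has an in-rule threshold. Assumptions: the sample rule is constructed; the Snort 2.x event_filter and threshold syntax is used; local SIDs start at 1000000 (the range Snort documents as reserved for local rules); and the modifysid.conf line follows pulledpork's `<gid:sid> "<from text>" "<to text>"` form.

```python
import re

# Constructed sample rule (not from the page): it carries an in-rule
# "threshold" option, which is the situation the thread describes.
SAMPLE_RULE = (
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 22 '
    '(msg:"EXAMPLE SSH brute force attempt"; flags:S; '
    'threshold:type both, track by_src, count 5, seconds 60; '
    'classtype:attempted-admin; sid:2000001; rev:3;)'
)
LOCAL_SID_MIN = 1000000  # Snort reserves SIDs >= 1,000,000 for local rules
EVENT_FILTER_RE = re.compile(r'^\s*event_filter\s+gen_id\s+(\d+)\s*,\s*sig_id\s+(\d+)', re.I)


def split_options(body):
    """Split a rule's option body on ';' outside double quotes, honouring \\ escapes."""
    opts, cur, in_quote, escape = [], [], False, False
    for ch in body:
        if not escape and ch == ';' and not in_quote:
            opts.append(''.join(cur).strip())
            cur = []
            continue
        if not escape and ch == '"':
            in_quote = not in_quote
        escape = (ch == '\\') and not escape
        cur.append(ch)
    opts.append(''.join(cur).strip())
    return [o for o in opts if o]


def option_name(opt):
    return opt.partition(':')[0].strip()


def parse_rule(rule):
    """Return (header, option list, {option name: first value}) for one rule."""
    m = re.match(r'^(?P<header>[^(]+?)\s*\((?P<body>.*)\)\s*$', rule.strip())
    if not m:
        raise ValueError('not a Snort rule: %r' % rule)
    opts = split_options(m.group('body'))
    kv = {}
    for o in opts:
        kv.setdefault(option_name(o), o.partition(':')[2].strip())
    return m.group('header'), opts, kv


def rule_id(kv):
    return int(kv.get('gid', 1)), int(kv['sid'])  # gid defaults to 1 when absent


def rethreshold(rule, new_sid, ftype='limit', track='by_src', count=1, seconds=300):
    """Build the reply's workaround for one thresholded rule: a disablesid entry,
    a local.rules copy on a new SID, the event_filter for that SID, and the
    modifysid alternative that rewrites the in-rule threshold in place."""
    header, opts, kv = parse_rule(rule)
    gid, old_sid = rule_id(kv)
    if new_sid < LOCAL_SID_MIN:
        raise ValueError('pick a SID in the local range (>= %d)' % LOCAL_SID_MIN)
    in_rule = [o for o in opts if option_name(o) == 'threshold']
    if not in_rule:
        raise ValueError('rule %d:%d has no in-rule threshold' % (gid, old_sid))
    new_filter = 'type %s, track %s, count %d, seconds %d' % (ftype, track, count, seconds)
    kept = []
    for o in opts:
        name = option_name(o)
        if name == 'threshold':
            continue                  # the limit moves to threshold.config
        if name == 'sid':
            o = 'sid:%d' % new_sid    # new identity, cannot clash with upstream
        elif name == 'rev':
            o = 'rev:1'               # fresh revision for the local copy
        kept.append(o)
    return {
        'disablesid': '%d:%d' % (gid, old_sid),
        'local_rule': '%s (%s;)' % (header, '; '.join(kept)),
        'event_filter': 'event_filter gen_id %d, sig_id %d, %s' % (gid, new_sid, new_filter),
        # assumed pulledpork modifysid.conf form: <gid:sid> "<from>" "<to>"
        'modifysid': '%d:%d "%s" "threshold:%s"' % (gid, old_sid, in_rule[0], new_filter),
    }


def find_conflicts(rules, threshold_config):
    """gid:sid pairs that have both an in-rule threshold and an event_filter,
    the combination the poster reports stops Snort from starting."""
    thresholded = set()
    for r in rules:
        if r.strip() and not r.lstrip().startswith('#'):
            _, opts, kv = parse_rule(r)
            if any(option_name(o) == 'threshold' for o in opts):
                thresholded.add(rule_id(kv))
    hits = []
    for line in threshold_config.splitlines():
        m = EVENT_FILTER_RE.match(line)
        if m and (int(m.group(1)), int(m.group(2))) in thresholded:
            hits.append((int(m.group(1)), int(m.group(2))))
    return hits


if __name__ == '__main__':
    out = rethreshold(SAMPLE_RULE, 1000001)
    for key, value in out.items():
        print('%-12s %s' % (key, value))
    print('conflicts:', find_conflicts([SAMPLE_RULE], out['event_filter'].replace('1000001', '2000001')))
```

Run the conflict check against your rules directory and threshold.config before restarting Snort; it points at the exact gid:sid pairs to fix. Whichever path you take, keep the upstream rule disabled so the local copy is the only one firing, and pick a local SID that is not already used in local.rules. The local.rules copy stops tracking upstream updates to that rule, while the modifysid route keeps the upstream body and only rewrites the threshold on each pulledpork run.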

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
