Snort mailing list archives

Re: Event_filters don't work with in-rule threshold filters.


From: Y M <snort () outlook com>
Date: Mon, 25 Apr 2016 20:03:24 +0000


Or you can use the modifysid.conf to completely remove the event_filter or modify its value per-rule to the desired 
value.

YM

________________________________
From: fatema bannatwala <fatema.bannatwala () gmail com>
Sent: Monday, April 25, 2016 5:43 PM
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Event_filters don't work with in-rule threshold filters.

Thanks WKitty42 for the quick response.
For some reason I didn't get the reply in my inbox; I was surfing the internet and got to read it there.

I don't see any error logging in the snort log file; I think I have to enable the debugging mode for the same.

We are running snort in production, and daily the updated list of the rules gets pulled by pulledpork, so even if I 
comment the rules out in the original .rules file, it will get updated with the un-commented version the next morning.

I think I will go with the option of disabling the sid using the disablesid.conf file and then editing the original rule in 
the local.rules file with new sids.
Thank you for the suggestion, but I feel that if we can't define stand-alone event_filters for the rules we want (just 
because rules already have threshold defined in them), it forfeits the whole purpose of introducing the stand-alone 
event_filter feature :( (Yes, it can be useful as global filters, but not for fine-grained control over specific rules)

Thanks!

Fatema.

On Mon, Apr 25, 2016 at 11:30 AM, fatema bannatwala <fatema.bannatwala () gmail com> wrote:
Hi,

I am a new snort user, and started looking at some alerts. I wanted to customize the rules threshold by defining 
stand-alone event_filter in threshold.config file for specific gid and sid.

I realized that after doing that, snort doesn't start, and when I disable those event_filters in threshold.config, 
snort starts normally.
After looking into the original rules in the .rules files pulled by pulledpork, I noticed that the rules that I was trying 
to write event_filters for have an in-rule threshold command limiting the logged alerts.
When I read the documentation, it doesn't say anything about "you can't specify event_filters for the rules that 
already have "threshold command" defined inside the rules".
And I think that's the problem and that's why snort fails to start when I try to define stand-alone event filters for 
the rules having threshold defined inside the rules.

So I wanted to ask: what's the correct way to limit the alerts of some rules that already have a threshold defined in them? 
(I have many rules for which I would really like to define event_filters to limit the logged alerts, but am not able to 
do that.)

I apologize if this has already been discussed in some other thread (any pointer to the same would be appreciated).
Thanks in advance.

Thanks,
Fatema.


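The configurations discussed in the thread above, written out as an added example that is not part of the original posts: a pulled rule carrying an in-rule threshold, the stand-alone event_filter for the same gid:sid that stops Snort from starting, and the two pulledpork-based workarounds (YM's modifysid.conf edit and Fatema's disablesid.conf plus local.rules copy). The rule bodies, the SIDs 1234567 and 1000001, the file paths and the exact search/replace strings are assumed placeholders; the modifysid.conf search string relies on pulledpork treating it as a regular substitution and should be checked against the pulledpork version in use. Snort 2.x permits only one threshold or event_filter per gen_id/sig_id pair and exits with a configuration error if a second one is supplied, which is why option 3a removes or edits the in-rule threshold rather than adding to it.

```conf
# --- 1. What the pulled rule looks like (illustrative rule, not a real Talos/VRT rule) ---
# /etc/snort/rules/snort.rules is rewritten by pulledpork on every run, so hand edits here are lost.
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXAMPLE ssh brute force"; \
    flow:to_server,established; \
    threshold:type threshold, track by_src, count 5, seconds 60; \
    classtype:attempted-recon; sid:1234567; rev:1;)

# --- 2. The stand-alone filter that makes Snort refuse to start ---
# /etc/snort/threshold.conf: a second filter for a gid:sid that already has an in-rule threshold.
# Only one filter may apply to a given gen_id/sig_id pair; Snort reports a config error and exits.
event_filter gen_id 1, sig_id 1234567, type limit, track by_src, count 1, seconds 3600

# --- 3a. YM's workaround: let pulledpork edit the rule on every pull ---
# /etc/snort/modifysid.conf, format: <sid>[,<sid>...] "<search>" "<replace>"
# Either strip the in-rule threshold so the event_filter above becomes the only one and loads:
1234567 "threshold:type threshold, track by_src, count 5, seconds 60; " ""
# ...or (instead of the line above) keep it in-rule and just change the values, leaving
# threshold.conf without an entry for this sid:
# 1234567 "count 5, seconds 60" "count 1, seconds 3600"

# --- 3b. Fatema's workaround: disable the pulled rule and own a copy in local.rules ---
# /etc/snort/disablesid.conf (gid:sid form)
1:1234567
# /etc/snort/rules/local.rules is not managed by pulledpork; use a sid in the local range
# (>= 1000000) and drop the in-rule threshold from the copy.
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"LOCAL ssh brute force"; \
    flow:to_server,established; \
    classtype:attempted-recon; sid:1000001; rev:1;)
# /etc/snort/threshold.conf then targets the new sid instead of the pulled one:
event_filter gen_id 1, sig_id 1000001, type limit, track by_src, count 1, seconds 3600

# Verify the configuration parses before restarting the daemon (run in a shell):
#   snort -T -c /etc/snort/snort.conf
```

With either workaround, re-run `snort -T` after each pulledpork run; if the modifysid.conf search string stops matching because the upstream rule text changed, the in-rule threshold comes back and the duplicate-filter error with it.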