Snort mailing list archives

Re: Using detection_filter instead of threshold
From: "Eric L. Howard" <ericlhoward () gmail com>
Date: Wed, 27 Oct 2010 13:13:19 -0400

On Wed, Oct 27, 2010 at 12:47 PM, L0rd Ch0de1m0rt
<l0rdch0de1m0rt () gmail com> wrote:
Thanks.  Is there any way to do it in the rule itself like back in the
salad days?



* detection_filter replaces the existing in-rule threshold, which is now
  obsolete.  Furthermore, the existing threshold when used within a rule was
  not part of the detection process; it was equivalent to a standalone
  threshold.  To retain the functionality of existing in-rule thresholds,
  reformat them as standalone event_filters (see below).

* event_filter replaces the existing standalone threshold, which is now
  deprecated.  Furthermore, even though event_filter is an alias for threshold,
  which is allowed to appear in a rule (although that use is now also
  deprecated), event_filter will not be allowed in a rule.  Such use will
  result in a fatal error during initialization.


Snort-sigs mailing list
Snort-sigs () lists sourceforge net
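
The conversion described in the first bullet, as an added example that is not part of the original message or of Snort itself: a small Python helper that strips an obsolete in-rule `threshold` option and emits the equivalent standalone `event_filter` line. The function names, the sample rule and its sid are constructed for illustration, and the helper assumes a generator ID of 1 when the rule carries no `gid` option.

```python
import re
# Constructed sample rule using the obsolete in-rule threshold option.
SAMPLE_RULE = ('alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SSH SYN burst"; '
               'flags:S; threshold: type both, track by_src, count 5, seconds 60; '
               'classtype:attempted-recon; sid:1000001; rev:1;)')

def split_options(body):
    """Split an option body on ';', skipping ';' inside quotes or after a backslash."""
    opts, cur, in_quote, escaped = [], [], False, False
    for ch in body:
        if escaped:
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == '"':
            in_quote = not in_quote
        elif ch == ";" and not in_quote:
            opts.append("".join(cur).strip())
            cur = []
            continue
        cur.append(ch)
    opts.append("".join(cur).strip())
    return [o for o in opts if o]

def convert_rule(rule):
    """Return (rule without in-rule threshold, standalone event_filter line or None)."""
    m = re.match(r"^(.*?)\((.*)\)\s*$", rule.strip(), re.S)
    if not m:
        raise ValueError("no option body found")
    kept, threshold = [], None
    ids = {"gid": "1", "sid": None}  # assumption: gid defaults to 1 when absent
    for opt in split_options(m.group(2)):
        key, _, val = opt.partition(":")
        key, val = key.strip().lower(), val.strip()
        if key == "threshold":
            threshold = ", ".join(p.strip() for p in val.split(","))
            continue  # drop the in-rule option from the rewritten rule
        if key in ids:
            ids[key] = val
        kept.append(opt)
    new_rule = m.group(1) + "(" + "; ".join(kept) + ";)"
    if threshold is None:
        return new_rule, None
    if ids["sid"] is None:
        raise ValueError("cannot build an event_filter without a sid")
    return new_rule, f"event_filter gen_id {ids['gid']}, sig_id {ids['sid']}, {threshold}"

if __name__ == "__main__":
    print(*convert_rule(SAMPLE_RULE), sep="\n")
```

The emitted `event_filter` line goes in the Snort configuration rather than in the rule, since `event_filter` inside a rule is a fatal error at initialization.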
