Snort mailing list archives

Re: Using detection_filter instead of threshold
From: Joel Esler <jesler () sourcefire com>
Date: Wed, 27 Oct 2010 13:15:29 -0400


All of that being said, you can still use threshold at this time. It's just time to start moving those things over to the new format. I suggest doing "thresholds" and suppressions in a separate file (not modifying the rule) anyway.

Sent from my iPhone

On Oct 27, 2010, at 1:13 PM, "Eric L. Howard" <ericlhoward () gmail com> wrote:

On Wed, Oct 27, 2010 at 12:47 PM, L0rd Ch0de1m0rt
<l0rdch0de1m0rt () gmail com> wrote:
Thanks.  Is there any way to do it in the rule itself like back in the
salad days?



* detection_filter replaces the existing in-rule threshold, which is now
 obsolete.  Furthermore, the existing threshold when used within a rule was
 not part of the detection process; it was equivalent to a standalone
 threshold.  To retain the functionality of existing in-rule thresholds,
 reformat them as standalone event_filters (see below).

* event_filter replaces the existing standalone threshold, which is now
 deprecated.  Furthermore, even though event_filter is an alias for threshold,
 which is allowed to appear in a rule (although that use is now also
 deprecated), event_filter will not be allowed in a rule.  Such use will
 result in a fatal error during initialization.
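As an added example (not code from the thread, from Sourcefire or from Snort itself), a small Python script that performs the migration the excerpt above recommends: it strips the obsolete in-rule `threshold` option and emits the equivalent standalone `event_filter` line for a separate file, keyed on the rule's `sid` and `gid` (defaulting to generator 1 when no `gid` is present). The sample rule is constructed, and the regular expressions assume the documented `threshold:type ..., track ..., count ..., seconds ...;` form.

```python
import re

# Constructed sample rule using the obsolete in-rule threshold (not from the thread).
OLD_RULE = ('alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SSH brute force attempt"; '
            'flow:to_server; threshold:type threshold, track by_src, count 5, seconds 60; '
            'classtype:attempted-admin; sid:1000001; rev:1;)')

# In-rule form: threshold:type <limit|threshold|both>, track <by_src|by_dst>, count N, seconds S;
THRESHOLD_RE = re.compile(
    r'\s*threshold\s*:\s*type\s+(limit|threshold|both)\s*,\s*track\s+(by_src|by_dst)'
    r'\s*,\s*count\s+(\d+)\s*,\s*seconds\s+(\d+)\s*;')
SID_RE = re.compile(r'\bsid\s*:\s*(\d+)\s*;')
GID_RE = re.compile(r'\bgid\s*:\s*(\d+)\s*;')


def convert_rule(rule):
    """Strip the in-rule threshold and return (rule_without_threshold, event_filter_line).

    The in-rule threshold never took part in detection, so a standalone event_filter
    with the same type/track/count/seconds keeps the old behaviour. detection_filter is
    deliberately not used here: it gates detection itself and is not a drop-in replacement."""
    m = THRESHOLD_RE.search(rule)
    if not m:
        raise ValueError("rule has no in-rule threshold option")
    sid = SID_RE.search(rule)
    if not sid:
        raise ValueError("rule has no sid; event_filter needs gen_id and sig_id")
    gid = GID_RE.search(rule)
    gen_id = gid.group(1) if gid else "1"  # text rules default to generator id 1
    kind, track, count, seconds = m.groups()
    new_rule = rule[:m.start()] + rule[m.end():]
    event_filter = (f"event_filter gen_id {gen_id}, sig_id {sid.group(1)}, type {kind}, "
                    f"track {track}, count {count}, seconds {seconds}")
    return new_rule, event_filter


def convert_rules(lines):
    """Convert a whole rules file; rules without a threshold pass through unchanged.
    Returns (rule_lines, event_filter_lines); the filters belong in a separate file
    (e.g. threshold.conf), as Joel suggests, rather than back in the rules."""
    rules, filters = [], []
    for line in lines:
        if THRESHOLD_RE.search(line):
            new_rule, event_filter = convert_rule(line)
            rules.append(new_rule)
            filters.append(event_filter)
        else:
            rules.append(line)
    return rules, filters
```

Rules that lack a `sid` are rejected rather than silently passed through, because an `event_filter` cannot be attached without a `gen_id`/`sig_id` pair.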


Snort-sigs mailing list
Snort-sigs () lists sourceforge net
