Snort mailing list archives

Re: Using detection_filter instead of threshold
From: Joel Esler <jesler () sourcefire com>
Date: Wed, 27 Oct 2010 21:17:26 -0400

On Oct 27, 2010, at 9:06 PM, infosec posts wrote:
I guess I can understand the purpose and intent behind event_filter,
but I'm not clear on "why" for the forced removal of in-rule
thresholds.  It doesn't seem reasonable to me to force people into new
features/configurations just because they're there, and then say,
"write a patch to fix it yourself" in response to constructive
criticism.  I'm not a software dev, though; just a guy who now has
some extra work to do on his rulesets because of this decision.

We haven't forced anyone to remove it.  That's where the confusion in this thread is.  The misunderstanding *I think* is that it's still there, and you can still use it.  It's just not the preferred way of doing it.

We've created some new keywords, because the new keywords allow us to have additional functionality.  While we currently don't have the removal of in-rule threshold "limit" slated for a release (as far as I know), it is deprecated.  We still use it in over 500 of our own rules.
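Added example (not part of the thread, and not one of Sourcefire's rules): the same "one alert per source per minute" behaviour written the deprecated in-rule way and with the newer keywords Joel refers to, plus the in-rule detection_filter that replaces "type threshold". The sids 1000001/1000002 and the HTTP content are constructed placeholders.

```snort
# Deprecated form: the limit lives inside the rule body (still accepted, as the thread says)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"CONSTRUCTED example - old in-rule threshold"; \
    flow:to_server,established; content:"GET /example-path"; \
    threshold:type limit, track by_src, count 1, seconds 60; \
    sid:1000001; rev:1;)

# Preferred form, step 1: the rule itself carries no threshold keyword
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"CONSTRUCTED example - limit moved to event_filter"; \
    flow:to_server,established; content:"GET /example-path"; \
    sid:1000001; rev:2;)

# Preferred form, step 2: the limit is declared once in snort.conf (or threshold.conf)
# and keyed to the rule by gen_id/sig_id, so it can be tuned without editing the rule
event_filter gen_id 1, sig_id 1000001, type limit, track by_src, count 1, seconds 60

# detection_filter is the in-rule replacement for the old "type threshold":
# the rule fires only after a single source exceeds 5 matches within 60 seconds
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"CONSTRUCTED example - detection_filter"; \
    flow:to_server,established; content:"GET /example-path"; \
    detection_filter:track by_src, count 5, seconds 60; \
    sid:1000002; rev:1;)
```

Keep the event_filter and the rule it refers to in step with each other: if the sid changes, the filter silently stops applying.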

Snort-sigs mailing list
Snort-sigs () lists sourceforge net
