Snort mailing list archives

Re: Using detection_filter instead of threshold
From: infosec posts <infosec.posts () gmail com>
Date: Wed, 27 Oct 2010 20:44:59 -0500

Here's my "...and another thing!" email.  I would still be using
threshold in-rule, and not event_filter at all right now, but the old
rules I had with thresholds in them just...didn't threshold when I
moved to snort 2.8.6.  I had a couple of custom rules in particular
which generate a lot of alerts, so I had them thresholded down quite a
bit, and they got super noisy again when I rolled out 2.8.6, with no
changes to the rule.  It seemed that I *had* to use event_filter on
them to retain the functionality that I needed.

It seems that you're saying in-rule threshold is "deprecated but still
supported", but that wasn't my experience.  Maybe it was just me
(snort 2.8.6 on RHEL 5), but I wonder if others on the list saw the
same thing?

On Wed, Oct 27, 2010 at 8:21 PM, infosec posts <infosec.posts () gmail com> wrote:
It hasn't been forced yet, but this pretty clearly says that it is
going to be forced in short order, unless I'm completely misreading

* event_filter replaces the existing standalone threshold, which is now
 deprecated.  Furthermore, even though event_filter is an alias for threshold,
 which is allowed to appear in a rule (although that use is now also
 deprecated), event_filter will not be allowed in a rule.  **Such use will
 result in a fatal error during initialization.**

**Emphasis mine

There's no point in saying, "it's not broken yet" if you've already
said, "it's going to be broken soon."

On Wed, Oct 27, 2010 at 8:17 PM, Joel Esler <jesler () sourcefire com> wrote:
On Oct 27, 2010, at 9:06 PM, infosec posts wrote:
I guess I can understand the purpose and intent behind event_filter,
but I'm not clear on "why" for the forced removal of in-rule
thresholds.  It doesn't seem reasonable to me to force people into new
features/configurations just because they're there, and then say,
"write a patch to fix it yourself" in response to constructive
criticism.  I'm not a software dev, though; just a guy who now has
some extra work to do on his rulesets because of this decision.

We haven't forced anyone to remove it.  That's where the confusion in this thread is.  The misunderstanding *I think* is that it's still there, and you can still use it.  It's just not the preferred way of doing it.

We've created some new keywords, because the new keywords allow us to have additional functionality.  While we currently don't have the removal of in-rule threshold "limit" slated for a release (as far as I know), it is deprecated.  We still use it in over 500 of our own rules.
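As an added illustration, not taken from any message in this thread or from the Snort rule set, here is the in-rule `threshold` form the thread calls deprecated next to the migrated form, with the same limit moved into the Snort configuration as an `event_filter`; it also shows the `detection_filter` rule option that Snort's own documentation gives as the in-rule replacement for the old `type threshold` case. The rule content, sid numbers and counts are made up.

```snort
# Deprecated form: the threshold lives inside the rule.  Per the reply above it
# is still parsed (here on 2.8.6), but it is no longer the preferred way.
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXAMPLE SSH connection burst"; \
    flow:to_server,established; \
    threshold:type limit, track by_src, count 1, seconds 60; \
    classtype:misc-activity; sid:1000001; rev:1;)

# Migrated form: the rule keeps its detection logic and only loses the
# threshold option ...
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXAMPLE SSH connection burst"; \
    flow:to_server,established; \
    classtype:misc-activity; sid:1000001; rev:2;)

# ... and the same limit moves to snort.conf (or a threshold.conf included from
# it), keyed by the rule's gen_id/sig_id.  It must NOT be placed inside the rule:
# the README text quoted above says that is a fatal error at initialization.
event_filter gen_id 1, sig_id 1000001, type limit, track by_src, count 1, seconds 60

# For the old "type threshold" case (alert only once N events are seen in a
# window), the replacement is the detection_filter rule option, which stays in
# the rule body.  Made-up numbers: alert after 30 hits from one source in 60 s.
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXAMPLE SSH brute-force attempt"; \
    flow:to_server,established; \
    detection_filter:track by_src, count 30, seconds 60; \
    classtype:attempted-admin; sid:1000002; rev:1;)
```

Running `snort -T -c snort.conf` after the change validates that the config parses without the fatal error mentioned in the quoted README text.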


Snort-sigs mailing list
Snort-sigs () lists sourceforge net
