Home page logo

snort logo Snort mailing list archives

Re: Using detection_filter instead of threshold
From: infosec posts <infosec.posts () gmail com>
Date: Thu, 28 Oct 2010 08:19:31 -0500

I did some testing, and this rule works as expected:

alert tcp any -> 3389 (msg:"IDS Testing Rule -
Disregard"; classtype:not-suspicious; threshold: type limit, track
by_src, count 1, seconds 120; sid:9999999; rev:1;)

...which gives me one alert every two minutes for the duration of an
active RDP session.

However, when I do this:
alert tcp $HOME_NET any -> [,] any (msg:"IDS
Testing Rule - Disregard"; classtype:not-suspicious; threshold: type
limit, track by_src, count 1, seconds 120; sid:9999999; rev:2;)

I get one alert every 120 seconds *per TCP session*, so I get a pile
of alerts all at once for: ->  (at 10/28-07:55:05.413999) -> (at 10/28-07:55:05.709468) -> (at 10/28-07:55:14.114907)

I won't get alerts on those particular conversations again for another
120 seconds, but I still get alerts for each unique source/destination
stream.  Previously, the threshold would throttle down to what was
specified, which was 1 alert every two minutes, regardless if I
matched every packet that crossed the sensor, with multiple unique
sources and destinations.  It looks like in-rule thresholding is
applying to each stream that matches the rule now, instead of
squelching the rule itself (if that makes sense).

I suppose this won't be addressed, though, since in-rule thresholding
is deprecated now...

On Wed, Oct 27, 2010 at 10:06 PM, Joel Esler <jesler () sourcefire com> wrote:
On Oct 27, 2010, at 9:44 PM, infosec posts wrote:
Here's my, "...and another thing!" email.  I would still be using
threshold in-rule, and not event_filter at all right now, but the old
rules I had with thresholds in them just...didn't threshold when I
moved to snort 2.8.6.  I had a couple of custom rules in particular
which generate a lot of alerts, so I had them thresholded down quite a
bit, and they got super noisy again when I rolled out 2.8.6, with no
changes to the rule.  It seemed that I *had* to use event_filter on
them to retain the functionality that I needed.

It seems that you're saying in-rule threshold is "deprecated but still
supported", but that wasn't my experience.  Maybe it was just me
(snort 2.8.6 on RHEL 5), but I wonder if others on the list saw the
same thing?

I'd be interested as well.  It still works, as it's still in the code.


Nokia and AT&T present the 2010 Calling All Innovators-North America contest
Create new apps & games for the Nokia N8 for consumers in  U.S. and Canada
$10 million total in prizes - $4M cash, 500 devices, nearly $6M in marketing
Develop with Nokia Qt SDK, Web Runtime, or Java and Publish to Ovi Store 
Snort-sigs mailing list
Snort-sigs () lists sourceforge net

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]