Snort mailing list archives
Re: [Snort-users] threshold -- is it really deprecated?
From: Eoin Miller <eoin.miller () trojanedbinaries com>
Date: Sun, 22 Jan 2012 18:28:06 -0500
On 1/21/12 10:16 PM, Patrick Mullen wrote:
> Russ is also correct that it's rather a "tool chain" issue that we don't deliver an event_filter.conf that would possibly make this discussion not necessary. Change is scary, and the hassle of having to edit two files is not lost on me, but it really is the more flexible, more powerful, and less confusing way to do things. This is true if for no other reason than if you want to put an event_filter on a sid, you no longer need to search for that sid in your rules file. You just put it anywhere in event_filter.conf and be done with it. And now your local copy of the rule is not modified from the official version so if we update the rule's detection (or detection_filter) you don't need to worry about merging the new version of the rule with your updated logging filter.
>
> But in reality, it's actually even easier than this. Distributing an event_filter.conf has been put on a fairly low priority because snort supports global thresholds. Analyzing the rule set before we made this change, we found that the predominant "threshold: type limit" was to squelch malware alerts to once every minute or once every few minutes. By putting a global threshold within snort of one alert per minute per sid on a host on all rules achieves this goal.
Why not just allow both detection_filter/event_filter to be accessible from within a rule and if a user has specified a different detection_filter/event_filter in the conf file for that sid on that specific sensor it will override the setting in the rule. This way local settings take priority for users who want/need that and everyone else can still continue to leverage default settings provided to them instead of having to retune all these rules/added conf management overhead?

-- Eoin
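As an added illustration (not part of the thread), the same once-a-minute squelch written three ways: the deprecated in-rule threshold, the stand-alone event_filter that leaves the rule untouched, and the global filter Patrick describes. The sid 1000001, the rule content and the count values are made up for the example.

```snort
# 1. Legacy form: the logging limit lives inside the rule, so every rule
#    update from upstream has to be re-merged with the local edit.
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"EXAMPLE malware beacon"; \
    content:"beacon"; threshold:type limit, track by_src, count 1, seconds 60; \
    classtype:trojan-activity; sid:1000001; rev:1;)

# 2. Same rule, unmodified from upstream. detection_filter stays in the rule
#    because it is part of detection (fire only after 30 hits/min from a
#    source); the *logging* limit moves out to event_filter.conf.
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"EXAMPLE malware beacon"; \
    content:"beacon"; detection_filter:track by_src, count 30, seconds 60; \
    classtype:trojan-activity; sid:1000001; rev:2;)

# event_filter.conf, pulled in from snort.conf with
#   include event_filter.conf
# Log at most one alert per minute per source host for this sid.
event_filter gen_id 1, sig_id 1000001, type limit, track by_src, count 1, seconds 60

# 3. Global variant: sig_id 0 applies the limit to every rule of gen_id 1,
#    i.e. one alert per minute per sid per source host, with no per-rule edits.
event_filter gen_id 1, sig_id 0, type limit, track by_src, count 1, seconds 60

# A sensor-local exception for one sid is just another sid-specific line;
# Snort uses the sid-specific filter instead of the global one for that sid,
# which is the "local settings take priority" behaviour Eoin asks about.
event_filter gen_id 1, sig_id 1000001, type limit, track by_src, count 5, seconds 60
```

Snort refuses to start if two event_filters name the same gen_id/sig_id pair, so keep each sid-specific override in exactly one place.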
Current thread:
- threshold -- is it really deprecated? Joshua Kinard (Jan 20)
- Re: threshold -- is it really deprecated? Russ Combs (Jan 20)
- Re: threshold -- is it really deprecated? Eoin Miller (Jan 20)
 - Re: threshold -- is it really deprecated? Joshua Kinard (Jan 20)
- Re: threshold -- is it really deprecated? Russ Combs (Jan 21)
 - Re: threshold -- is it really deprecated? Patrick Mullen (Jan 21)
 - Re: [Snort-users] threshold -- is it really deprecated? Eoin Miller (Jan 22)
 - Re: [Snort-users] threshold -- is it really deprecated? elof (Jan 23)
 - Re: [Snort-users] threshold -- is it really deprecated? Joel Esler (Jan 23)
 - Re: [Snort-users] threshold -- is it really deprecated? Jason Brvenik (Jan 23)
 - Re: [Snort-users] threshold -- is it really deprecated? Joshua Kinard (Jan 23)
 - Re: [Snort-users] threshold -- is it really deprecated? Jason Brvenik (Jan 23)
 - Re: [Snort-users] threshold -- is it really deprecated? Martin Roesch (Jan 23)
 - Re: [Snort-devel] threshold -- is it really deprecated? Jim Hranicky (Jan 23)
 - Re: [Snort-users] threshold -- is it really deprecated? beenph (Jan 23)
 - Re: [Snort-devel] threshold -- is it really deprecated? Jason Brvenik (Jan 23)
 - Re: [Snort-users] threshold -- is it really deprecated? Joshua Kinard (Jan 23)
 - Re: threshold -- is it really deprecated? Russ Combs (Jan 20)