Snort mailing list archives

Local Rule Import Error - threshold (in rule) is deprecated; use detection_filter instead. in rule


From: "Full Name" <subaru279 () excite com>
Date: Mon, 08 May 2017 18:15:16 -0400

Greetings, I'm having issues performing local rule imports on my FirePOWER devices. It doesn't seem to like the
threshold filter and recommends that I use the detection_filter instead (see error below). Am I doing something wrong, or
is there a way to bypass or allow rule imports with the threshold filter?

Local Rule Import Error: "threshold (in rule) is deprecated; use detection_filter instead. in rule"  

Rule: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Discover Phishing Domain 
Feb 02 2017"; flow:to_server,established; content:"GET"; http_method; content:"discover.com"; http_header; 
fast_pattern; content:!"Referer|3a 20|"; http_header; content:!"discover.com|0d 0a|"; http_header; 
content:!"autodiscover"; http_header; pcre:"/^Host\x3a[^\r\n]+discover\.com[^\r\n]{20,}\r\n/Hmi"; threshold: type 
limit, count 1, track by_src, seconds 30; classtype:trojan-activity; sid:2023819; rev:2; metadata:affected_product 
Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 
2017_02_02, updated_at 2017_02_02;)

From the research it seems threshold filters are no longer supported. If so, why is it still being utilized? Thanks
http://manual-snort-org.s3-website-us-east-1.amazonaws.com/node35.html

Regards,
Mike
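
Background for the import error quoted above, as an added example that is not part of the original message and is not Snort or FirePOWER code: the Snort manual names two replacements for the in-rule threshold keyword, detection_filter inside a rule and event_filter as a standalone configuration line. A "type limit" threshold only rate-limits alerts, which is what event_filter does, while detection_filter sets a rate that must be exceeded before the rule fires at all, so this sketch removes the in-rule option and emits the matching event_filter line. The names convert, split_options and SAMPLE_RULE are made up here, and gen_id 1 is an assumption.

```python
import re

# Constructed sample: the rule quoted in the message, metadata option left out.
SAMPLE_RULE = (
    r'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible '
    r'Discover Phishing Domain Feb 02 2017"; flow:to_server,established; content:"GET"; '
    r'http_method; content:"discover.com"; http_header; fast_pattern; '
    r'content:!"Referer|3a 20|"; http_header; content:!"discover.com|0d 0a|"; http_header; '
    r'content:!"autodiscover"; http_header; pcre:"/^Host\x3a[^\r\n]+discover\.com[^\r\n]{20,}\r\n/Hmi"; '
    r'threshold: type limit, count 1, track by_src, seconds 30; classtype:trojan-activity; sid:2023819; rev:2;)'
)

def split_options(body):
    """Split the option body on ';', ignoring ';' inside quotes or after a backslash."""
    opts, cur, in_quote, escaped = [], "", False, False
    for ch in body:
        if ch == '"' and not escaped:
            in_quote = not in_quote
        if ch == ";" and not in_quote and not escaped:
            opts.append(cur.strip())
            cur = ""
        else:
            cur += ch
        escaped = (ch == "\\") and not escaped
    return [o for o in opts + [cur.strip()] if o]

def convert(rule, gid=1):
    """Return (rule without in-rule threshold, standalone event_filter line or None)."""
    m = re.match(r"^(.*?)\((.*)\)\s*$", rule.strip(), re.S)
    if not m:
        raise ValueError("no option body found")
    kept, thr, sid = [], None, None
    for opt in split_options(m.group(2)):
        name, _, value = opt.partition(":")
        if name.strip() == "threshold":  # "type limit, count 1" -> {"type": "limit", ...}
            thr = {k: v.strip() for k, v in (kv.split(None, 1) for kv in value.split(","))}
            continue
        sid = value.strip() if name.strip() == "sid" else sid
        kept.append(opt)
    new_rule = m.group(1) + "(" + " ".join(o + ";" for o in kept) + ")"
    if thr is None:
        return new_rule, None
    if sid is None:
        raise ValueError("threshold found but rule has no sid")
    return new_rule, (f"event_filter gen_id {gid}, sig_id {sid}, type {thr['type']}, "
                      f"track {thr['track']}, count {thr['count']}, seconds {thr['seconds']}")

if __name__ == "__main__":
    print(*convert(SAMPLE_RULE), sep="\n")
```

The emitted event_filter line belongs in the Snort configuration rather than in the rule file; how a managed sensor accepts it depends on the platform.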

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net