Snort mailing list archives
Re: Local Rule Import Error - threshold (in rule) is deprecated; use detection_filter instead. in rule
From: Sergio Fenech <sergiofenech () live com>
Date: Tue, 9 May 2017 07:24:27 +0000
Guys please can you get me out of this email chain??
On 09/05/2017, 00:26, "Joel Esler (jesler)" <jesler () cisco com> wrote:
Well, first, this rule isn’t an official rule, this is an Emerging Threats rule. We don’t use any threshold
keywords in the official ruleset (that comes on your firepower device). We use detection_filter.
I am not sure why ET hasn’t switched to detection_filter. They certainly should.
--
Joel Esler | Talos: Manager | jesler () cisco com
On May 8, 2017, at 6:15 PM, Full Name <subaru279 () excite com> wrote:
Greetings, I'm having issues performing local rule imports on my FirePOWER devices. It doesn't seem to like the
threshold filter and recommends me to use the detection_filter instead (See error below). Am I doing something wrong or
is there a way to bypass or allow rule imports with the threshold filter?
Local Rule Import Error: "threshold (in rule) is deprecated; use detection_filter instead. in rule"
Rule: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Discover Phishing
Domain Feb 02 2017"; flow:to_server,established; content:"GET"; http_method;
content:"discover.com"; http_header; fast_pattern; content:!"Referer|3a 20|"; http_header;
content:!"discover.com|0d 0a|"; http_header; content:!"autodiscover"; http_header;
pcre:"/^Host\x3a[^\r\n]+discover\.com[^\r\n]{20,}\r\n/Hmi"; threshold: type limit, count 1, track by_src, seconds 30;
classtype:trojan-activity; sid:2023819; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint,
deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_02_02, updated_at 2017_02_02;)
From the research it seems Threshold filters are no longer supported. If so, why is it still being utilized? Thanks
http://manual-snort-org.s3-website-us-east-1.amazonaws.com/node35.html
Regards,
Mike
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
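
Added example, not part of the thread and not Snort or Emerging Threats code: the in-rule threshold option in the rule quoted above only limits how often the alert is logged, which Snort 2.9 expresses as a standalone event_filter line, whereas detection_filter changes when the rule matches. The script strips the in-rule option and emits the equivalent event_filter; migrate_rule, find_threshold and the shortened SAMPLE rule are names assumed for illustration, and how the filter is applied on a FirePOWER device is not covered by the thread.

```python
import re

# Skips quoted strings (msg, content, pcre) so only a real option matches.
OPTION_RE = re.compile(r'"(?:\\.|[^"\\])*"|\s*\bthreshold\s*:\s*([^;]+);')
SID_RE = re.compile(r'\bsid\s*:\s*(\d+)\s*;')
GID_RE = re.compile(r'\bgid\s*:\s*(\d+)\s*;')

# Shortened copy of the rule quoted in the thread (constructed sample input).
SAMPLE = ('alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS '
          '(msg:"ET CURRENT_EVENTS Possible Discover Phishing Domain Feb 02 2017"; '
          'flow:to_server,established; content:"discover.com"; http_header; '
          'threshold: type limit, count 1, track by_src, seconds 30; '
          'classtype:trojan-activity; sid:2023819; rev:2;)')


def find_threshold(rule):
    """Return the match for an in-rule threshold option, or None."""
    for m in OPTION_RE.finditer(rule):
        if m.group(1) is not None:
            return m
    return None


def migrate_rule(rule):
    """Return (rule without in-rule threshold, event_filter line or None)."""
    m = find_threshold(rule)
    if m is None:
        return rule, None
    # The option holds comma-separated "key value" pairs in any order.
    params = {}
    for part in m.group(1).split(','):
        key, _, value = part.strip().partition(' ')
        params[key] = value.strip()
    missing = {'type', 'track', 'count', 'seconds'} - params.keys()
    if missing:
        raise ValueError('threshold lacks: ' + ', '.join(sorted(missing)))
    sid = SID_RE.search(rule)
    if sid is None:
        raise ValueError('rule has no sid to bind an event_filter to')
    gid = GID_RE.search(rule)  # text rules default to generator id 1
    event_filter = ('event_filter gen_id {}, sig_id {}, type {}, track {}, '
                    'count {}, seconds {}').format(
        gid.group(1) if gid else '1', sid.group(1), params['type'],
        params['track'], params['count'], params['seconds'])
    return rule[:m.start()] + rule[m.end():], event_filter


if __name__ == '__main__':
    for line in migrate_rule(SAMPLE):
        print(line)
```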
