Re: (no subject)

[Paul O'Brien via Snort-users <snort-users () lists snort org>]

Yes, ok, my bad. I just got done looking at the rule in my snort rules file and understand what you are saying now. So, 
how do you change the threshold specs from within the rule itself?  Each night I download the rules, my changes will be 
overwritten no?

Thanks,
Dan

"Better is a poor man who walks in his integrity than a rich man who is crooked in his ways." - Proverbs 28:6

Sent from my iPhone

> On Oct 2, 2017, at 11:55 AM, Russ <rucombs () cisco com> wrote:
>
> A quick search turns up this rule which already has a threshold.  Note that in-rule thresholds are deprecated and 
> equivalent to stand-alone event_filters and that you can have at most one.
>
> alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY iTunes User Agent"; flow:established,to_server; 
> content:"iTunes"; nocase; http_user_agent; depth:6; threshold: type limit, count 1,seconds 360, track by_src; 
> reference:url,hcsoftware.sourceforge.net/jason-rohrer/itms4all/; reference:url,doc.emergingthreats.net/2002878; 
> classtype:policy-violation; sid:2002878; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
>
> > On 10/2/17 11:21 AM, Paul O'Brien wrote:
> > The line in question is the only line I have added to threshold.conf pertaining to that sig id 
> >
> > Thanks,
> > Dan
> >
> > "Better is a poor man who walks in his integrity than a rich man who is crooked in his ways." - Proverbs 28:6
> >
> > Sent from my iPhone
> >
> > > > On Oct 2, 2017, at 11:16 AM, Russ <rucombs () cisco com> wrote:
> > > >
> > > > That is saying there is already another one for that rule.  Is there another event_filter for that rule in your 
> > > > conf?  Or does that rule have an in-rule threshold?  That also counts.
> > > >
> > > > > On 10/2/17 10:35 AM, Paul O'Brien wrote:
> > > > > Could not create threshold - only one per sig_id=2002878.
> > > > >
> > > > > I only have one rule, the one in question, for sig Id 2002878.
> > > > >
> > > > > Thanks,
> > > > > Dan
> > > > >
> > > > > "Better is a poor man who walks in his integrity than a rich man who is crooked in his ways." - Proverbs 28:6
> > > > >
> > > > > Sent from my iPhone
> > > > >
> > > > > > On Oct 2, 2017, at 9:15 AM, Russ <rucombs () cisco com> wrote:
> > > > > >
> > > > > > That looks OK.  Please send the error you are seeing.
> > > > > >
> > > > > > On 9/30/17 6:13 PM, Paul O'Brien via Snort-users wrote:
> > > > > > Why is this causing an error and keeping snort from starting?  I want to suppress all errors under a 2 count per 
> > > > > > minute per ip
> > > > > >
> > > > > > event_filter gen_id 1, sig_id 2002878, type both, track by_src, count 2, seconds 60
> > > > > >
> > > > > > Thanks,
> > > > > > Dan
> > > > > >
> > > > > >
> > > > > > "Better is a poor man who walks in his integrity than a rich man who is crooked in his ways." - Proverbs 28:6
> > > > > >
> > > > > > Sent from my iPhone
> > > > > > _______________________________________________
> > > > > > Snort-users mailing list
> > > > > > Snort-users () lists snort org
> > > > > > Go to this URL to change user options or unsubscribe:
> > > > > > https://lists.snort.org/mailman/listinfo/snort-users
> > > > > >
> > > > > > Please visit http://blog.snort.org to stay current on all the latest Snort news!
_______________________________________________
Snort-users mailing list
Snort-users () lists snort org
Go to this URL to change user options or unsubscribe:
https://lists.snort.org/mailman/listinfo/snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!