List: snort-sigs
Subject: Re: [Snort-sigs] Flowbits and threshold
From: Dheeraj Gupta <dheeraj.gupta4 () gmail ! com>
Date: 2011-09-14 16:14:25
Message-ID: CAOsL98MUig9kE9v-xUi1HPkQLEg0U7nHizFGgDUQvMhKdPpQSA () mail ! gmail ! com
Hi,
Thanks for clearing that up. So if I need a rule to fire only when a
previous rule (based on threshold) generates an alert, I will need to keep
the thresholds of both the alerts in sync. Right? Or is there any other (and
simpler) way?
Regards,
Dheeraj
On Wed, Sep 14, 2011 at 1:37 PM, Jason Wallace <jason.r.wallace@gmail.com> wrote:
> I believe threshold/suppression only affects the alerting mechanism.
> For example, if you have a rule that sets a threshold of one alert in
> 60 seconds and that rule is set to drop, I believe any packet that
> matches the rule will be dropped, regardless of the threshold. This is
> probably the same for setting a flowbit.
>
> On Wed, Sep 14, 2011 at 1:03 AM, Dheeraj Gupta <dheeraj.gupta4@gmail.com> wrote:
> > Hi,
> > I was wondering how flowbits are interpreted in a rule that has threshold
> > keywords.
> > Suppose I have a rule that checks if my proxy has just denied a request to
> > user-
> > alert tcp any 8080 -> any any (msg:"Proxy Denies";
> > content:"ERR_CACHE_ACCESS_DENIED"; http_header; threshold:type
> > threshold, track by_dst, count 60, seconds 60;
> > flowbits:set,proxy.deny; flowbits:noalert; sid:1000010; rev:1;)
> > Since I want to log the packet that shows what URL the user was trying to
> > access, I write the following rule to log one packet only for a denied
> > request exceeding threshold-
> > alert tcp any 8080 -> any any (msg:"Proxy Access Denied";
> > flowbits:isset,proxy.deny; content:"While trying to retrieve the
> > URL:",nocase; flowbits:unset,proxy.deny; threshold:type threshold, track
> > by_dst, count 60, seconds 60; sid:1000011; rev:1;)
> >
> > Is the flowbit set when the first packet with ERR_CACHE_ACCESS_DENIED is
> > seen or when the threshold is passed?
> > Also if I do not put the threshold limit in second rule and allow first
> > rule to also generate alerts, I get about 60 alerts from second rule for each
> > alert of first rule. Since I unset the flowbit after the second rule
> > fires, shouldn't the second rule quieten down till the next time threshold is
> > breached?
> > I can't use tag because the background script (that processes these
> > alerts) expects only one packet per alert and also since docs say that tag
> > doesn't work great with database output plugin.
> >
> > Regards,
> > Dheeraj
--
To iterate is human.To recurse, divine!
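As an added example (not code from the thread or from Snort itself), a small Python model of the reading Jason gives above: content and flowbits options are evaluated on every matching packet, while threshold only filters the resulting events. The per-dst window bookkeeping, the constructed traffic and the single-segment error page are all assumptions of this model; it shows why sid:1000011 fires once per denial when it carries no threshold, and that the threshold on sid:1000010 changes nothing because flowbits:noalert already suppresses that rule's events, so keeping the two thresholds in sync is not needed.

```python
from dataclasses import dataclass, field

@dataclass
class Threshold:
    """threshold:type threshold, track by_dst, count N, seconds S (constructed model)"""
    count: int
    seconds: int
    state: dict = field(default_factory=dict)   # dst -> [window_start, hits]

    def allow(self, dst, ts):
        start, hits = self.state.get(dst, [ts, 0])
        if ts - start >= self.seconds:          # window expired: start a new one
            start, hits = ts, 0
        hits += 1
        if hits >= self.count:                  # log every N-th event in the window
            self.state[dst] = [start, 0]
            return True
        self.state[dst] = [start, hits]
        return False

def simulate(packets, rule2_threshold=None):
    """Return the sids logged. Each packet is (flow, dst, ts, payload)."""
    flowbits = set()                            # (flow, name) pairs currently set
    logged = []
    for flow, dst, ts, payload in packets:
        # sid:1000010 sets the bit on every match; flowbits:noalert means it never
        # produces an event, so the threshold on that rule never comes into play.
        if b"ERR_CACHE_ACCESS_DENIED" in payload:
            flowbits.add((flow, "proxy.deny"))
        # sid:1000011: isset, nocase content, unset, then the threshold filter
        if ((flow, "proxy.deny") in flowbits
                and b"while trying to retrieve the url:" in payload.lower()):
            flowbits.discard((flow, "proxy.deny"))
            if rule2_threshold is None or rule2_threshold.allow(dst, ts):
                logged.append(1000011)
    return logged

# Constructed traffic: 120 denials to one client in 20 s, one TCP session each,
# with the error header and the error page body in the same segment.
DENIED = [(f"flow{i}", "10.0.0.5", i // 6,
           b"X-Squid-Error: ERR_CACHE_ACCESS_DENIED\r\n\r\n"
           b"While trying to retrieve the URL: http://example.test/")
          for i in range(120)]

def alerts_without_threshold():
    return len(simulate(DENIED))                      # 120: one per denial

def alerts_with_threshold():
    return len(simulate(DENIED, Threshold(60, 60)))   # 2: one per 60 denials
```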