List:       snort-sigs
Subject:    Re: [Snort-sigs] Question About Threshholds
From:       Alex Kirk <akirk () sourcefire ! com>
Date:       2013-03-20 21:36:08
Message-ID: CABed_ZcqLn=kjXBNYzKOBCPPNXX0Ez_MB9nY1FLw9SmyKhRDjQ () mail ! gmail ! com

First of all, the "threshold" keyword is deprecated in favor of
"detection_filter".

That said, detection_filter depends on whether you're running the rule as
an "alert" or "drop" rule. In both cases, you won't actually get an event
until you reach the threshold specified by the keyword; if it's a drop sig,
it won't begin to drop until that point in time, either - but will continue
dropping packets until the timeout on the keyword is reached. For example,
"detection_filter:track by_src, count 10, seconds 30" would just be
incrementing an internal counter until the 10th matching packet, which
would then be dropped; if that occurred at, say, 5 seconds after the 1st
matching packet, any packets matching the rule for the next 25 seconds
would be dropped and would generate an event. At second 30.00000001, the
counter is reset and you start from scratch.

You may also want to look at event_filter (
http://manual.snort.org/node19.html#event_filtering), which only impacts
the number of events generated. That's probably closer to what you want,
given that you were using "limit" from the "threshold" keyword. Note,
however, that event_filters are specified outside of the rule itself, in
your snort.conf.


On Wed, Mar 20, 2013 at 11:40 AM, Miso Patel <miso.patel@gmail.com> wrote:

> I apologize for a simple question but I was hoping for some clarity on a
> situation from my engineers.
>
> If a Snort signature is threshold (using the "limit" option), does this
> just limit alerts and does the dropping of this traffic if this rule is
> written to drop and the Snort is in "IPS mode" still happen even if the
> threshold is causing not all alerts to be generated?
>
> I think it does but the Snort manual does not make this clear or I am not
> reading the right pages.
>
> Thanks.
>
> -Miso, CISO
>



-- 
Alex Kirk
AEGIS Program Lead
Sourcefire Vulnerability Research Team
+1-410-423-1937
alex.kirk@sourcefire.com
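The behaviour Alex describes (detection_filter staying silent until the Nth match in the window, then firing on every match until the window expires; event_filter "limit" logging the first N events and suppressing the rest) is easy to misread, so here is an added toy model of both keywords. This is example code written for this page, not Snort's source and not anything from the thread; the window and reset rules follow the explanation in the reply, and the packet stream and addresses are constructed for the illustration.

```python
"""Toy model of Snort's detection_filter and event_filter (type limit) behaviour,
as described in the reply above. Not Snort code: the window opens on the first
hit per source and resets once more than `seconds` have elapsed since then."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

Packet = Tuple[float, str]  # (timestamp in seconds, source address)

# Constructed packet stream (not a capture). Source 10.0.0.5 sends 12 matching
# packets half a second apart, three more inside the 30 s window, then two after
# it; source 10.0.0.9 sends only two packets and never reaches the count.
PACKETS: List[Packet] = sorted(
    [(0.5 * i, "10.0.0.5") for i in range(12)]
    + [(10.0, "10.0.0.5"), (20.0, "10.0.0.5"), (29.9, "10.0.0.5")]
    + [(30.1, "10.0.0.5"), (31.0, "10.0.0.5")]
    + [(1.0, "10.0.0.9"), (2.0, "10.0.0.9")]
)


@dataclass
class WindowCounter:
    """Per-key hit counter: the window starts at the first hit and the counter
    is reset when a hit arrives more than `seconds` after that first hit."""
    seconds: float
    state: Dict[str, Tuple[float, int]] = field(default_factory=dict)

    def hit(self, key: str, ts: float) -> int:
        start, hits = self.state.get(key, (None, 0))
        if start is None or ts - start > self.seconds:
            start, hits = ts, 0          # window expired: start from scratch
        hits += 1
        self.state[key] = (start, hits)
        return hits


class DetectionFilter:
    """detection_filter: track by_src, count N, seconds S.
    Silent until the N-th match in the window, then fires on that packet and
    on every further match until the window expires."""
    def __init__(self, count: int, seconds: float):
        self.count, self.win = count, WindowCounter(seconds)

    def fires(self, src: str, ts: float) -> bool:
        return self.win.hit(src, ts) >= self.count


class EventFilterLimit:
    """event_filter type limit, track by_src, count N, seconds S.
    Logs the first N events per source in the window and suppresses the rest."""
    def __init__(self, count: int, seconds: float):
        self.count, self.win = count, WindowCounter(seconds)

    def logs(self, src: str, ts: float) -> bool:
        return self.win.hit(src, ts) <= self.count


def simulate(decide: Callable[[str, float], bool], packets: List[Packet]) -> List[Packet]:
    """Return the packets for which decide(src, ts) is true, in arrival order."""
    return [(ts, src) for ts, src in packets if decide(src, ts)]


def ips_pipeline(det: DetectionFilter, evt: EventFilterLimit,
                 packets: List[Packet]) -> Tuple[List[Packet], List[Packet]]:
    """A drop rule carrying a detection_filter, with an event_filter applied to
    its events. As the reply states, the event_filter only trims what is
    logged; every packet the rule fires on is still dropped."""
    dropped, logged = [], []
    for ts, src in packets:
        if det.fires(src, ts):
            dropped.append((ts, src))
            if evt.logs(src, ts):
                logged.append((ts, src))
    return dropped, logged


if __name__ == "__main__":
    print("detection_filter fires on:", simulate(DetectionFilter(10, 30).fires, PACKETS))
    print("event_filter limit logs:  ", simulate(EventFilterLimit(1, 60).logs, PACKETS))
    d, l = ips_pipeline(DetectionFilter(10, 30), EventFilterLimit(1, 60), PACKETS)
    print(f"IPS: dropped {len(d)} packets, logged {len(l)} event(s)")
```

Running it shows the contrast: with `count 10, seconds 30` the rule fires on the 10th packet from 10.0.0.5 at 4.5 s and on every match up to 29.9 s, then the packet at 30.1 s starts a fresh count and stays silent; a `limit` event_filter does the opposite, logging only the first event per source. Put together in the IPS pipeline, six packets are dropped while a single event is logged, which is the answer to the question in the quoted message: limiting events does not limit drops.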
