[Oisf-users] Global thresholds and event filters

Duane Howard duane.security at gmail.com
Tue Jul 14 15:14:20 UTC 2015

Hey, I currently have a line in my threshold.conf that looks like:
event_filter gen_id 0, sig_id 0, type limit, track by_dst, count 20,
seconds 60

It's primarily there as a safeguard against Snort/Suricata blowing up our
analysis pipeline if a bad rule gets pushed, so not critical.

However, when loading Suri I get lots of warnings for each rule that has an
event filter set:

13/7/2015 -- 22:44:07 - <Warning> - [ERRCODE: SC_ERR_EVENT_ENGINE(210)] -
signature sid:2807051 has an event var set.  The signature event var is
given precedence over the threshold.conf one.  We'll change this in the
future though.

rule in question:
alert http any any -> $HTTP_SERVERS any (msg:"ETPRO TROJAN DoS DirtJumper
bot DDOS attack"; flow:established,from_client;
ru-RU,ru|3b|q=0.8,en-US|3b|q=0.5,en|3b|q=0.3|0d 0a|"; http_header;
content:"Referer|3a|"; http_header; pcre:"/Referer\x3a
http\x3a\/\/([a-z]*\d){4}[a-z0-9]*(\.[a-z]+){1,2}/H"; detection_filter:
track by_src, count 2, seconds 1; classtype:attempted-dos; sid:2807051;

Is this the correct behavior? Shouldn't a global filter be considered
regardless of whether an event filter is set in a rule?
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20150714/273afbde/attachment.html>

More information about the Oisf-users mailing list