[Oisf-users] Global thresholds and event filters
Duane Howard
duane.security at gmail.com
Tue Jul 14 15:14:20 UTC 2015
Hey, I currently have a line in my threshold.conf that looks like:
event_filter gen_id 0, sig_id 0, type limit, track by_dst, count 20, seconds 60
It's primarily there as a safeguard against Snort/Suricata blowing up our
analysis pipeline if a bad rule gets pushed, so not critical.
However, when loading Suri I get lots of warnings for each rule that has an
event filter set:
13/7/2015 -- 22:44:07 - <Warning> - [ERRCODE: SC_ERR_EVENT_ENGINE(210)] - signature sid:2807051 has an event var set. The signature event var is given precedence over the threshold.conf one. We'll change this in the future though.
rule in question:
alert http any any -> $HTTP_SERVERS any (msg:"ETPRO TROJAN DoS DirtJumper bot DDOS attack"; flow:established,from_client;
    content:"Accept-Language|3a| ru-RU,ru|3b|q=0.8,en-US|3b|q=0.5,en|3b|q=0.3|0d 0a|"; http_header;
    content:"Referer|3a|"; http_header;
    pcre:"/Referer\x3a http\x3a\/\/([a-z]*\d){4}[a-z0-9]*(\.[a-z]+){1,2}/H";
    detection_filter: track by_src, count 2, seconds 1;
    classtype:attempted-dos; sid:2807051; rev:4;)
Is this the correct behavior? Shouldn't a global filter be considered
regardless of whether an event filter is set in a rule?
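The following is an added illustration, not code from the poster or from Suricata itself. It models the two filters in this message with the documented semantics (detection_filter: alert only on matches after the first `count` from the same source within `seconds`; event_filter type limit: log at most `count` alerts per destination per `seconds`), and shows the difference between the precedence the warning describes (a rule with its own filter is exempt from threshold.conf) and stacking both filters as the post expects. Window handling (fixed window starting at the first match, tracked per signature and host) is a simplification of Suricata's per-host threshold entries, the traffic is constructed, and sid 2000001 stands for a hypothetical rule that carries no detection_filter.

```python
"""Model of the two Suricata rate filters named in the post.

Added illustration, not Suricata's code.  Documented semantics modelled:

  detection_filter: track by_src, count 2, seconds 1
      (rule option) alert on every match *after* `count` matches from the
      same source inside a `seconds` window; the first `count` stay silent.

  event_filter gen_id 0, sig_id 0, type limit, track by_dst, count 20, seconds 60
      (threshold.conf) log at most `count` alerts per destination per
      `seconds` window and drop the rest.

Window bookkeeping (window starts at the first match, restarts when it
expires, tracked per (sid, host)) is a simplification of Suricata's
per-host threshold entries, assumed here for the illustration.
"""
from collections import namedtuple

# Constructed alert event, not a Suricata log record.
Event = namedtuple("Event", "ts sid src dst")


class _Window:
    """Shared fixed-window counter keyed by (sid, tracked host)."""

    def __init__(self, count, seconds, track):
        self.count, self.seconds, self.track = count, seconds, track
        self.state = {}  # (sid, host) -> (window_start, matches_in_window)

    def _bump(self, ev):
        host = ev.src if self.track == "by_src" else ev.dst
        key = (ev.sid, host)
        start, n = self.state.get(key, (None, 0))
        if start is None or ev.ts - start >= self.seconds:
            start, n = ev.ts, 0  # first match, or window expired: restart
        n += 1
        self.state[key] = (start, n)
        return n


class DetectionFilter(_Window):
    """Rule option: pass only matches beyond `count` in the window."""

    def passes(self, ev):
        return self._bump(ev) > self.count


class LimitFilter(_Window):
    """event_filter type limit: pass only the first `count` in the window."""

    def passes(self, ev):
        return self._bump(ev) <= self.count


def logged_alerts(events, rule_filters, global_limit, signature_precedence):
    """Return the events that would reach the alert log.

    rule_filters: {sid: DetectionFilter} for rules carrying detection_filter.
    signature_precedence=True models what the warning in the post says
    Suricata does: a rule with its own filter is not also subject to the
    threshold.conf entry.  False models stacking both filters, the
    behaviour the post asks for.
    """
    logged = []
    for ev in events:
        rule_filter = rule_filters.get(ev.sid)
        if rule_filter is not None:
            if not rule_filter.passes(ev):
                continue
            if signature_precedence:
                logged.append(ev)
                continue
        if global_limit.passes(ev):
            logged.append(ev)
    return logged


def flood(n, sid, src="10.0.0.9", dst="192.0.2.10", step=0.01):
    """Constructed input: n matches of one rule, `step` seconds apart."""
    return [Event(round(i * step, 3), sid, src, dst) for i in range(n)]


def count_logged(n_matches, sid, signature_precedence):
    """Build fresh (stateful) filters, run a flood, return alerts logged."""
    rule_filters = {2807051: DetectionFilter(count=2, seconds=1, track="by_src")}
    global_limit = LimitFilter(count=20, seconds=60, track="by_dst")
    return len(logged_alerts(flood(n_matches, sid), rule_filters,
                             global_limit, signature_precedence))


if __name__ == "__main__":
    # 2000001 is a hypothetical sid with no detection_filter of its own.
    for sid in (2807051, 2000001):
        for prec in (True, False):
            print(f"sid {sid}, 300 matches in 3 s, signature precedence={prec}: "
                  f"{count_logged(300, sid, prec)} alerts logged")
```

With signature precedence, a 300-match flood of sid 2807051 from one source produces 294 alerts (98 per one-second window, the global 20-per-minute ceiling never applied); with both filters stacked, the same flood is capped at 20, which is the safeguard the threshold.conf line was meant to provide. A rule without its own detection_filter is capped at 20 either way.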