[Oisf-users] Global thresholds and event filters

Cooper F. Nelson cnelson at ucsd.edu
Wed Jul 15 15:35:13 UTC 2015



I would say no, as there are rules that use the threshold as a detection
mechanism:

> alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"ET SCAN Behavioral Unusually fast Terminal Server Traffic, Potential Scan or Infection (Inbound)";  flags: S,12; threshold: type both, track by_src, count 20, seconds 360; reference:url,doc.emergingthreats.net/2001972; classtype:network-scan; sid:2001972; rev:18;)

... so you probably don't want to override the defaults in this case.

I personally have a pretty convoluted process that involves tagging
rules like this so they don't get overwritten by our oinkmaster
configuration.

-Coop

On 7/14/2015 8:14 AM, Duane Howard wrote:
> Is this the correct behavior? Shouldn't a global filter be considered
> regardless of whether an event filter is set in a rule?


-- 
Cooper Nelson
Network Security Analyst
UCSD ACT Security Team
cnelson at ucsd.edu x41042
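The point of the reply above is that for a rule like sid 2001972 the threshold is not noise control but the detection logic itself: 20 inbound SYNs to 3389 from one source inside 360 seconds is what "unusually fast" means. The following script is an added example (not code from the thread, Suricata or Emerging Threats) that parses the threshold keyword out of rules so you can list which SIDs carry their own threshold (the ones to tag and exempt from a blanket global setting, as the poster describes doing), and then replays constructed traffic through a small model of `type both` to show how the rule fires once for a fast burst and never for a slow trickle. The second rule (sid 9000001), the IP addresses and the timestamps are constructed for the example.

```python
import re

# Constructed sample rules: the ET rule quoted in the thread (sid 2001972) and
# a hypothetical rule without a threshold keyword (sid 9000001 is made up).
SAMPLE_RULES = [
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"ET SCAN Behavioral '
    'Unusually fast Terminal Server Traffic, Potential Scan or Infection '
    '(Inbound)";  flags: S,12; threshold: type both, track by_src, count 20, '
    'seconds 360; reference:url,doc.emergingthreats.net/2001972; '
    'classtype:network-scan; sid:2001972; rev:18;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"HYPOTHETICAL SSH SYN"; '
    'flags:S,12; classtype:not-suspicious; sid:9000001; rev:1;)',
]

THRESHOLD_RE = re.compile(r'\bthreshold\s*:\s*([^;]+);')
SID_RE = re.compile(r'\bsid\s*:\s*(\d+)\s*;')


def parse_threshold(rule):
    """Return the rule's threshold options as a dict, or None if the rule has
    no threshold keyword (the case where a global threshold.config entry
    is the only threshold in play)."""
    m = THRESHOLD_RE.search(rule)
    if m is None:
        return None
    opts = {}
    for part in m.group(1).split(','):
        key, _, value = part.strip().partition(' ')
        value = value.strip()
        opts[key] = int(value) if value.isdigit() else value
    return opts


def rule_thresholds(rules):
    """Map sid -> threshold options (None when absent) for a list of rules."""
    out = {}
    for rule in rules:
        sid = SID_RE.search(rule)
        if sid is None:
            continue  # skip lines that are not parseable rules
        out[int(sid.group(1))] = parse_threshold(rule)
    return out


def sids_with_rule_threshold(rules):
    """SIDs whose rule carries its own threshold, i.e. the ones to tag so a
    blanket global threshold or a rule-management tool does not clobber them."""
    return sorted(sid for sid, t in rule_thresholds(rules).items() if t is not None)


class ThresholdBoth:
    """Minimal model of 'threshold: type both': per tracked key, alert at most
    once per `seconds` window, and only once `count` events were seen in it."""

    def __init__(self, count, seconds):
        self.count = count
        self.seconds = seconds
        self._state = {}  # key -> [window_start, events_in_window, fired]

    def feed(self, key, ts):
        """Record one matching packet for `key` at time `ts`; True if it alerts."""
        st = self._state.get(key)
        if st is None or ts - st[0] >= self.seconds:
            st = [ts, 0, False]  # (re)start the window for this key
            self._state[key] = st
        st[1] += 1
        if st[1] >= self.count and not st[2]:
            st[2] = True  # one alert per window, then stay quiet
            return True
        return False


def alerts_for(thr_opts, events):
    """Replay (src_ip, timestamp) events through the parsed threshold and
    return the number of alerts raised per source."""
    model = ThresholdBoth(thr_opts['count'], thr_opts['seconds'])
    counts = {}
    for src, ts in events:
        if model.feed(src, ts):
            counts[src] = counts.get(src, 0) + 1
    return counts


# Constructed traffic: a fast SYN burst (one per second) and a slow trickle
# (one every 50 seconds), 25 packets each.
FAST_SCAN = [('10.0.0.1', t) for t in range(25)]
SLOW_PROBE = [('10.0.0.2', t * 50) for t in range(25)]

if __name__ == '__main__':
    thresholds = rule_thresholds(SAMPLE_RULES)
    print('rules carrying their own threshold:', sids_with_rule_threshold(SAMPLE_RULES))
    print('alerts per source:', alerts_for(thresholds[2001972], FAST_SCAN + SLOW_PROBE))
```

Running it lists 2001972 as the only SID with a rule-level threshold and reports a single alert for 10.0.0.1 and none for 10.0.0.2: the slow source never accumulates 20 SYNs inside any 360-second window, which is exactly the behaviour the rule author relies on and why replacing that threshold with a global one would change what the rule detects rather than just how often it reports.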


