[Oisf-users] Global thresholds and event filters

Victor Julien lists at inliniac.net
Thu Jul 16 10:07:39 UTC 2015


On 07/14/2015 05:14 PM, Duane Howard wrote:
> Hey, I currently have a line in my threshold.conf that looks like:
> event_filter gen_id 0, sig_id 0, type limit, track by_dst, count 20,
> seconds 60
> 
> It's primarily there as a safeguard against Snort/Suricata blowing up
> our analysis pipeline if a bad rule gets pushed, so not critical.
> 
> However, when loading Suri I get lots of warnings for each rule that has
> an event filter set:
> 
> 13/7/2015 -- 22:44:07 - <Warning> - [ERRCODE: SC_ERR_EVENT_ENGINE(210)]
> - signature sid:2807051 has an event var set.  The signature event var
> is given precedence over the threshold.conf one.  We'll change this in
> the future though.
> 
> rule in question:
> alert http any any -> $HTTP_SERVERS any (msg:"ETPRO TROJAN DoS
> DirtJumper bot DDOS attack"; flow:established,from_client;
> content:"Accept-Language|3a|
> ru-RU,ru|3b|q=0.8,en-US|3b|q=0.5,en|3b|q=0.3|0d 0a|"; http_header;
> content:"Referer|3a|"; http_header; pcre:"/Referer\x3a
> http\x3a\/\/([a-z]*\d){4}[a-z0-9]*(\.[a-z]+){1,2}/H"; detection_filter:
> track by_src, count 2, seconds 1; classtype:attempted-dos; sid:2807051;
> rev:4;)
> 
> Is this the correct behavior? Shouldn't a global filter be considered
> regardless of whether an event filter is set in a rule?
> 

Ideally yes, but this is a limitation of the current implementation.
We're tracking progress here
https://redmine.openinfosecfoundation.org/issues/425

-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
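A small audit script for the situation discussed in this thread, added here as an example (it is not from the thread or the Suricata project): given the text of a threshold.conf and a rules file, it lists the global gen_id 0 / sig_id 0 event_filter entries and the sids whose own detection_filter or threshold keyword takes precedence over them, so you can see which rules a global safeguard does not actually cover. The threshold.conf and rule lines below are constructed samples, and the parser assumes one rule per line.

```python
import re

# Constructed sample inputs (not the files from the thread).
THRESHOLD_CONF = """\
# global safeguard: at most 20 alerts per destination per minute, for every rule
event_filter gen_id 0, sig_id 0, type limit, track by_dst, count 20, seconds 60
"""

RULES = """\
alert http any any -> $HTTP_SERVERS any (msg:"sample rule with its own filter"; content:"Referer|3a|"; http_header; detection_filter: track by_src, count 2, seconds 1; classtype:attempted-dos; sid:2807051; rev:4;)
alert tcp any any -> any any (msg:"sample rule without a filter"; content:"abc"; sid:1000001; rev:1;)
alert tcp any any -> any any (msg:"sample rule using threshold keyword"; threshold: type both, track by_dst, count 5, seconds 10; sid:1000002; rev:1;)
"""

# threshold.conf event_filter line, e.g. "event_filter gen_id 0, sig_id 0, type limit, ..."
EVENT_FILTER_RE = re.compile(
    r"^\s*event_filter\s+gen_id\s+(\d+)\s*,\s*sig_id\s+(\d+)\s*,\s*type\s+(\w+)\s*,"
    r"\s*track\s+(\w+)\s*,\s*count\s+(\d+)\s*,\s*seconds\s+(\d+)", re.M)
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
# per-rule event vars: the keyword must be followed by a colon, so a word in msg does not match
RULE_FILTER_RE = re.compile(r"\b(detection_filter|threshold)\s*:\s*([^;]+);")


def parse_global_filters(text):
    """Return the event_filter entries that apply to all rules (gen_id 0, sig_id 0)."""
    out = []
    for m in EVENT_FILTER_RE.finditer(text):
        gen_id, sig_id, ftype, track, count, seconds = m.groups()
        if gen_id == "0" and sig_id == "0":
            out.append({"type": ftype, "track": track, "count": int(count), "seconds": int(seconds)})
    return out


def rules_overriding_global(rules_text):
    """Map sid -> (keyword, options) for rules that carry their own event var.
    Per the warning quoted in the thread, such a rule-level setting is given
    precedence over the threshold.conf filter, so the global limit is not
    enforced for these sids."""
    out = {}
    for line in rules_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        sid, flt = SID_RE.search(line), RULE_FILTER_RE.search(line)
        if sid and flt:
            out[int(sid.group(1))] = (flt.group(1), flt.group(2).strip())
    return out


if __name__ == "__main__":
    print("global filters:", parse_global_filters(THRESHOLD_CONF))
    for sid, (kw, opts) in sorted(rules_overriding_global(RULES).items()):
        print(f"sid {sid}: own {kw} ({opts}) takes precedence over the global filter")
```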