[Oisf-users] Detection filters in global config

Davide Setti d.setti at certego.net
Mon Mar 11 13:58:43 UTC 2019


I know that "threshold", "suppress" and "rate_filter" can be configured in
the global file. But that's not what I am looking into now.

I would like to use the "detection_filter" logic (
https://suricata.readthedocs.io/en/suricata-4.1.2/rules/thresholding.html#detection-filter)
here, which would save me from having to rewrite a particular rule.

"The detection_filter keyword can be used to alert on every match after a
threshold has been reached. It differs from the threshold with type
threshold in that it generates an alert for each rule match after the
initial threshold has been reached, where the latter will reset it’s
internal counter and alert again when the threshold has been reached again."

As of now, paragraph 8.2.2.2 of the docs does not say anything about
"detection_filter"; it is only about "threshold".

Regards,
Davide

On Mon, 11 Mar 2019 at 14:47, b smith <x62smith at gmail.com> wrote:

> It looks like you can use threshold in the threshold.conf file or you can
> also use rate_filter to change the action from alert to pass and that might
> work as well.
>
> threshold gen_id 1, sig_id 2002087, type both, track by_src, count 3, seconds 5
> threshold gen_id 1, sig_id 2002087, type threshold, track by_src, count 10, seconds 60
> threshold gen_id 1, sig_id 2002087, type limit, track by_src, count 1, seconds 15
>
>
>
> https://suricata.readthedocs.io/en/suricata-4.1.2/configuration/global-thresholds.html#id3
>
> On Mon, Mar 11, 2019 at 4:32 AM Davide Setti <d.setti at certego.net> wrote:
>
>> Hi all,
>>
>> We were reading about "detection filter" (
>> https://suricata.readthedocs.io/en/suricata-4.1.2/rules/thresholding.html#detection-filter)
>> to reduce the noise of some signatures (mainly mirai related).
>>
>> We would like to avoid any in-place changes to these rules.
>>
>> Does "detection filter" also work in the global threshold configuration?
>>
>> If yes, this should be better explained in the docs:
>> https://suricata.readthedocs.io/en/suricata-4.1.2/configuration/global-thresholds.html
>>
>> Regards,
>> Davide
>> --
>> <http://www.certego.net/>
>> Davide Setti
>> R&D and Incident Response Team, Certego
>> <http://www.linkedin.com/company/certego>
>> <http://twitter.com/Certego_IRT>  <http://github.com/certego>
>> <http://www.youtube.com/CERTEGOsrl>
>> <http://plus.google.com/117641917176532015312>
>> Use of the information within this document constitutes acceptance for
>> use in an "as is" condition. There are no warranties with regard to this
>> information; Certego has verified the data as thoroughly as possible. Any
>> use of this information lies within the user's responsibility. In no event
>> shall Certego be liable for any consequences or damages, including direct,
>> indirect, incidental, consequential, loss of business profits or special
>> damages, arising out of or in connection with the use or spread of this
>> information.
>> _______________________________________________
>> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
>> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>>
>> Conference: https://suricon.net
>> Trainings: https://suricata-ids.org/training/
>
>

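The difference quoted above between "threshold" with type threshold and "detection_filter" is easiest to see by replaying a handful of rule matches through both. The following is an added example written for this thread, not code from the list posts or from Suricata itself: a simplified Python model of the documented counting behaviour for one tracked key (the window opens at the first match, does not slide, and is restarted by the first match after it expires; detection_filter is modelled as alerting once the window holds more than `count` matches). It also covers the limit and both types used in the quoted threshold.conf lines. The match timestamps are constructed.

```python
"""Simplified model of Suricata's per-rule thresholding modes.

Added example for this thread, not code from the list posts or from
Suricata itself. It replays a constructed list of rule-match timestamps
for one tracked key (e.g. one source IP under track by_src) through the
four documented modes and returns which matches would raise an alert.
Window handling is a modelling assumption: the window opens at the first
match, does not slide, and is restarted by the first match after it
expires.
"""
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: ten matches one second apart, then two more after
# a long pause (values are seconds since the first match).
SAMPLE_MATCHES: List[float] = [0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 120, 121]


@dataclass
class ThresholdState:
    """Counter for one (rule, tracked key) pair."""
    mode: str            # "limit", "threshold", "both" or "detection_filter"
    count: int
    seconds: int
    window_start: Optional[float] = None
    current: int = 0

    def match(self, ts: float) -> bool:
        """Feed one rule match at time ts; return True if it should alert."""
        if self.window_start is None or ts - self.window_start >= self.seconds:
            # First match ever, or the previous window expired: open a new one.
            self.window_start = ts
            self.current = 0
        self.current += 1

        if self.mode == "limit":
            # Alert on the first `count` matches in the window, then stay quiet.
            return self.current <= self.count
        if self.mode == "threshold":
            # Alert on every `count`-th match; the counter resets after each
            # alert, so the same window can alert more than once.
            if self.current >= self.count:
                self.current = 0
                return True
            return False
        if self.mode == "both":
            # Alert once per window, on the match that reaches `count`.
            return self.current == self.count
        if self.mode == "detection_filter":
            # Alert on every match once more than `count` matches have been
            # seen in the window (modelled as strictly greater than count).
            return self.current > self.count
        raise ValueError(f"unknown mode {self.mode!r}")


def replay(mode: str, count: int, seconds: int,
           timestamps: List[float]) -> List[int]:
    """Return the 1-based positions of the matches that alert under `mode`."""
    state = ThresholdState(mode, count, seconds)
    return [i for i, ts in enumerate(timestamps, start=1) if state.match(ts)]


if __name__ == "__main__":
    for mode in ("limit", "threshold", "both", "detection_filter"):
        print(f"{mode:17s} count 3, seconds 60 ->",
              replay(mode, 3, 60, SAMPLE_MATCHES))
```

With count 3 and seconds 60 on the sample, type threshold alerts on matches 3, 6 and 9 (one alert per three matches, counter reset each time), type both alerts only on match 3, type limit alerts on matches 1, 2 and 3 and again on 11 and 12 once a new window opens, and detection_filter alerts on every match from the 4th through the 10th, i.e. on everything after the initial count within the window. That last line is the behaviour the quoted docs describe and that a threshold.conf "type threshold" entry does not reproduce.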