Next: 3.9 Event Suppression
Up: 3. Writing Snort Rules:
Previous: 3.7 Post-Detection Rule Options
3.8 Event Thresholding
Event thresholding can be used to reduce the number of logged alerts for noisy
rules. This can be tuned to significantly reduce false alarms, and it can also
be used to write a newer breed of rules. Thresholding commands limit the number
of times a particular event is logged during a specified time interval.
There are 3 types of thresholding:
- limit
Alerts on the first m events during the time interval, then ignores events for the
rest of the time interval.
- threshold
Alerts every m times we see this event during the time interval.
- both
Alerts once per time interval after seeing m occurrences of the event, then
ignores any additional events during the time interval.
Thresholding commands can be included as part of a rule, or you can use
standalone threshold commands that reference the generator and SID they are
applied to. There is no functional difference between adding a threshold to a
rule and using a separate threshold command applied to the same rule; the
difference is a logical one. Some rules only make sense with a threshold, and
these should incorporate the threshold command into the rule. For instance, a
rule for detecting too many login password attempts may require more than 5
attempts. This can be done using the `limit' type of threshold command, and it
makes sense for the threshold to be an integral part of such a rule.
In order for rule thresholds to apply properly, these rules must contain a
SID.
Only one threshold may be applied to any given generator and SID pair. If more
than one threshold is applied to a generator and SID pair, Snort will terminate
with an error while reading the configuration information.
This format supports 6 threshold options, described in the table below; all are required.
Table: Standalone Options
| Option | Arguments |
| --- | --- |
| gen_id | generator ID |
| sig_id | Snort signature ID |
| type | limit, threshold, or both |
| track | by_src or by_dst |
| count | number of events |
| seconds | time period over which count is accrued |
threshold gen_id <gen-id>, sig_id <sig-id>, \
type <limit|threshold|both>, \
track <by_src|by_dst>, count <n>, seconds <m>
This format supports 4 threshold options, described in the table below; all are required.
Table: Rule Keyword Options
| Option | Arguments |
| --- | --- |
| type | limit, threshold, or both |
| track | by_src or by_dst |
| count | number of events |
| seconds | time period over which count is accrued |
threshold: type <limit|threshold|both>, track <by_src|by_dst>, \
count <n>, seconds <m>;
For either the standalone or the rule format, all tracking is by source IP or
by destination IP; ports and anything else are not tracked.
Thresholding can also be used globally, which allows you to specify a threshold
for every rule. The standard thresholding tests are applied to an event first;
only if they do not block the rule from being logged is the global thresholding
test applied. Thresholds in a rule therefore override a global threshold: global
thresholds do not override what is in a signature or a more specific stand-alone
threshold.
The global threshold options are the same as the standard threshold options
with the exception of the `sig_id' field. The sig_id field must be set to 0 to
indicate that this threshold command applies to all sig_id values with the specified
gen_id. To apply the same threshold to all gen_ids at the same time with just
one command, specify gen_id 0.
The format for global threshold commands is as follows:
threshold gen_id <gen-id>, sig_id 0, \
type <limit|threshold|both>, \
track <by_src|by_dst>, \
count <n>, \
seconds <m>
This applies a threshold to every event from the given gen-id.
or
threshold gen_id 0 , sig_id 0, \
type <limit|threshold|both>, \
track <by_src|by_dst>, \
count <n>, \
seconds <m>
This applies a threshold to every event from every gen-id.
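The standalone format above and the global variants (sig_id 0, gen_id 0) share one command grammar and one set of rules: all six options must be present, a (gen_id, sig_id) pair may carry only one threshold, and a more specific threshold wins over a global one. The following Python is an added example, not code from the Snort manual or from Snort itself; the ThresholdConfigError exception and the ThresholdTable class are this example's own names, and the command strings it loads are the ones shown in this section.

```python
"""Parser and registry for Snort standalone / global threshold commands.

Added example, not code from the Snort manual or from Snort itself.  It parses
the `threshold gen_id ..., sig_id ..., ...` command form shown in this section,
enforces that all six options are present, rejects a second threshold for the
same (gen_id, sig_id) pair, and resolves which threshold governs an event when
rule-specific, gen-wide (sig_id 0) and fully global (gen_id 0) entries coexist.
ThresholdConfigError and ThresholdTable are this example's own names.
"""
import re

REQUIRED = ("gen_id", "sig_id", "type", "track", "count", "seconds")
TYPES = {"limit", "threshold", "both"}
TRACKS = {"by_src", "by_dst"}


class ThresholdConfigError(ValueError):
    """Raised for a malformed or conflicting threshold command."""


def parse_threshold(command):
    """Parse one threshold command (backslash line continuations allowed) into a dict."""
    # Drop continuation backslashes and collapse whitespace so that the
    # "gen_id 0 , sig_id 0" spelling from the manual parses as well.
    text = re.sub(r"\s+", " ", command.replace("\\", " ")).strip()
    if not text.startswith("threshold "):
        raise ThresholdConfigError(f"not a threshold command: {command!r}")
    opts = {}
    for part in text[len("threshold "):].split(","):
        fields = part.split()
        if len(fields) != 2:
            raise ThresholdConfigError(f"malformed option: {part.strip()!r}")
        key, value = fields
        if key not in REQUIRED:
            raise ThresholdConfigError(f"unknown option: {key!r}")
        if key in opts:
            raise ThresholdConfigError(f"option given twice: {key!r}")
        opts[key] = value
    missing = [k for k in REQUIRED if k not in opts]
    if missing:
        raise ThresholdConfigError("missing required option(s): " + ", ".join(missing))
    if opts["type"] not in TYPES:
        raise ThresholdConfigError(f"type must be one of {sorted(TYPES)}")
    if opts["track"] not in TRACKS:
        raise ThresholdConfigError(f"track must be one of {sorted(TRACKS)}")
    for key in ("gen_id", "sig_id", "count", "seconds"):
        if not opts[key].isdigit():
            raise ThresholdConfigError(f"{key} must be a non-negative integer")
        opts[key] = int(opts[key])
    return opts


class ThresholdTable:
    """All configured thresholds, keyed by (gen_id, sig_id)."""

    def __init__(self):
        self._entries = {}

    def add(self, command):
        opts = parse_threshold(command)
        key = (opts["gen_id"], opts["sig_id"])
        if key in self._entries:
            # Snort terminates with an error at this point; the example raises instead.
            raise ThresholdConfigError(
                f"only one threshold may be applied to gen_id {key[0]}, sig_id {key[1]}")
        self._entries[key] = opts
        return opts

    def lookup(self, gen_id, sig_id):
        """Return the most specific threshold for an event, or None.

        A threshold on the exact (gen_id, sig_id) pair wins over a gen-wide
        global one (sig_id 0), which wins over the all-generators one (gen_id 0).
        """
        for key in ((gen_id, sig_id), (gen_id, 0), (0, 0)):
            if key in self._entries:
                return self._entries[key]
        return None


def build_example_table():
    """Load the standalone and global commands shown in this section."""
    table = ThresholdTable()
    table.add("threshold gen_id 1, sig_id 1851, \\\n  type limit, track by_src, \\\n  count 1, seconds 60")
    table.add("threshold gen_id 1, sig_id 1852, type threshold, track by_src, count 3, seconds 60")
    table.add("threshold gen_id 1, sig_id 1853, type both, track by_src, count 30, seconds 60")
    table.add("threshold gen_id 1, sig_id 0, type limit, track by_src, count 1, seconds 60")
    table.add("threshold gen_id 0 , sig_id 0, type limit, track by_src, count 1, seconds 60")
    return table


if __name__ == "__main__":
    table = build_example_table()
    print(table.lookup(1, 1851))   # the SID-specific entry
    print(table.lookup(1, 9999))   # falls back to the gen_id 1 / sig_id 0 entry
    print(table.lookup(3, 5))      # falls back to the gen_id 0 / sig_id 0 entry
```

Resolution mirrors the text above: an event from gen_id 1, SID 9999 has no threshold of its own, so the gen-wide sig_id 0 command governs it, and an event from a generator with no entries at all falls through to gen_id 0. Adding a second command for an already configured pair is refused, which is the condition under which Snort exits while reading its configuration.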
Limit logging to 1 event per 60 seconds:
threshold gen_id 1, sig_id 1851, \
type limit, track by_src, \
count 1, seconds 60
Limit logging to every 3rd event:
threshold gen_id 1, sig_id 1852, \
type threshold, track by_src, \
count 3, seconds 60
Limit logging to just 1 event per 60 seconds, but only if we exceed 30 events in 60 seconds:
threshold gen_id 1, sig_id 1853, \
type both, track by_src, \
count 30, seconds 60
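The three commands above differ only in type, and the difference in what gets logged is easiest to see by running one event stream through each. The Python below is an added example, not code from the Snort manual or the Snort source: it models the counting rules given at the start of this section (first m events for limit, every m-th event for threshold, once per interval on the m-th event for both) for a single gen_id/sig_id pair, with per-address state for track by_src and by_dst. The event stream, the source and destination addresses, and the interval lengths are constructed for illustration.

```python
"""Simulator for the three Snort threshold types: limit, threshold and both.

Added example, not code from the Snort manual or the Snort source.  It models
the counting rules described in this section for one (gen_id, sig_id) pair,
tracked per source or destination address as `track by_src` / `track by_dst`
would.  The event stream at the bottom is constructed for illustration.
"""
from dataclasses import dataclass, field


@dataclass
class Threshold:
    type: str            # "limit", "threshold" or "both"
    track: str           # "by_src" or "by_dst"
    count: int           # the "m events" of the manual text
    seconds: int         # length of the time interval
    # per-address state: address -> (interval start time, events seen in it)
    _state: dict = field(default_factory=dict, repr=False)

    def _key(self, event):
        return event["src"] if self.track == "by_src" else event["dst"]

    def accept(self, event):
        """Return True if the event is logged, False if thresholding drops it."""
        now = event["time"]
        key = self._key(event)
        start, n = self._state.get(key, (now, 0))
        if now - start >= self.seconds:      # interval expired: start a new one
            start, n = now, 0
        n += 1
        if self.type == "limit":
            logged = n <= self.count         # log the first m events, drop the rest
        elif self.type == "threshold":
            logged = n >= self.count         # log every m-th event ...
            if logged:
                start, n = now, 0            # ... and each log starts a new period
        elif self.type == "both":
            logged = n == self.count         # log once, on the m-th event of the interval
        else:
            raise ValueError(f"unknown threshold type {self.type!r}")
        self._state[key] = (start, n)
        return logged


def run(threshold, events):
    """Feed time-ordered events through a threshold; return (time, src) of the logged ones."""
    return [(e["time"], e["src"]) for e in events if threshold.accept(e)]


# Constructed traffic: a noisy source fires every 5 s for a minute and twice
# more after it; a quiet source fires twice.  All events hit one destination.
NOISY, QUIET, DST = "198.51.100.5", "198.51.100.6", "192.0.2.10"
EVENTS = sorted(
    [{"time": t, "src": NOISY, "dst": DST} for t in list(range(0, 60, 5)) + [65, 70]]
    + [{"time": t, "src": QUIET, "dst": DST} for t in (2, 7)],
    key=lambda e: e["time"],
)


def demo():
    """Apply each threshold type to the same stream so the differences are visible."""
    return {
        "limit_1_by_src": run(Threshold("limit", "by_src", 1, 60), EVENTS),
        "threshold_3_by_src": run(Threshold("threshold", "by_src", 3, 60), EVENTS),
        "both_3_by_src": run(Threshold("both", "by_src", 3, 60), EVENTS),
        "both_3_by_dst": run(Threshold("both", "by_dst", 3, 60), EVENTS),
    }


if __name__ == "__main__":
    for name, logged in demo().items():
        print(f"{name:20} -> {logged}")
```

With this stream, limit with count 1 logs the first event from each source and then the noisy source again once its 60 second interval has expired; threshold with count 3 logs the noisy source's 3rd, 6th, 9th and 12th events and the quiet source never; both with count 3 by_src logs the noisy source exactly once, and the same threshold tracked by_dst fires once for the shared destination on the third event seen from either source. That last pair is why the choice of track matters as much as the count.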
This rule logs the first event of this SID every 60 seconds.
alert tcp $external_net any -> $http_servers $http_ports \
(msg:"web-misc robots.txt access"; flow:to_server, established; \
uricontent:"/robots.txt"; nocase; reference:nessus,10302; \
classtype:web-application-activity; threshold: type limit, track \
by_src, count 1 , seconds 60 ; sid:1000852; rev:1;)
This rule logs every 10th event on this SID during a 60 second interval, so if
fewer than 10 events occur in 60 seconds, nothing gets logged. Once an event is
logged, a new time period starts for type=threshold.
alert tcp $external_net any -> $http_servers $http_ports \
(msg:"web-misc robots.txt access"; flow:to_server, established; \
uricontent:"/robots.txt"; nocase; reference:nessus,10302; \
classtype:web-application-activity; threshold: type threshold, \
track by_dst, count 10 , seconds 60 ; sid:1000852; rev:1;)
This rule logs at most one event every 60 seconds if at least 10 events on this SID are fired.
alert tcp $external_net any -> $http_servers $http_ports \
(msg:"web-misc robots.txt access"; flow:to_server, established; \
uricontent:"/robots.txt"; nocase; reference:nessus,10302; \
classtype:web-application-activity; threshold: type both , track \
by_dst, count 10 , seconds 60 ; sid:1000852; rev:1;)
Limit logging to 1 event per 60 seconds per IP triggering each rule (rule gen_id is 1):
threshold gen_id 1, sig_id 0, type limit, track by_src, count 1, seconds 60
Limit logging to 1 event per 60 seconds per IP triggering each rule, for every event generator:
threshold gen_id 0, sig_id 0, type limit, track by_src, count 1, seconds 60
Events in Snort are generated in the usual way; thresholding is handled as part
of the output system. Read gen-msg.map for details on gen ids.
Users can also configure a memcap for thresholding with a `config' option:
config threshold: memcap <bytes>