Next: Standalone Options
Up: Writing Snort Rules: How
Previous: Post-Detection Quick Reference
Contents
Event Thresholding
Event thresholding can be used to reduce the number of logged alerts for noisy
rules. This can be tuned to significantly reduce false alarms, and it can also
be used to write a newer breed of rules. Thresholding commands limit the number
of times a particular event is logged during a specified time interval.
There are three types of thresholding:
- limit
Alerts on the first m events during the time interval, then ignores events for
the rest of the time interval.
- threshold
Alerts every m times we see this event during the time interval.
- both
Alerts once per time interval after seeing m occurrences of the event, then
ignores any additional events during the time interval.
Thresholding commands can be included as part of a rule, or you can use
standalone threshold commands that reference the generator and SID they are
applied to. There is no functional difference between adding a threshold to a
rule and using a separate threshold command applied to the same rule. There
is a logical difference. Some rules may only make sense with a threshold.
These should incorporate the threshold command into the rule. For instance, a
rule for detecting too many login password attempts may require more than 5
attempts. This can be done using the 'limit' type of threshold command. It
makes sense that the threshold feature is an integral part of this rule.
In order for rule thresholds to apply properly, these rules must contain a
SID.
Only one threshold may be applied to any given generator and SID pair. If more
than one threshold is applied to a generator and SID pair, Snort will terminate
with an error while reading the configuration information.
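To make the three types concrete, here is an added Python model of the thresholding semantics described above; it is illustrative code, not Snort's own implementation. It assumes a count of 5, a 10-second interval and tracking by source address, and the rule-option and standalone forms quoted in the comments are the Snort 2.x syntax (the sig_id used there is a placeholder local SID).

```python
# Added model of Snort 2.x event thresholding (limit / threshold / both).
# This is illustrative Python, not Snort's own implementation.  In a Snort
# rule the equivalent option would read, e.g.:
#     threshold: type limit, track by_src, count 5, seconds 10;
# and as a standalone command referencing the generator and SID:
#     threshold gen_id 1, sig_id 1000001, type limit, track by_src, count 5, seconds 10
# (sig_id 1000001 is a placeholder local SID, not one from the page).

class EventThreshold:
    """Thresholding state for one generator/SID pair, tracked per key
    (the key stands in for 'track by_src' or 'track by_dst')."""

    def __init__(self, ttype, count, seconds):
        if ttype not in ("limit", "threshold", "both"):
            raise ValueError("type must be limit, threshold or both")
        self.ttype, self.count, self.seconds = ttype, count, seconds
        self.state = {}  # key -> (interval_start, events_seen_in_interval)

    def should_log(self, key, ts):
        """Return True if the event seen at time ts (seconds) is logged."""
        start, seen = self.state.get(key, (None, 0))
        if start is None or ts - start >= self.seconds:
            start, seen = ts, 0          # first event opens a new interval
        seen += 1
        self.state[key] = (start, seen)
        if self.ttype == "limit":        # first m events, then silence
            return seen <= self.count
        if self.ttype == "threshold":    # every m-th event
            return seen % self.count == 0
        return seen == self.count        # both: once, on the m-th event


def simulate(ttype, count, seconds, events):
    """Run a stream of (key, timestamp) events; return logged timestamps."""
    th = EventThreshold(ttype, count, seconds)
    return [ts for key, ts in events if th.should_log(key, ts)]


# Constructed sample: one source emits an event every second for 12 seconds.
EVENTS = [("10.0.0.1", t) for t in range(12)]

if __name__ == "__main__":
    for ttype in ("limit", "threshold", "both"):
        print(f"{ttype:9s} count 5 seconds 10 ->", simulate(ttype, 5, 10, EVENTS))
```

Running it shows the difference in one line each: limit logs the first five events and then the first two of the next interval, threshold logs only the 5th and 10th, and both logs only the 5th.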
Steven Sturges
2008-04-01