Bug #455 » threshold.conf.txt

Ian Bowers, 04/24/2012 09:08 AM

# Configure Thresholding and Suppression
# ======================================
#
# The threshold command is deprecated.  Use detection_filter for thresholds
# within a rule and event_filter for standalone threshold configurations.
# Please see README.filters for more information on filters.
#
# Thresholding:
#
# This feature is used to reduce the number of logged alerts for noisy rules.
# This can be tuned to significantly reduce false alarms, and it can also be
# used to write a newer breed of rules. Thresholding commands limit the number
# of times a particular event is logged during a specified time interval.
#
# There are 3 types of event_filters:
#
# 1) Limit
#    Alert on the 1st M events during the time interval, then ignore
#    events for the rest of the time interval.
#
# 2) Threshold
#    Alert every M times we see this event during the time interval.
#
# 3) Both
#    Alert once per time interval after seeing M occurrences of the
#    event, then ignore any additional events during the time interval.
#
# Threshold commands are formatted as:
#
# event_filter gen_id gen-id, sig_id sig-id, \
#     type limit|threshold|both, track by_src|by_dst, \
#     count n , seconds m
#
# Limit to logging 1 event per 60 seconds:
#
# event_filter gen_id 1, sig_id 1851, type limit, \
#     track by_src, count 1, seconds 60
#
# Global Threshold - Limit to logging 1 event per 60 seconds per IP triggering
# each rule (rules are gen_id 1):
#
# event_filter gen_id 1, sig_id 0, type limit, track by_src, count 1, seconds 60
#
# Global Threshold - Limit to logging 1 event per 60 seconds per IP triggering
# any alert for any event generator:
#
# event_filter gen_id 0, sig_id 0, type limit, track by_src, count 1, seconds 60
#
# Suppression:
#
# Suppression commands are standalone commands that reference generators and
# sids and IP addresses via a CIDR block (or IP list). This allows a rule to be
# completely suppressed, or suppressed when the causative traffic is going to
# or coming from a specific IP or group of IP addresses.
#
# Suppress this event completely:
#
# suppress gen_id 1, sig_id 1852
#
# Suppress this event from this IP:
#
# suppress gen_id 1, sig_id 1852, track by_src, ip 10.1.1.54
#
# Suppress this event to this CIDR block:
#
# suppress gen_id 1, sig_id 1852, track by_dst, ip 10.1.1.0/24
#
# working example from iggbsd2 snort:
#suppress gen_id 122, sig_id 17, track by_src, ip 172.16.0.2
# Sometimes I idle in IRC
suppress gen_id 1, sig_id 2404152, track by_src, ip 192.168.2.2
suppress gen_id 1, sig_id 2404154, track by_src, ip 192.168.2.2
suppress gen_id 1, sig_id 2002026, track by_src, ip 192.168.2.2
#apt updates
suppress gen_id 1, sig_id 2013031, track by_src, ip 192.168.2.2
suppress gen_id 1, sig_id 2013031, track by_src, ip 192.168.2.3
suppress gen_id 1, sig_id 2013031, track by_src, ip 192.168.2.216
# nerds play wow, fires on launcher.exe
suppress gen_id 1, sig_id 2010645, track by_dst, ip 12.129.222.51
#
####
# torrent related false positives
####
suppress gen_id 1, sig_id 2406000, track by_src, ip 108.59.1.205
suppress gen_id 1, sig_id 2406001, track by_src, ip 108.59.1.205
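To make the three event_filter types and the suppress semantics described in the comments above concrete, here is an added Python simulator (not part of the attached file and not Snort's own code). It parses event_filter/suppress lines in the syntax shown above, including backslash line continuations, replays a constructed stream of alert events through them and returns the events that would actually be logged. It assumes Snort's documented ordering (suppression is tested before thresholding; a sig-specific filter takes precedence over a gen_id-wide or fully global one) and approximates the time window as a fixed window that starts at the first matching event and resets once `seconds` have elapsed. The sample config and event list are constructed for the demonstration.

```python
"""Simulate Snort event_filter (limit / threshold / both) and suppress rules.

Added example; not the attached threshold.conf and not Snort source.
"""
import ipaddress


def _logical_lines(text):
    """Join lines ending in a backslash, as the event_filter syntax allows."""
    buf = ''
    for raw in text.splitlines():
        s = raw.rstrip()
        if s.endswith('\\'):
            buf += s[:-1]
            continue
        yield buf + s
        buf = ''


def parse_rules(config_text):
    """Parse event_filter / suppress lines into dicts; comments are skipped."""
    rules = []
    for line in _logical_lines(config_text):
        line = line.split('#', 1)[0].strip()
        if not line:
            continue
        kind, _, rest = line.partition(' ')
        if kind not in ('event_filter', 'suppress'):
            continue
        opts = {'kind': kind}
        for part in rest.split(','):
            key, _, val = part.strip().partition(' ')
            if key:
                opts[key] = val.strip()
        for k in ('gen_id', 'sig_id', 'count', 'seconds'):
            if k in opts:
                opts[k] = int(opts[k])
        if 'ip' in opts:  # a single IP or a CIDR block
            opts['ip'] = ipaddress.ip_network(opts['ip'], strict=False)
        rules.append(opts)
    return rules


def _matches(rule, gen_id, sig_id):
    # gen_id 0 / sig_id 0 act as wildcards (the "global" filters above)
    return rule['gen_id'] in (0, gen_id) and rule['sig_id'] in (0, sig_id)


def _tracked_ip(rule, src, dst):
    return src if rule.get('track') == 'by_src' else dst


def is_suppressed(rules, gen_id, sig_id, src, dst):
    """suppress: drop the event entirely, or only for the tracked IP/CIDR."""
    for r in rules:
        if r['kind'] != 'suppress' or not _matches(r, gen_id, sig_id):
            continue
        if 'ip' not in r:
            return True
        if ipaddress.ip_address(_tracked_ip(r, src, dst)) in r['ip']:
            return True
    return False


class EventFilterState:
    """Per-(filter, tracked IP) counters implementing limit/threshold/both."""

    def __init__(self, rules):
        # specific filters first, then gen_id-wide, then fully global (assumed precedence)
        self.rules = sorted((r for r in rules if r['kind'] == 'event_filter'),
                            key=lambda r: (r['sig_id'] == 0, r['gen_id'] == 0))
        self.state = {}  # (rule index, tracked ip) -> (window_start, count)

    def should_log(self, t, gen_id, sig_id, src, dst):
        for i, r in enumerate(self.rules):
            if not _matches(r, gen_id, sig_id):
                continue
            key = (i, _tracked_ip(r, src, dst))
            start, n = self.state.get(key, (None, 0))
            if start is None or t - start >= r['seconds']:
                start, n = t, 0  # window expired: start a new one (assumed model)
            n += 1
            self.state[key] = (start, n)
            m = r['count']
            if r['type'] == 'limit':       # first M events per window
                return n <= m
            if r['type'] == 'threshold':   # every M-th event per window
                return n % m == 0
            return n == m                  # both: once per window, at the M-th
        return True  # no filter applies: log as normal


def process(config_text, events):
    """Replay (time, gen_id, sig_id, src, dst) events; return those logged."""
    rules = parse_rules(config_text)
    filt = EventFilterState(rules)
    logged = []
    for ev in events:
        t, gen_id, sig_id, src, dst = ev
        if is_suppressed(rules, gen_id, sig_id, src, dst):
            continue  # suppression is tested before thresholding
        if filt.should_log(t, gen_id, sig_id, src, dst):
            logged.append(ev)
    return logged


# Constructed sample config (raw string so the "\" continuation survives).
SAMPLE_CONFIG = r"""
# constructed for the demo; sig_ids here are arbitrary
event_filter gen_id 1, sig_id 1851, type limit, \
    track by_src, count 1, seconds 60
event_filter gen_id 1, sig_id 2000, type threshold, track by_src, count 3, seconds 60
event_filter gen_id 1, sig_id 3000, type both, track by_dst, count 2, seconds 60
suppress gen_id 1, sig_id 1852, track by_src, ip 10.1.1.54
suppress gen_id 1, sig_id 1853, track by_dst, ip 10.1.1.0/24
"""

# Constructed events: (time in seconds, gen_id, sig_id, src, dst)
EVENTS = [
    (0, 1, 1851, '10.0.0.1', '10.9.9.9'),     # limit: logged (1st in window)
    (5, 1, 1851, '10.0.0.2', '10.9.9.9'),     # other src: its own counter, logged
    (10, 1, 1851, '10.0.0.1', '10.9.9.9'),    # dropped
    (20, 1, 1851, '10.0.0.1', '10.9.9.9'),    # dropped
    (70, 1, 1851, '10.0.0.1', '10.9.9.9'),    # new 60 s window: logged
] + [(t, 1, 2000, '10.0.0.1', '10.9.9.9') for t in range(6)] \
  + [(t, 1, 3000, '10.0.0.7', '10.1.1.9') for t in range(3)] + [
    (0, 1, 1852, '10.1.1.54', '10.9.9.9'),    # suppressed by src IP
    (0, 1, 1852, '10.1.1.55', '10.9.9.9'),    # not suppressed, logged
    (0, 1, 1853, '10.0.0.1', '10.1.1.200'),   # suppressed: dst in 10.1.1.0/24
    (0, 1, 1853, '10.0.0.1', '10.2.1.1'),     # logged
]

if __name__ == '__main__':
    for ev in process(SAMPLE_CONFIG, EVENTS):
        print(ev)
```

Running it shows the threshold filter logging only the 3rd and 6th sig 2000 event, the both filter logging exactly one sig 3000 event, and the limit filter firing again once the window has expired; the two suppress lines drop events only for the tracked address side they name, which is the behaviour the comments above describe for `track by_src` versus `track by_dst`.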