Inspect the effects of mixing threshold and detection filters etc.
#2 Updated by Victor Julien over 6 years ago
- Target version changed from 1.4 to 1.4beta2
Currently we ignore threshold.conf entries if a rule already has thresholding set.
As the thresholds in a rule are a list, we could just start with allowing multiple entries. The matching engine should only return a match when all conditions are met. Conflicting conditions should be checked for then obviously.
#4 Updated by Victor Julien over 6 years ago
A signature with a threshold, e.g.:
alert tcp any any -> any 25 (msg:"ET POLICY Inbound Frequent Emails - Possible Spambot Inbound"; flow:established; content:"mail from|3a|"; nocase; threshold: type threshold, track by_src, count 10, seconds 60; reference:url,doc.emergingthreats.net/2002087; classtype:misc-activity; sid:2002087; rev:10;)
Can be mixed with all types of global suppressions it seems. Tried:
suppress gen_id 1, sig_id 2002087, track by_src, ip xx
suppress gen_id 0, sig_id 0, track by_src, ip xx
suppress gen_id 1, sig_id 0, track by_src, ip xx
suppress gen_id 1, sig_id 2002087
#7 Updated by Victor Julien over 6 years ago
Added support for overriding per signature thresholds.
commit 82fc61770bd3cdeb5cf033bfa8f7dc2580ebffbc
Author: Victor Julien <firstname.lastname@example.org>
Date:   Wed Sep 26 08:58:05 2012 +0200

    threshold: allow threshold.config to override rule

    Allow threshold.conf to override rule thresholds in the following cases:
    - threshold.config rule uses threshold or event_filter AND
    - threshold.config rule applies to a single signature (so no gid 0 or sid 0)

    Confirmed to work with both threshold and detection_filter rule keywords.

    Part of bug #425.
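The override policy stated in the commit message above, worked through as a small model. This is an added example, not Suricata's code: it parses a constructed threshold.config and the rule from comment #4, then decides which threshold is in effect using only the two conditions the commit names (entry type is threshold or event_filter, and the entry names a single signature, i.e. neither gen_id 0 nor sig_id 0). The threshold.config lines, the helper names and the first-match-wins tie-break are assumptions of this example; the default gid of 1 for rules without an explicit gid keyword is standard Suricata behaviour.

```python
"""
Model of "threshold.config may override a rule's own threshold" as
described in the commit above.  Example code, not Suricata's
implementation; entries below are constructed for illustration.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed threshold.config (not from the issue).  Only the first
# entry is a per-signature threshold/event_filter, so only it overrides.
THRESHOLD_CONF = """\
# per-signature threshold: overrides the rule's own threshold
threshold gen_id 1, sig_id 2002087, type threshold, track by_src, count 50, seconds 60
# global entry (sig_id 0): never overrides a rule threshold
event_filter gen_id 1, sig_id 0, type limit, track by_src, count 1, seconds 3600
# suppression: not an override, applied separately
suppress gen_id 1, sig_id 2002087, track by_src, ip 10.0.0.5
# rate_filter: not one of the override types named in the commit
rate_filter gen_id 1, sig_id 2002087, track by_src, count 100, seconds 60, new_action drop, timeout 300
"""

# The signature from comment #4 (sid 2002087, rule-level threshold).
RULE = ('alert tcp any any -> any 25 (msg:"ET POLICY Inbound Frequent Emails - '
        'Possible Spambot Inbound"; flow:established; content:"mail from|3a|"; '
        'nocase; threshold: type threshold, track by_src, count 10, seconds 60; '
        'reference:url,doc.emergingthreats.net/2002087; classtype:misc-activity; '
        'sid:2002087; rev:10;)')


@dataclass
class ConfEntry:
    kind: str            # threshold | event_filter | suppress | rate_filter
    gen_id: int
    sig_id: int
    options: Dict[str, str] = field(default_factory=dict)


def _parse_kv(text: str) -> Dict[str, str]:
    """'type threshold, track by_src, count 10' -> {'type': 'threshold', ...}"""
    opts = {}
    for item in text.split(","):
        key, _, val = item.strip().partition(" ")
        if key:
            opts[key] = val.strip()
    return opts


def parse_threshold_conf(text: str) -> List[ConfEntry]:
    """Parse threshold.config lines; '#' starts a comment, blank lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        kind, _, rest = line.partition(" ")
        opts = _parse_kv(rest)
        entries.append(ConfEntry(kind, int(opts.pop("gen_id")), int(opts.pop("sig_id")), opts))
    return entries


def parse_rule_threshold(rule: str):
    """Return (gid, sid, threshold-keyword options or None) for a rule string."""
    sid = int(re.search(r"\bsid:\s*(\d+)", rule).group(1))
    gid_m = re.search(r"\bgid:\s*(\d+)", rule)
    gid = int(gid_m.group(1)) if gid_m else 1        # rules default to gid 1
    m = re.search(r"\b(threshold|detection_filter):\s*([^;]+);", rule)
    keyword = {"keyword": m.group(1), **_parse_kv(m.group(2))} if m else None
    return gid, sid, keyword


def effective_threshold(rule: str, entries: List[ConfEntry]) -> dict:
    """Apply the commit's two conditions; first matching override wins (example choice)."""
    gid, sid, rule_kw = parse_rule_threshold(rule)
    for e in entries:
        if e.kind not in ("threshold", "event_filter"):
            continue                                  # suppress/rate_filter: not overrides
        if e.gen_id == 0 or e.sig_id == 0:
            continue                                  # global entries never override
        if (e.gen_id, e.sig_id) == (gid, sid):
            return {"source": "threshold.config:" + e.kind, "threshold": dict(e.options)}
    return {"source": "rule" if rule_kw else "none", "threshold": rule_kw}


if __name__ == "__main__":
    conf = parse_threshold_conf(THRESHOLD_CONF)
    print(effective_threshold(RULE, conf))            # per-signature entry wins: count 50
    print(effective_threshold(RULE.replace("sid:2002087", "sid:2002088"), conf))  # rule keeps count 10
```

Running the block shows the per-signature threshold entry replacing the rule's count 10 with count 50, while a rule with a different sid keeps its own threshold because the only entries that could reach it are the global one (sig_id 0) and the non-override types.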
#14 Updated by Andreas Herz over 1 year ago
With rate_filter there is also a demand to override or combine the settings within the threshold.config and the used rules. This should match our documentation that when the ratelimit is reached the new_action should be applied and also needs to stay in that mode until timeout is reached. At the moment it's overridden by the threshold settings within the rule. (summary from discussion on the oisf-users ML with topic [Oisf-users] threshold.conf with rate_limit or drop rules in 9/2017)