Feature #425

Inspect the effects of mixing threshold and detection filters etc.

Added by Anoop Saldanha almost 7 years ago. Updated over 1 year ago.

Status:
Assigned
Priority:
Low
Assignee:
Target version:
Effort:
Difficulty:

History

#1 Updated by Victor Julien over 6 years ago

  • Target version set to 1.4

#2 Updated by Victor Julien over 6 years ago

  • Target version changed from 1.4 to 1.4beta2

Currently we ignore threshold.conf entries if a rule already has thresholding set.

As the thresholds in a rule are a list, we could just start with allowing multiple entries. The matching engine should only return a match when all conditions are met. Conflicting conditions should be checked for then obviously.

#3 Updated by Victor Julien over 6 years ago

  • Tracker changed from Bug to Feature
  • Status changed from New to Assigned
  • Assignee changed from Anoop Saldanha to Victor Julien

Related to #455.

#4 Updated by Victor Julien over 6 years ago

A signature with a threshold, e.g.:

alert tcp any any -> any 25 (msg:"ET POLICY Inbound Frequent Emails - Possible Spambot Inbound"; flow:established; content:"mail from|3a|"; nocase; threshold: type threshold, track by_src, count 10, seconds 60; reference:url,doc.emergingthreats.net/2002087; classtype:misc-activity; sid:2002087; rev:10;)

Can be mixed with all types of global suppressions it seems. Tried:
suppress gen_id 1, sig_id 2002087, track by_src, ip xx
suppress gen_id 0, sig_id 0, track by_src, ip xx
suppress gen_id 1, sig_id 0, track by_src, ip xx
suppress gen_id 1, sig_id 2002087

#5 Updated by Victor Julien over 6 years ago

event_filter gen_id 1, sig_id 2002087, type limit, track by_src, count 1, seconds 3600

Should result in 1 alert, but gets 0.

#6 Updated by Victor Julien over 6 years ago

I've added support for suppressing thresholded sigs, but the other globals from threshold.config are not yet supported for sigs with a threshold.

#7 Updated by Victor Julien over 6 years ago

Added support for overriding per signature thresholds.

commit 82fc61770bd3cdeb5cf033bfa8f7dc2580ebffbc
Author: Victor Julien <victor@inliniac.net>
Date:   Wed Sep 26 08:58:05 2012 +0200

    threshold: allow threshold.config to override rule

    Allow threshold.conf to override rule thresholds in the following
    cases:

    - threshold.config rule uses threshold or event_filter AND
    - threshold.config rule applies to a single signature (so no
      gid 0 or sid 0)

    Confirmed to work with both threshold and detection_filter rule
    keywords.

    Part of bug #425.
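
The interaction described in comments #4 to #7 can be modelled as a small simulation. The Python below is an added illustration, not Suricata source and not code from this thread: it applies the override rule stated in the commit message above (a threshold.config threshold/event_filter entry aimed at exactly one gid/sid replaces the rule's own threshold; wildcard entries with gid 0 or sid 0 do not), keeps suppress entries active in every case (comment #6), and implements the documented meaning of type limit and type threshold. The traffic, the addresses, the fixed-window counting and the helper names (`effective_threshold`, `run`, `scenarios`) are assumptions made for the example.

```python
"""Model of how a rule's threshold keyword, threshold.config entries and
suppressions combine. Added example, not Suricata code. Window handling
(one fixed window starting at the first event) is a simplification."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Threshold:
    type: str      # "limit" or "threshold"
    track: str     # "by_src" or "by_dst"
    count: int
    seconds: int


@dataclass(frozen=True)
class ConfigThreshold:   # a threshold/event_filter line from threshold.config
    gid: int             # 0 = any generator
    sid: int             # 0 = any signature
    threshold: Threshold


@dataclass(frozen=True)
class Suppress:          # a suppress line from threshold.config
    gid: int
    sid: int
    track: Optional[str] = None   # None: suppress regardless of address
    ip: Optional[str] = None


@dataclass(frozen=True)
class Event:
    ts: float
    src: str
    dst: str


def effective_threshold(sid, rule_threshold, config):
    """Pick the threshold governing `sid` (override rule from the commit)."""
    for entry in config:                     # single-signature entry overrides
        if entry.gid != 0 and entry.sid == sid:
            return entry.threshold
    if rule_threshold is not None:           # rule threshold beats wildcards
        return rule_threshold
    for entry in config:                     # unthresholded rule: wildcard applies
        if entry.sid in (0, sid):
            return entry.threshold
    return None


def is_suppressed(sid, event, suppressions):
    for s in suppressions:
        if s.sid not in (0, sid):
            continue
        if s.track is None:
            return True
        addr = event.src if s.track == "by_src" else event.dst
        if addr == s.ip:
            return True
    return False


class Counter:
    """Per-track-key counter: 'limit' alerts on the first `count` events of a
    window, 'threshold' alerts on every `count`-th event of a window."""

    def __init__(self, th):
        self.th = th
        self.windows = {}   # key -> [window_start, count]

    def fire(self, key, ts):
        w = self.windows.get(key)
        if w is None or ts - w[0] >= self.th.seconds:
            w = self.windows[key] = [ts, 0]
        w[1] += 1
        if self.th.type == "limit":
            return w[1] <= self.th.count
        if w[1] == self.th.count:            # type threshold
            w[1] = 0
            return True
        return False


def run(sid, rule_threshold, config, suppressions, events):
    """Return (timestamp, tracked address) for every alert raised."""
    th = effective_threshold(sid, rule_threshold, config)
    counter = Counter(th) if th else None
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        if is_suppressed(sid, ev, suppressions):
            continue
        key = ev.src if (th and th.track == "by_src") else ev.dst
        if counter is None or counter.fire(key, ev.ts):
            alerts.append((ev.ts, key))
    return alerts


# Constructed traffic: 25 matches from 10.0.0.5 and 12 from 10.0.0.6, one
# per second, all inside one 60 s window.
EVENTS = [Event(t, "10.0.0.5", "192.0.2.10") for t in range(25)] + \
         [Event(t, "10.0.0.6", "192.0.2.10") for t in range(12)]
SID = 2002087
RULE_THRESHOLD = Threshold("threshold", "by_src", 10, 60)                        # rule in comment #4
EVENT_FILTER = ConfigThreshold(1, SID, Threshold("limit", "by_src", 1, 3600))   # comment #5
WILDCARD = ConfigThreshold(0, 0, Threshold("limit", "by_src", 1, 3600))         # gid 0 / sid 0
SUPPRESS_A = Suppress(1, SID, "by_src", "10.0.0.5")                             # comment #4


def scenarios():
    return {
        "rule_only": run(SID, RULE_THRESHOLD, [], [], EVENTS),
        "event_filter_overrides": run(SID, RULE_THRESHOLD, [EVENT_FILTER], [], EVENTS),
        "wildcard_ignored": run(SID, RULE_THRESHOLD, [WILDCARD], [], EVENTS),
        "suppress_one_src": run(SID, RULE_THRESHOLD, [], [SUPPRESS_A], EVENTS),
    }


if __name__ == "__main__":
    for name, alerts in scenarios().items():
        print(f"{name:24} {len(alerts)} alert(s): {alerts}")
```

With the rule alone, 10.0.0.5 triggers on its 10th and 20th match and 10.0.0.6 on its 10th; the single-signature event_filter replaces that with one alert per source, which is the "1 alert" comment #5 expected; the gid 0/sid 0 wildcard leaves the rule's threshold untouched; and the suppress line removes 10.0.0.5 entirely while 10.0.0.6 still alerts.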

#8 Updated by Victor Julien over 6 years ago

  • Target version changed from 1.4beta2 to 1.4beta3

#9 Updated by Victor Julien about 6 years ago

  • Target version changed from 1.4beta3 to 1.4rc1

#10 Updated by Victor Julien about 6 years ago

  • Target version changed from 1.4rc1 to 2.0rc2
  • % Done changed from 0 to 40

Partly fixed for 1.4, work continues in 1.5.

#11 Updated by Victor Julien about 5 years ago

  • Priority changed from Normal to Low

#12 Updated by Victor Julien almost 5 years ago

  • Target version changed from 2.0rc2 to 3.0RC2

#13 Updated by Victor Julien over 3 years ago

  • Target version changed from 3.0RC2 to Soon

#14 Updated by Andreas Herz over 1 year ago

With rate_filter there is also a demand to override or combine the settings within the threshold.config and the used rules. This should match our documentation that when the ratelimit is reached the new_action should be applied and also needs to stay in that mode until timeout is reached. At the moment it's overridden by the threshold settings within the rule. (summary from discussion on the oisf-users ML with topic [Oisf-users] threshold.conf with rate_limit or drop rules in 9/2017)
