File: threshold.conf

snort 2.3.3-11
# Configure Thresholding and Suppression
# ======================================
#
# Thresholding:
#
# This feature is used to reduce the number of logged alerts for noisy rules.
# This can be tuned to significantly reduce false alarms, and it can also be
# used to write a newer breed of rules. Thresholding commands limit the number
# of times a particular event is logged during a specified time interval.
# There are 3 types of thresholding:
#
#        1) Limit
#           Alert on the 1st M events during the time interval, then ignore
#           events for the rest of the time interval.
#        2) Threshold
#           Alert every M times we see this event during the time interval.
#        3) Both
#           Alert once per time interval after seeing M occurrences of the
#           event, then ignore any additional events during the time interval.
#
# Threshold commands are formatted as:
# threshold gen_id gen-id, sig_id sig-id, type limit|threshold|both, track by_src|by_dst, count n, seconds m
#
# Limit to logging 1 event per 60 seconds
# threshold gen_id 1, sig_id 1851, type limit, track by_src, count 1, seconds 60

# Global Threshold - Limit to logging 1 event per 60 seconds per IP triggering
# each rule (rules are gen_id 1).
# threshold gen_id 1, sig_id 0, type limit, track by_src, count 1, seconds 60

# Global Threshold - Limit to logging 1 event per 60 seconds per IP triggering
# any alert for any event generator
# threshold gen_id 0, sig_id 0, type limit, track by_src, count 1, seconds 60
#
# Thresholding does not need to be a stand-alone command, and can instead be
# written directly into a rule. Please see README.thresholding for more
# information on thresholding.
#
# Suppression:
#
# Suppression commands are standalone commands that reference generators and
# sids and IP addresses via a CIDR block. This allows a rule to be completely
# suppressed, or suppressed when the causative traffic is going to or coming
# from a specific IP or group of IP addresses.
#
#  Suppress this event completely
#
# suppress gen_id 1, sig_id 1852
#
#  Suppress this event from this IP
#
# suppress gen_id 1, sig_id 1852, track by_src, ip 10.1.1.54
#
#  Suppress this event to this CIDR block
#
# suppress gen_id 1, sig_id 1852, track by_dst, ip 10.1.1.0/24
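The following is an added example, not part of Snort or of this file: it parses threshold and suppress commands in the key/value form shown above and applies the documented limit, threshold and both semantics to a constructed stream of events. It assumes the keyword order used in the examples above and a simple fixed-window count per tracked address; real Snort's bookkeeping differs in detail.

```python
import ipaddress

def parse_command(line):
    # Parse "threshold k v, k v, ..." or "suppress k v, ..." into a dict
    # (assumption: one "key value" pair per comma-separated field, as in threshold.conf)
    cmd, _, rest = line.strip().partition(" ")
    if cmd not in ("threshold", "suppress"):
        raise ValueError("bad command: %r" % line)
    opts = {"cmd": cmd}
    for field in rest.split(","):
        key, val = field.split()
        opts[key] = int(val) if val.isdigit() else val
    return opts

def suppressed(opts, gen_id, sig_id, src, dst):
    # True when the event matches the suppress command and, if given, its CIDR
    if (gen_id, sig_id) != (opts["gen_id"], opts["sig_id"]):
        return False
    if "ip" not in opts:
        return True                             # suppressed regardless of address
    ip = src if opts["track"] == "by_src" else dst
    return ipaddress.ip_address(ip) in ipaddress.ip_network(opts["ip"], strict=False)

class Thresholder:
    # Fixed-window model of the documented limit/threshold/both semantics
    # (an approximation for illustration, not Snort's own implementation)
    def __init__(self, opts):
        self.opts, self.windows = opts, {}      # tracked ip -> (window start, count)

    def log(self, t, src, dst):
        # True if the event seen at time t should be logged
        key = src if self.opts["track"] == "by_src" else dst
        start, n = self.windows.get(key, (None, 0))
        if start is None or t - start >= self.opts["seconds"]:
            start, n = t, 0                     # open a new interval
        n += 1
        self.windows[key] = (start, n)
        kind, m = self.opts["type"], self.opts["count"]
        if kind == "limit":
            return n <= m                       # first M events per interval
        if kind == "threshold":
            return n % m == 0                   # every Mth occurrence
        return n == m                           # both: once, on the Mth

# Constructed sample stream of (time, src, dst) hits for one rule
EVENTS = [(0, "10.1.1.54", "10.0.0.1"), (5, "10.1.1.55", "10.0.0.1"),
          (10, "10.1.1.54", "10.0.0.1"), (20, "10.1.1.54", "10.0.0.1"),
          (30, "10.1.1.54", "10.0.0.1"), (70, "10.1.1.54", "10.0.0.1")]

def run(command, events=EVENTS):
    # Apply one threshold command to the stream; returns the per-event log decisions
    th = Thresholder(parse_command(command))
    return [th.log(*e) for e in events]
```

With the file's "count 1, seconds 60" limit command, only the first hit per source in each 60 second window is logged; the same stream under type threshold or both shows how the other two types differ.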