Feature #122
closed
Add support for event_filter/rate_filter
Added by Will Metcalf over 14 years ago.
Updated over 14 years ago.
Description
If thresholding is truly going away in a future version of snort, we need to create task(s) to support at a minimum event_filter and optionally rate_filter.
The event_filter portion of this is covered by task 130. I would add one clarification in that for the time being we should be able to use event_filter and threshold within the config file interchangeably. A task should be created for rate_filter.
From the snort manual... We currently don't have support for rate_filter:
"Format
event_filter \
gen_id <gid>, sig_id <sid>, \
type <limit|threshold|both>, \
track <by_src|by_dst>, \
count <c>, seconds <s>
threshold \
gen_id <gid>, sig_id <sid>, \
type <limit|threshold|both>, \
track <by_src|by_dst>, \
count <c>, seconds <s>
threshold is an alias for event filter. Both formats are equivalent and support the options described below - all
are required. threshold is deprecated and will not be supported in future releases."
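As an added example (not part of this issue or of the Suricata source), the following Python code parses the threshold.config syntax quoted above, accepting threshold as an alias of event_filter and rejecting lines that lack any of the six required options, and then applies the limit/threshold/both semantics to a constructed alert stream. Function names, the sample config and the simple fixed-window counting are my assumptions.

```python
from collections import defaultdict

# Constructed sample in the syntax quoted above; "threshold" is an alias for "event_filter"
SAMPLE_CONFIG = """
event_filter gen_id 1, sig_id 2001, type limit, track by_src, count 2, seconds 60
threshold gen_id 1, sig_id 2002, \\
    type threshold, track by_dst, count 3, seconds 10
"""
REQUIRED = ("gen_id", "sig_id", "type", "track", "count", "seconds")

def parse_config(text):
    # returns {(gen_id, sig_id): options}; every option is mandatory
    filters = {}
    for line in text.replace("\\\n", " ").splitlines():  # join continuations
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        keyword, _, body = line.partition(" ")
        if keyword not in ("event_filter", "threshold"):
            raise ValueError("unsupported keyword: %s" % keyword)
        opts = dict(item.split() for item in body.split(","))
        missing = [k for k in REQUIRED if k not in opts]
        if missing:
            raise ValueError("%s is missing %s" % (keyword, ", ".join(missing)))
        if opts["type"] not in ("limit", "threshold", "both") or \
                opts["track"] not in ("by_src", "by_dst"):
            raise ValueError("bad type/track in: %s" % line)
        for k in ("gen_id", "sig_id", "count", "seconds"):
            opts[k] = int(opts[k])
        filters[(opts["gen_id"], opts["sig_id"])] = opts
    return filters

class EventFilter:
    def __init__(self, filters):
        self.filters = filters
        self.state = defaultdict(lambda: [None, 0])  # key -> [window start, count]

    def should_log(self, gen_id, sig_id, src, dst, ts):
        # True if the alert passes the filter configured for (gen_id, sig_id)
        f = self.filters.get((gen_id, sig_id))
        if f is None:
            return True  # no filter configured: always log
        key = (gen_id, sig_id, src if f["track"] == "by_src" else dst)
        st = self.state[key]
        if st[0] is None or ts - st[0] >= f["seconds"]:
            st[0], st[1] = ts, 0  # window expired: start a new one
        st[1] += 1
        if f["type"] == "limit":      # first <count> events per window
            return st[1] <= f["count"]
        if f["type"] == "threshold":  # every <count>-th event per window
            return st[1] % f["count"] == 0
        return st[1] == f["count"]    # both: once per window, on the count-th
```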
- Due date changed from 05/16/2010 to 06/04/2010
- Target version changed from 1.0.0 to 0.9.2
- Estimated time set to 0.00 h
Will, what needs to be done for this?
It appears that we already have support for event_filter. Does it work like it should?
event_filter is indeed added, although it is currently not working due to a bug; see issue #172. We don't have support for rate_filter, but maybe this can be moved to PII.
- Status changed from New to Closed
- Assignee changed from Victor Julien to Pablo Rincon
Patch by Pablo Rincon applied and pushed out.