Snort - Tune Alarms

From open-voip.org

Jump to: navigation, search

Configure Thresholding and Suppression

Event filter - Thresholding:

This feature is used to reduce the number of logged alerts for noisy rules. This can be tuned to significantly reduce false alarms, and it can also be used to write a newer breed of rules. Thresholding commands limit the number of times a particular event is logged during a specified time interval.

There are 3 types of event_filters:

  • 1) Limit

Alert on the 1st M events during the time interval, then ignore events for the rest of the time interval.

  • 2) Threshold

Alert every M times we see this event during the time interval.

  • 3) Both

Alert once per time interval after seeing M occurrences of the event, then ignore any additional events during the time interval.

Threshold commands are formatted as:

event_filter gen_id gen-id, sig_id sig-id, \
     type limit|threshold|both, track by_src|by_dst, \
     count n , seconds m

Limit to logging 1 event per 60 seconds:

event_filter gen_id 1, sig_id 1851, type limit, \
track by_src, count 1, seconds 60

Global Threshold - Limit to logging 1 event per 60 seconds per IP triggering

each rule (rules are gen_id 1):
event_filter gen_id 1, sig_id 0, type limit, track by_src, count 1, seconds 60

Global Threshold - Limit to logging 1 event per 60 seconds per IP triggering

any alert for any event generator:
event_filter gen_id 0, sig_id 0, type limit, track by_src, count 1, seconds 60

Suppression:

Suppression commands are standalone commands that reference generators and sids and IP addresses via a CIDR block (or IP list). This allows a rule to be completely suppressed, or suppressed when the causitive traffic is going to or comming from a specific IP or group of IP addresses.

Suppress this event completely:

suppress gen_id 1, sig_id 1852

Suppress this event from this IP:

suppress gen_id 1, sig_id 1852, track by_src, ip 10.1.1.54

Suppress this event to this CIDR block:

suppress gen_id 1, sig_id 1852, track by_dst, ip 10.1.1.0/24

rate filter

rate filter provides rate based attack prevention by allowing users to configure a new action to take for a specified time when a given rate is exceeded. Multiple rate filters can be defined on the same rule, in which case they are evaluated in the order they appear in the configuration file, and the first applicable action is taken. Format Rate filters are used as standalone configurations (outside of a rule) and have the following format:

rate_filter \
gen_id <gid>, sig_id <sid>, \
track <by_src|by_dst|by_rule>, \
count <c>, seconds , \
new_action alert|drop|pass|log|sdrop|reject, \
timeout <seconds> \
[, apply_to <ip-list>]
Personal tools