Snort - the de facto standard for intrusion detection/prevention


Event Thresholding

Event thresholding can be used to reduce the number of logged alerts for noisy rules. This can be tuned to significantly reduce false alarms, and it can also be used to write a newer breed of rules. Thresholding commands limit the number of times a particular event is logged during a specified time interval.

There are 3 types of thresholding:

  • limit

    Alerts on the 1st m events during the time interval, then ignores events for the rest of the time interval.

  • threshold

    Alerts every m times we see this event during the time interval.

  • both

    Alerts once per time interval after seeing m occurrences of the event, then ignores any additional events during the time interval.

Thresholding commands can be included as part of a rule, or you can use standalone threshold commands that reference the generator and SID they are applied to. There is no functional difference between adding a threshold to a rule and using a separate threshold command applied to the same rule. There is a logical difference. Some rules may only make sense with a threshold. These should incorporate the threshold command into the rule. For instance, a rule for detecting too many login password attempts may require more than 5 attempts. This can be done using the `limit' type of threshold command. It makes sense that the threshold feature is an integral part of this rule.
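As an added illustration (not code from the Snort manual or the Snort project), the following Python simulation replays a constructed event stream through each of the three threshold types with count 5 and seconds 60, tracking state per source address. The timestamps, IP addresses and the window-reset details are assumptions, simplified from Snort's actual implementation.

```python
from collections import defaultdict

# Constructed event stream for one generator/SID pair: (timestamp in seconds, source IP).
# 10.0.0.5 fires the rule every 5 s for a minute, then twice more after the window has passed.
EVENTS = sorted(
    [(t, "10.0.0.5") for t in range(0, 60, 5)]
    + [(70, "10.0.0.5"), (75, "10.0.0.5")]
    + [(12, "10.0.0.9"), (13, "10.0.0.9")]
)


class Threshold:
    """Per-source state for one threshold (type limit|threshold|both, count m, seconds)."""

    def __init__(self, thresh_type, count, seconds):
        if thresh_type not in ("limit", "threshold", "both"):
            raise ValueError(f"unknown threshold type {thresh_type!r}")
        self.type, self.count, self.seconds = thresh_type, count, seconds
        self.state = {}  # tracked key -> (window_start, events_seen_in_window)

    def check(self, t, key):
        """Return True if the event at time t for this tracked key should be logged."""
        start, n = self.state.get(key, (None, 0))
        if start is None or t - start >= self.seconds:
            start, n = t, 0          # first event, or old window expired: start a new one
        n += 1
        self.state[key] = (start, n)
        if self.type == "limit":     # log the first m events of the window, drop the rest
            return n <= self.count
        if self.type == "threshold": # log every m-th event; counting starts over after a log
            if n >= self.count:
                del self.state[key]
                return True
            return False
        return n == self.count       # both: log once when m is reached, then stay quiet


def simulate(thresh_type, count, seconds, events=EVENTS):
    """Replay events through a threshold; returns {src: [times that were logged]}."""
    thr = Threshold(thresh_type, count, seconds)
    logged = defaultdict(list)
    for t, src in events:
        if thr.check(t, src):
            logged[src].append(t)
    return dict(logged)


if __name__ == "__main__":
    for kind in ("limit", "threshold", "both"):
        print(f"{kind:>9}: {simulate(kind, 5, 60)}")
```

Running it shows the 14 raw hits from 10.0.0.5 collapsing to seven logged alerts under `limit', two under `threshold' and one under `both', while the quiet host 10.0.0.9 is only ever logged under `limit'.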

In order for rule thresholds to apply properly, these rules must contain a SID.

Only one threshold may be applied to any given generator and SID pair. If more than one threshold is applied to a generator and SID pair, Snort will terminate with an error while reading the configuration information.



Steven Sturges 2006-12-08