Netgate Discussion Forum

    Snort as IPS - Blocking threshold

      Guest

      Hello,

      Just wondering if there is currently any option that allows setting up a threshold for the Snort block offenders feature?

      For example, I use some rules such as 1:2017616 ET SCAN NETWORK, which should create a drop rule only after multiple occurrences have been captured by the Snort IDS.

      Thanks in advance

        BBcan177 Moderator

        You can refine the Portscan Detection in the Pre-Processor Tab in Snort to adjust the sensitivity and also ignore certain IPs.

        Can also manually create rules with the "threshold" setting:
        http://manual-snort-org.s3-website-us-east-1.amazonaws.com/node35.html

        However, it's not something that currently exists in the GUI to set as an option…

        "Experience is something you don't get until just after you need it."

        Website: http://pfBlockerNG.com
        Twitter: @BBcan177  #pfBlockerNG
        Reddit: https://www.reddit.com/r/pfBlockerNG/new/

          bmeeks

          In a similar vein to manually creating rules as BBcan177 suggested, you can also manually create/edit a Suppress List and add thresholding values to GID:SID pairs.  After creating/editing the suppress list, make sure it is selected as "active" on the INTERFACE SETTINGS tab, and then restart Snort on the interface.

          Go to the SUPPRESS tab and either edit an existing list or create a new one and add the new threshold rule.

          Bill

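A simplified model of the thresholding entry bmeeks describes, as an added example that is not part of the original thread or of the Snort package: it parses one line in Snort 2.9 `event_filter` syntax and reports which alerts from a constructed event stream for SID 2017616 would still be logged. Assumptions: the Suppress List accepts `event_filter` lines, blocking follows logged alerts, and the count/seconds values and IP addresses are made up for the illustration.

```python
import re

# Constructed suppress-list entry (Snort 2.9 event_filter syntax); the count and
# seconds values are examples, the SID is the one from the question.
ENTRY = "event_filter gen_id 1, sig_id 2017616, type both, track by_src, count 5, seconds 60"

def parse_filter(line):
    """Parse one event_filter (or legacy threshold) line into a dict."""
    keyword, _, rest = line.strip().partition(" ")
    if keyword not in ("event_filter", "threshold"):
        raise ValueError("not a thresholding line: %r" % line)
    opts = dict(re.split(r"\s+", p.strip(), maxsplit=1) for p in rest.split(","))
    if opts["type"] not in ("limit", "threshold", "both"):
        raise ValueError("unknown type: %r" % opts["type"])
    if opts["track"] not in ("by_src", "by_dst"):
        raise ValueError("unknown track: %r" % opts["track"])
    return {"gid": int(opts["gen_id"]), "sid": int(opts["sig_id"]),
            "type": opts["type"], "track": opts["track"],
            "count": int(opts["count"]), "seconds": int(opts["seconds"])}

def alerts_logged(flt, events):
    """Return the events that still raise an alert once the filter is applied.

    events: (timestamp, src, dst, gid, sid) tuples sorted by timestamp.
    Simplified model: one fixed window per tracked IP, restarted on expiry.
    """
    windows, logged = {}, []          # tracked IP -> [window_start, hits]
    for ev in events:
        ts, src, dst, gid, sid = ev
        if (gid, sid) != (flt["gid"], flt["sid"]):
            logged.append(ev)         # other rules are not thresholded
            continue
        key = src if flt["track"] == "by_src" else dst
        win = windows.get(key)
        if win is None or ts - win[0] >= flt["seconds"]:
            win = windows[key] = [ts, 0]
        win[1] += 1
        hits, count = win[1], flt["count"]
        if flt["type"] == "limit":        # first N per window, then silence
            emit = hits <= count
        elif flt["type"] == "threshold":  # every Nth event in the window
            emit = hits % count == 0
        else:                             # "both": once per window, at the Nth
            emit = hits == count
        if emit:
            logged.append(ev)
    return logged

# Constructed events: one source hits the rule 7 times, another only twice.
SAMPLE = sorted([(t, "203.0.113.7", "192.0.2.10", 1, 2017616) for t in range(0, 35, 5)]
                + [(t, "198.51.100.9", "192.0.2.10", 1, 2017616) for t in (12, 40)])
```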
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.