Snort as IPS - Blocking threshold



  • Hello,

    just wondering if there is currently any option that allows setting-up a threshold for the snort block offenders feature?

    For example i use some rules such as 1:2017616 ET SCAN NETWORK, which should create a drop rule only after multiple occurrences have been captured by the snort IDS.

    Thanks in advance


  • Moderator

    You can refine the Portscan Detection in the Pre-Processor Tab in Snort to adjust the sensitivity and also ignore certain IPs.

    Can also manually create rules with the "threshold" setting:
    http://manual-snort-org.s3-website-us-east-1.amazonaws.com/node35.html

    However, its not something that currently exists in the GUI to set as an option…



  • In a similar vein to manually creating rules as BBcan177 suggested, you can also manually create/edit a Suppress List and add thresholding values to GID:SID pairs.  After creating/editing the suppress list, make sure it is selected as "active" on the INTERFACE SETTINGS tab, and then restart Snort on the interface.

    Go to the SUPPRESS tab and either edit an existing list or create a new one and add the new threshold rule.

    Bill


Log in to reply