4. Snort as IPS - Blocking threshold

Snort as IPS - Blocking threshold

  • ?

    Hello,

    just wondering if there is currently any option that allows setting-up a threshold for the snort block offenders feature?

    For example i use some rules such as 1:2017616 ET SCAN NETWORK, which should create a drop rule only after multiple occurrences have been captured by the snort IDS.

    Thanks in advance

    0
  • Moderator

    You can refine the Portscan Detection in the Pre-Processor Tab in Snort to adjust the sensitivity and also ignore certain IPs.

    Can also manually create rules with the "threshold" setting:
    http://manual-snort-org.s3-website-us-east-1.amazonaws.com/node35.html

    However, its not something that currently exists in the GUI to set as an option…

    0

  • In a similar vein to manually creating rules as BBcan177 suggested, you can also manually create/edit a Suppress List and add thresholding values to GID:SID pairs.  After creating/editing the suppress list, make sure it is selected as "active" on the INTERFACE SETTINGS tab, and then restart Snort on the interface.

    Go to the SUPPRESS tab and either edit an existing list or create a new one and add the new threshold rule.

    Bill

    0
Log in to reply
 

Products

Services

Support

News

Resources

Company

Our Mission

We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive for past announcements.

© Copyright 2019 Rubicon Communications, LLC | Privacy Policy