Snort: Global Threshold



  • Hello,
    I am totally new to this forum. I am using pfSense v.1.2.3-Release, and I found it very useful that Snort is integrated and blocks attacks/intruders.

    I would like to activate also the "Block offenders" option, but if I just enable it I will have a lot of false positives, or people that get banned from my network just because they made a mistake accessing their POP3 account.

    So I found out the magic word: Global Threshold. I would like pfSense to block the attacking IP only if more than n events are reported from that IP in t seconds, so I wrote the following rule:

    threshold gen_id 0, sig_id 0, type both, count 40, seconds 600

    in order to block the IPs that generate more than 40 events in 10 minutes (all the events managed by Snort), but unfortunately it doesn't work (IPs are banned at the first event).

    How can I solve this?

    Thanks a lot,
    Michele



  • OK, I made it…

    event_filter gen_id 0, sig_id 0, type both, track by_src, count 40, seconds 600

    Also, the Snort service needs to be restarted to apply a change to the suppression file...

    Hope this will be useful to the community.

    Michele
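The counting behaviour behind the `event_filter` line above (per-source window, `count` events in `seconds`), as an added example that is not part of the thread: a small Python model of Snort's `limit`, `threshold` and `both` filter types run over constructed alert records. The timestamps, IPs and the exact window-reset rule are assumptions made here for illustration, not taken from Snort's source.

```python
from typing import List, Tuple

# Constructed sample alerts (seconds since start, source IP); not a real log.
# 203.0.113.5 fires 45 events one second apart, 198.51.100.7 only two.
SAMPLE_ALERTS: List[Tuple[int, str]] = (
    [(t, "203.0.113.5") for t in range(45)]
    + [(10, "198.51.100.7"), (20, "198.51.100.7")]
)


def event_filter(alerts, count, seconds, kind="both"):
    """Model of `event_filter ... type <kind>, track by_src, count N, seconds T`.

    kind="limit":     log the first `count` events per source per window.
    kind="threshold": log every `count`-th event per source per window.
    kind="both":      log once per window, when the `count`-th event arrives,
                      then ignore the rest of that window.
    A window is assumed to start at a source's first event and is reset once
    `seconds` have elapsed since that start.
    Returns the (timestamp, src) alerts that would still be logged (and so
    would reach pfSense's "Block offenders" action).
    """
    window = {}  # src -> (window_start, events_seen_in_window)
    logged = []
    for ts, src in sorted(alerts):
        start, seen = window.get(src, (None, 0))
        if start is None or ts - start >= seconds:
            start, seen = ts, 0  # new window begins with this event
        seen += 1
        window[src] = (start, seen)
        if kind == "limit":
            fire = seen <= count
        elif kind == "threshold":
            fire = seen % count == 0
        elif kind == "both":
            fire = seen == count
        else:
            raise ValueError(f"unknown filter type: {kind}")
        if fire:
            logged.append((ts, src))
    return logged


def blocked_sources(alerts, count, seconds, kind="both"):
    """Distinct source IPs that would be passed to the block action."""
    return sorted({src for _, src in event_filter(alerts, count, seconds, kind)})


if __name__ == "__main__":
    # With no filter every source is blocked on its first event; with the
    # thread's settings only the noisy source crosses 40 events in 600 s.
    print("unfiltered:", blocked_sources(SAMPLE_ALERTS, 1, 600, "limit"))
    print("count 40 / 600 s, both:", blocked_sources(SAMPLE_ALERTS, 40, 600))
```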



  • Thank you so unbelievably very much for this. Super helpful, tbh. I've been so frustrated sometimes by false positives. Thumbs up for this!

