README.thresholding

THRESHOLDING AND EVENT SUPPRESSION IN SNORT 

** This document describes the 'threshold' and 'suppress' keywords.  'threshold'
** is deprecated as of version 2.8.5.  'event_filter' should be used instead.
** See README.filters for more information.

A rule thresholding feature has been added to SNORT.  This feature is used to
reduce the number of logged alerts for noisy rules.  This can be tuned to
significantly reduce false alarms, and it can also be used to write a newer
breed of rules. Thresholding commands limit the number of times a particular
event is logged during a specified time interval. 

Global thresholding has also been added. This allows you to specify a
threshold for every rule.  Standard thresholding tests are applied 1st to an
event, if they do not block a rule from being logged than the global
thresholding test is applied - thresholds in a rule will always override a global.

Event suppression stops specified events from firing without removing the rule
from the rule base. Suppression uses a CIDR block notation to select specific
networks and users for suppression.  Suppression tests are performed prior to
either standard or global thresholding tests.

There are 3 types of thresholding:

1) Limit 
   Alert on the 1st M events during the time interval, then ignore events
   for the rest of the time interval.

2) Threshold 
   Alert every M times we see this event during the time interval.

3) Both 
   Alert once per time interval after seeing M occurrences of the event,
   then ignore any additional events during the time interval.
 
All tracking is by Src or by Dst IP, we do not track ports or anything else.

Thresholding commands can be included as part of a rule, or you can use
standalone threshold commands that reference the generator and sid  they are
applied to. There is no functional difference between adding a threshold to a
rule, or using a separate threshold command applied to the same rule.   There
is a logical difference.  Some rules may only make sense with a threshold.
These should incorporate the threshold command into the rule.  For instance a
rule for detecting a too many login password attempts may require more than 5
attempts.  This can be done using the 'limit' type of threshold command.  It
makes sense that the threshold feature is an integral part of this rule.

Suppression commands are standalone commands that reference generator's and
sid's and IP addresses via an IP list. This allows a rule to be completely
suppressed, or suppressed when the causative traffic is going to or coming
from a specific IP or group of IP addresses.

Events in SNORT are generated in the usual way, thresholding and event
suppression are handled as part of the output system.

You may apply only one threshold to any given sid, but you may apply multiple
suppression commands to a sid.  You may also combine one threshold command and
several suppression commands to the same sid.  If you try to apply more than
one threshold command to a sid, SNORT will terminate while reading the
configuration information. 

 
THRESHOLDING CONFIGURATION COMMAND:
----------------------------------- 

config threshold: memcap 3000000
	
The memcap parameter is specified in bytes.


THRESHOLD RULE FORMAT:
---------------------

threshold: type limit|threshold|both, track by_src|by_dst, count n , seconds m ;
 

THRESHOLD RULE OPTION PARAMETERS:
--------------------------------

threshold       keyword to start a threshold command in a rule. 

This format supports 4 threshold options - all are required.

    type		limit, threshold, both
    track		by_src , by_dst
    count		n : number events used by the thresholding
    seconds		m : time period over which count is accrued.


EXAMPLE RULES:
--------------

This rule logs the 1st event of this sid every 60 seconds

    alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC robots.txt access"; flow:to_server, established; uricontent:"/robots.txt"; nocase; reference:nessus,10302; classtype:web-application-activity; threshold: type limit, track by_src, count 1 , seconds 60 ; sid:1852; rev:1;)
 

This rule logs every 10th event on this sid during a 60 second interval, so if
less than 10 occur in 60 seconds, nothing gets logged.  Once an event is
logged, a new time period starts for type=threshold.

    alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC robots.txt access"; flow:to_server, established; uricontent:"/robots.txt"; nocase; reference:nessus,10302; classtype:web-application-activity; threshold: type threshold, track by_dst, count 10 , seconds 60 ; sid:1852; rev:1;)


This rule logs at most one event every 60 seconds if at least 10 events on this
sid are fired.

    alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC robots.txt access"; flow:to_server, established; uricontent:"/robots.txt"; nocase; reference:nessus,10302; classtype:web-application-activity; threshold: type both , track by_dst, count 10 , seconds 60 ; sid:1852; rev:1;)


THRESHOLD COMMAND FORMAT:
-------------------------

threshold gen_id gen-id, sig_id sig-id, type limit|threshold|both, track by_src|by_dst, count n , seconds m  


THRESHOLD COMMAND PARAMETERS:
----------------------------

This format supports 6 threshold options - all are required.

gen_id  gen-id 
sig_id  sig-id
type    limit, threshold, both
track   by_src, by_dst
count   n 
seconds m


GLOBAL THRESHOLDING COMMAND:
----------------------------

The global threshold options are the same as the standard threshold options
with the exception of the 'sig_id' field.  The sig_id field must be set to 0 to
indicate this threshold command applies to all sig_id values with the specified
gen_id. To apply the same threshold to all gen_id's at the same time, and with
just one command specify a value of gen_id=0.


GLOBAL THRESHOLD COMMAND FORMAT:
--------------------------------

threshold gen_id gen-id, sig_id 0, \
    type limit|threshold|both, \
    track by_src|by_dst, \
    count n , seconds m  

or 

threshold gen_id 0 , sig_id 0, \
    type limit|threshold|both, \
    track by_src|by_dst, \
    count n , seconds m  


THRESHOLD EXAMPLES:
------------------

# Rule Threshold - Limit to logging 1 event per 60 seconds
threshold gen_id 1, sig_id 1851, type limit, track by_src, count 1, seconds 60


# Rule Threshold - Limit to logging every 3rd event
threshold gen_id 1, sig_id 1852, type threshold, track by_src, count 3, seconds 60

# Rule Threshold - Limit to logging just 1 event per 60 seconds, but only if 
# we exceed 30 events in 60 seconds
threshold gen_id 1, sig_id 1853, type both, track by_src,  count 30, seconds 60


# Global Threshold - Limit to logging 1 event per 60 seconds per IP triggering 
# each rule
threshold gen_id 1, sig_id 0, type limit, track by_src, count 1, seconds 60

# Global Threshold - Limit to logging 1 event per 60 seconds per IP triggering 
# each rule for each event generator
threshold gen_id 0, sig_id 0, type limit, track by_src, count 1, seconds 60

 
SUPPRESS COMMAND FORMAT:
-----------------------
suppress gen_id gen-id, sid_id sid-id, track by_src|by_dst, ip ip-list


SUPPRESS COMMAND PARAMETERS:
---------------------------

The suppress command supports either 2 or 4 options 
 
gen_id     gen-id            # always required 
sig_id     sig-id            # always required
track      by_src | by_dst   # optional - 4 option version
ip         ip-list           # optional - 4 option version


SUPPRESS EXAMPLES:
----------------- 

# Suppress this event completely
suppress gen_id 1, sig_id 1852

# Suppress this event from this IP
suppress gen_id 1, sig_id 1852, track by_src, ip 10.1.1.54

# Suppress this event to this CIDR block
suppress gen_id 1, sig_id 1852, track by_dst, ip 10.1.1.0/24