Current state of Sharingan role -- still need to add rkhunter
This commit is contained in:
69
roles/Sharingan/files/suricata/threshold.config
Normal file
69
roles/Sharingan/files/suricata/threshold.config
Normal file
@@ -0,0 +1,69 @@
|
||||
# Configure Thresholding and Suppression
|
||||
# ======================================
|
||||
#
|
||||
# The threshold command is deprecated. Use detection_filter for thresholds
|
||||
# within a rule and event_filter for standalone threshold configurations.
|
||||
# Please see README.filters for more information on filters.
|
||||
#
|
||||
# Thresholding:
|
||||
#
|
||||
# This feature is used to reduce the number of logged alerts for noisy rules.
|
||||
# This can be tuned to significantly reduce false alarms, and it can also be
|
||||
# used to write a newer breed of rules. Thresholding commands limit the number
|
||||
# of times a particular event is logged during a specified time interval.
|
||||
#
|
||||
# There are 3 types of event_filters:
|
||||
#
|
||||
# 1) Limit
|
||||
# Alert on the 1st M events during the time interval, then ignore
|
||||
# events for the rest of the time interval.
|
||||
#
|
||||
# 2) Threshold
|
||||
# Alert every M times we see this event during the time interval.
|
||||
#
|
||||
# 3) Both
|
||||
# Alert once per time interval after seeing M occurrences of the
|
||||
# event, then ignore any additional events during the time interval.
|
||||
#
|
||||
# Threshold commands are formatted as:
|
||||
#
|
||||
# event_filter gen_id gen-id, sig_id sig-id, \
|
||||
# type limit|threshold|both, track by_src|by_dst, \
|
||||
# count n , seconds m
|
||||
#
|
||||
# Limit to logging 1 event per 60 seconds:
|
||||
#
|
||||
# event_filter gen_id 1, sig_id 1851, type limit, \
|
||||
# track by_src, count 1, seconds 60
|
||||
#
|
||||
# Global Threshold - Limit to logging 1 event per 60 seconds per IP triggering
|
||||
# each rule (rules are gen_id 1):
|
||||
#
|
||||
# event_filter gen_id 1, sig_id 0, type limit, track by_src, count 1, seconds 60
|
||||
#
|
||||
# Global Threshold - Limit to logging 1 event per 60 seconds per IP triggering
|
||||
# any alert for any event generator:
|
||||
#
|
||||
# event_filter gen_id 0, sig_id 0, type limit, track by_src, count 1, seconds 60
|
||||
#
|
||||
# Suppression:
|
||||
#
|
||||
# Suppression commands are standalone commands that reference generators and
|
||||
# sids and IP addresses via a CIDR block (or IP list). This allows a rule to be
|
||||
# completely suppressed, or suppressed when the causitive traffic is going to
|
||||
# or comming from a specific IP or group of IP addresses.
|
||||
#
|
||||
# Suppress this event completely:
|
||||
#
|
||||
# suppress gen_id 1, sig_id 1852
|
||||
#
|
||||
# Suppress this event from this IP:
|
||||
#
|
||||
# suppress gen_id 1, sig_id 1852, track by_src, ip 10.1.1.54
|
||||
#
|
||||
# Suppress this event to this CIDR block:
|
||||
#
|
||||
# suppress gen_id 1, sig_id 1852, track by_dst, ip 10.1.1.0/24
|
||||
#
|
||||
# working example from iggbsd2 snort:
|
||||
#suppress gen_id 122, sig_id 17, track by_src, ip 172.16.0.2
|
||||
Reference in New Issue
Block a user