Snort provides a variety of mechanisms to tune event processing to suit your needs:
- You can use detection filters to specify a threshold that must be exceeded before a rule generates an event. This is covered in section .
- You can use rate filters to change a rule action when the number or rate of events indicates a possible attack.
- You can use event filters to reduce the number of logged events for noisy rules. This can be tuned to significantly reduce false alarms.
- You can completely suppress the logging of uninteresting events.
rate_filter provides rate-based attack prevention by allowing users to configure a new action to take for a specified time when a given rate is exceeded. Multiple rate filters can be defined on the same rule, in which case they are evaluated in the order they appear in the configuration file, and the first applicable action is taken.
Rate filters are used as standalone configurations (outside of a rule) and have the following format:
```
rate_filter \
    gen_id <gid>, sig_id <sid>, \
    track <by_src|by_dst|by_rule>, \
    count <c>, seconds <s>, \
    new_action alert|drop|pass|log|sdrop|reject, \
    timeout <seconds> \
    [, apply_to <ip-list>]
```
The options are described in the table below. All are required except apply_to, which is optional.
Option | Description |
---|---|
track by_src | by_dst | by_rule | rate is tracked either by source IP address, destination IP address, or by rule. This means the match statistics are maintained for each unique source IP address, for each unique destination IP address, or they are aggregated at rule level. For rules related to Stream sessions, source and destination means client and server respectively. track by_rule and apply_to may not be used together. |
count c | the maximum number of rule matches in s seconds before the rate filter limit is exceeded. c must be a nonzero value. |
seconds s | the time period over which count is accrued. 0 seconds means count is a total count instead of a specific rate. For example, rate_filter may be used to detect if the number of connections to a specific server exceeds a specific count. 0 seconds only applies to internal rules (gen_id 135); any other use will produce a fatal error in Snort. |
new_action alert | drop | pass | log | sdrop | reject | new_action replaces the rule action for t seconds. drop, reject, and sdrop can be used only when Snort is run in inline mode. sdrop and reject are conditionally compiled with GIDS. |
timeout t | revert to the original rule action after t seconds. If t is 0, the rule action is never reverted. An event_filter may be used to manage the number of alerts after the rule action has been changed by rate_filter. |
apply_to <ip-list> | restrict the configuration to only the source or destination IP addresses (indicated by the track parameter) contained in <ip-list>. track by_rule and apply_to may not be used together. Note that events are generated during the timeout period, even if the rate falls below the configured limit. |
Example 1 - allow a maximum of 100 connection attempts per second from any one IP address, and block further connection attempts from that IP address for 10 seconds:

```
rate_filter \
    gen_id 135, sig_id 1, \
    track by_src, \
    count 100, seconds 1, \
    new_action drop, timeout 10
```

Example 2 - allow a maximum of 100 successful simultaneous connections from any one IP address, and block further connections from that IP address for 10 seconds:

```
rate_filter \
    gen_id 135, sig_id 2, \
    track by_src, \
    count 100, seconds 0, \
    new_action drop, timeout 10
```
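The following Python model, added here as an illustration and not part of Snort or its manual, reproduces the rate_filter semantics described above: matches are counted per tracking key inside a sliding window of `seconds` (or as a running total when `seconds` is 0), the action switches to `new_action` once more than `count` matches land in the window, and it stays switched for `timeout` seconds even if the rate drops, with `timeout 0` meaning never revert. The class name, method names and the sample addresses are assumptions made for this example; `apply_to` is modelled as a list of CIDR strings rather than Snort's own IP-list syntax.

```python
import ipaddress
from collections import defaultdict, deque


class RateFilter:
    """Model of a Snort rate_filter (illustrative; not Snort's implementation).

    Matches are counted per tracking key (source, destination, or the rule as a
    whole) inside a sliding window of `seconds` (0 = running total). When more
    than `count` matches fall inside the window, `new_action` replaces the rule
    action for `timeout` seconds (0 = never revert).
    """

    def __init__(self, track, count, seconds, new_action, timeout, apply_to=None):
        if count <= 0:
            raise ValueError("count must be a nonzero value")
        if track == "by_rule" and apply_to is not None:
            raise ValueError("track by_rule and apply_to may not be used together")
        self.track, self.count, self.seconds = track, count, seconds
        self.new_action, self.timeout = new_action, timeout
        # apply_to given as CIDR strings (assumed form for this example)
        self.apply_to = [ipaddress.ip_network(n, strict=False) for n in (apply_to or [])]
        self.hits = defaultdict(deque)   # key -> match timestamps still in the window
        self.until = {}                  # key -> time at which the rule action is restored

    def _key(self, src, dst):
        return {"by_src": src, "by_dst": dst, "by_rule": "rule"}[self.track]

    def action(self, now, src, dst, rule_action="alert"):
        """Return the action to take for one rule match at time `now` (seconds)."""
        key = self._key(src, dst)
        if self.apply_to and not any(ipaddress.ip_address(key) in n for n in self.apply_to):
            return rule_action          # filter restricted to other addresses
        # Inside the timeout the new action is kept even though the rate may have fallen.
        until = self.until.get(key)
        if until is not None and now < until:
            return self.new_action
        window = self.hits[key]
        window.append(now)
        if self.seconds > 0:            # seconds 0: total count, nothing ever expires
            while window and window[0] <= now - self.seconds:
                window.popleft()
        if len(window) > self.count:
            self.until[key] = float("inf") if self.timeout == 0 else now + self.timeout
            window.clear()
            return self.new_action
        return rule_action


def example1():
    """Example 1 from above: 100 attempts per second, then drop for 10 s.

    Constructed input: 101 matches from one source inside half a second,
    then one match at 5 s (still in the timeout) and one at 11 s (reverted).
    """
    rf = RateFilter("by_src", 100, 1, "drop", 10)
    src, dst = "192.0.2.10", "198.51.100.1"       # constructed sample addresses
    burst = [rf.action(0.005 * i, src, dst) for i in range(101)]
    return burst[99], burst[100], rf.action(5.0, src, dst), rf.action(11.0, src, dst)


def example2():
    """Example 2 from above: seconds 0 counts a running total, so 101 matches
    spread over 100 seconds still trip the filter."""
    rf = RateFilter("by_src", 100, 0, "drop", 10)
    actions = [rf.action(float(t), "192.0.2.10", "198.51.100.1") for t in range(101)]
    return actions[-2], actions[-1]


if __name__ == "__main__":
    print("example 1:", example1())   # ('alert', 'drop', 'drop', 'alert')
    print("example 2:", example2())   # ('alert', 'drop')
```

Note how `example1` reports `drop` at 5 s although only a single match arrived in that second: that is the documented behaviour that the new action persists for the whole timeout period, not just while the rate is exceeded.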
Event filtering can be used to reduce the number of logged alerts for noisy rules by limiting the number of times a particular event is logged during a specified time interval. This can be tuned to significantly reduce false alarms.
There are 3 types of event filters:
- limit: alerts on the 1st m events during the time interval, then ignores events for the rest of the time interval.
- threshold: alerts every m times we see this event during the time interval.
- both: alerts once per time interval after seeing m occurrences of the event, then ignores any additional events during the time interval.
```
event_filter \
    gen_id <gid>, sig_id <sid>, \
    type <limit|threshold|both>, \
    track <by_src|by_dst>, \
    count <c>, seconds <s>
```

```
threshold \
    gen_id <gid>, sig_id <sid>, \
    type <limit|threshold|both>, \
    track <by_src|by_dst>, \
    count <c>, seconds <s>
```
threshold is an alias for event_filter. Both formats are equivalent and support the options described below; all are required. threshold is deprecated and will not be supported in future releases.
Option | Description |
---|---|
gen_id <gid> | Specify the generator ID of an associated rule. gen_id 0, sig_id 0 can be used to specify a "global" threshold that applies to all rules. |
sig_id <sid> | Specify the signature ID of an associated rule. sig_id 0 specifies a "global" filter because it applies to all sig_ids for the given gen_id. |
type limit|threshold|both | type limit alerts on the 1st m events during the time interval, then ignores events for the rest of the time interval. type threshold alerts every m times we see this event during the time interval. type both alerts once per time interval after seeing m occurrences of the event, then ignores any additional events during the time interval. |
track by_src|by_dst | rate is tracked either by source IP address or by destination IP address. This means a count is maintained for each unique source IP address, or for each unique destination IP address. Ports or anything else are not tracked. |
count c | number of rule matches in s seconds that will cause the event_filter limit to be exceeded. c must be a nonzero value. A value of -1 disables the event filter and can be used to override the global event_filter. |
seconds s | time period over which count is accrued. s must be a nonzero value. |
Note: Only one event_filter may be defined for a given gen_id, sig_id. If more than one event_filter is applied to a specific gen_id, sig_id pair, Snort will terminate with an error while reading the configuration information.

event_filters with sig_id 0 are considered "global" because they apply to all rules with the given gen_id. If gen_id is also 0, then the filter applies to all rules. (gen_id 0, sig_id != 0 is not allowed.) Standard filtering tests are applied first; if they do not block an event from being logged, the global filtering test is applied. Thresholds in a rule (deprecated) will override a global event_filter. Global event_filters do not override what's in a signature or a more specific stand-alone event_filter.

Note: event_filters can be used to suppress excessive rate_filter alerts; however, the first new_action event of the timeout period is never suppressed. Such events indicate a change of state that is significant to the user monitoring the network.
Limit logging to 1 event per 60 seconds:

```
event_filter \
    gen_id 1, sig_id 1851, \
    type limit, track by_src, \
    count 1, seconds 60
```

Limit logging to every 3rd event:

```
event_filter \
    gen_id 1, sig_id 1852, \
    type threshold, track by_src, \
    count 3, seconds 60
```

Limit logging to just 1 event per 60 seconds, but only if we exceed 30 events in 60 seconds:

```
event_filter \
    gen_id 1, sig_id 1853, \
    type both, track by_src, \
    count 30, seconds 60
```

Limit to logging 1 event per 60 seconds per IP triggering each rule (rule gen_id is 1):

```
event_filter \
    gen_id 1, sig_id 0, \
    type limit, track by_src, \
    count 1, seconds 60
```

Limit to logging 1 event per 60 seconds per IP, triggering each rule for each event generator:

```
event_filter \
    gen_id 0, sig_id 0, \
    type limit, track by_src, \
    count 1, seconds 60
```
Events in Snort are generated in the usual way; event filters are handled as part of the output system. Read gen-msg.map for details on gen ids.
Users can also configure a memcap for threshold with a "config:" option:

```
config event_filter: memcap <bytes>

# this is deprecated:
config threshold: memcap <bytes>
```
Event suppression stops specified events from firing without removing the rule from the rule base. Suppression uses an IP list to select specific networks and users for suppression. Suppression tests are performed prior to either standard or global thresholding tests.
Suppressions are standalone configurations that reference generators, SIDs, and IP addresses via an IP list. This allows a rule to be completely suppressed, or suppressed when the causative traffic is going to or coming from a specific IP or group of IP addresses.
You may apply multiple suppressions to a non-zero SID. You may also combine one event_filter and several suppressions on the same non-zero SID.
The suppress configuration has two forms:
```
suppress \
    gen_id <gid>, sig_id <sid>
```

```
suppress \
    gen_id <gid>, sig_id <sid>, \
    track <by_src|by_dst>, ip <ip-list>
```
Option | Description |
---|---|
gen_id <gid> | Specify the generator ID of an associated rule. gen_id 0, sig_id 0 can be used to specify a "global" suppression that applies to all rules. |
sig_id <sid> | Specify the signature ID of an associated rule. sig_id 0 specifies a "global" suppression because it applies to all sig_ids for the given gen_id. |
track by_src|by_dst | Suppress by source IP address or destination IP address. This is optional, but if present, ip must be provided as well. |
ip <list> | Restrict the suppression to only the source or destination IP addresses (indicated by the track parameter) contained in list. If track is provided, ip must be provided as well. |
Suppress this event completely:

```
suppress gen_id 1, sig_id 1852
```

Suppress this event from this IP:

```
suppress gen_id 1, sig_id 1852, track by_src, ip 10.1.1.54
```

Suppress this event to this CIDR block:

```
suppress gen_id 1, sig_id 1852, track by_dst, ip 10.1.1.0/24
```
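The Python model below, added as an illustration and not taken from Snort or its manual, ties together the event_filter section (the limit, threshold and both types tracked per address) and the suppression section above, including the documented evaluation order: suppression tests run first, then the rule's own event_filter, then the global (sig_id 0) event_filter. The class and function names, the per-event tuple layout and the sample addresses are assumptions made for this example; Snort's IP-list syntax is replaced by a plain list of CIDR strings, and rule-embedded (deprecated) thresholds are not modelled.

```python
import ipaddress


class EventFilter:
    """Model of an event_filter (illustrative; not Snort's code). The time
    interval starts with the first event seen for a tracking key and restarts
    once `seconds` have elapsed; only the source or destination address is
    tracked, nothing else."""

    def __init__(self, etype, track, count, seconds):
        if etype not in ("limit", "threshold", "both"):
            raise ValueError("type must be limit, threshold or both")
        if count == 0 or seconds <= 0:
            raise ValueError("count and seconds must be nonzero")
        self.etype, self.track, self.count, self.seconds = etype, track, count, seconds
        self.state = {}   # tracking key -> [interval start, events seen in interval]

    def should_log(self, now, src, dst):
        if self.count == -1:                  # count -1 disables the filter
            return True
        key = src if self.track == "by_src" else dst
        st = self.state.get(key)
        if st is None or now - st[0] >= self.seconds:
            st = self.state[key] = [now, 0]   # start a new interval
        st[1] += 1
        if self.etype == "limit":             # first c events, then silence
            return st[1] <= self.count
        if self.etype == "threshold":         # every c-th event
            return st[1] % self.count == 0
        return st[1] == self.count            # both: once, when c is reached


class Suppress:
    """suppress gen_id <gid>, sig_id <sid> [, track by_src|by_dst, ip <list>]."""

    def __init__(self, gen_id, sig_id, track=None, ip_list=None):
        if (track is None) != (ip_list is None):
            raise ValueError("track and ip must be provided together")
        self.gen_id, self.sig_id, self.track = gen_id, sig_id, track
        # ip list given as CIDR strings (assumed form for this example)
        self.nets = [ipaddress.ip_network(n, strict=False) for n in (ip_list or [])]

    def matches(self, gen_id, sig_id, src, dst):
        if (gen_id, sig_id) != (self.gen_id, self.sig_id):
            return False
        if self.track is None:                # whole event suppressed
            return True
        addr = ipaddress.ip_address(src if self.track == "by_src" else dst)
        return any(addr in net for net in self.nets)


def decide(event, suppressions, filters, global_filter=None):
    """Documented order: suppression, then the rule's event_filter, then the global one."""
    gid, sid, src, dst, now = event
    if any(s.matches(gid, sid, src, dst) for s in suppressions):
        return "suppressed"
    own = filters.get((gid, sid))
    if own is not None and not own.should_log(now, src, dst):
        return "filtered"
    if global_filter is not None and not global_filter.should_log(now, src, dst):
        return "filtered-global"
    return "logged"


def manual_filters():
    """The three event_filter examples from the manual, with fresh state."""
    return {(1, 1851): EventFilter("limit", "by_src", 1, 60),
            (1, 1852): EventFilter("threshold", "by_src", 3, 60),
            (1, 1853): EventFilter("both", "by_src", 30, 60)}


def manual_suppressions():
    """The two address-scoped suppress examples from the manual."""
    return [Suppress(1, 1852, "by_src", ["10.1.1.54"]),
            Suppress(1, 1852, "by_dst", ["10.1.1.0/24"])]


def run(events, global_filter=None):
    """Decide each (gen_id, sig_id, src, dst, time) event with fresh filter state."""
    filters, suppressions = manual_filters(), manual_suppressions()
    return [decide(e, suppressions, filters, global_filter) for e in events]


if __name__ == "__main__":
    # constructed sample: sid 1851 from one source at 0, 10, 20 and 70 seconds
    print(run([(1, 1851, "192.0.2.7", "198.51.100.3", t) for t in (0, 10, 20, 70)]))
```

Running the sample prints `['logged', 'filtered', 'filtered', 'logged']`: the limit filter passes one event per 60-second interval, and the event at 70 s opens a new interval.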
Snort supports logging multiple events per packet/stream that are prioritized with different insertion methods, such as max content length or event ordering using the event queue.
The general configuration of the event queue is as follows:
```
config event_queue: [max_queue [size]] [log [size]] [order_events [TYPE]]
```
There are three configuration options to the configuration parameter 'event_queue'.

max_queue: This determines the maximum size of the event queue. For example, if the event queue has a max size of 8, only 8 events will be stored for a single packet or stream. The default value is 8.

log: This determines the number of events to log for a given packet or stream. You can't log more than the max_queue number that was specified. The default value is 3.

order_events: This argument determines the way that the incoming events are ordered. We currently have two different methods:
- priority: the highest-priority events (1 being the highest) are ordered first.
- content_length: rule matches are ordered before decoder or preprocessor alerts, and rules that have a longer content are ordered before rules with shorter contents.

The method in which events are ordered does not affect rule types such as pass, alert, log, etc. The default value is content_length.
The default configuration:

```
config event_queue: max_queue 8 log 3 order_events content_length
```

Example of a reconfigured event queue:

```
config event_queue: max_queue 10 log 3 order_events content_length
```

Use the default event queue values, but change event order:

```
config event_queue: order_events priority
```

Use the default event queue values but change the number of logged events:

```
config event_queue: log 2
```
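To make the effect of max_queue, log and order_events concrete, here is a Python model of the per-packet event queue, added as an illustration and not taken from Snort. It assumes that events arriving after max_queue is full are discarded in arrival order and that ties under priority ordering keep arrival order; the dataclass fields and the sample events (including the decoder-style alert) are constructed for this example.

```python
from dataclasses import dataclass


@dataclass
class QueuedEvent:
    gid: int
    sid: int
    priority: int        # rule priority, 1 is the highest
    content_length: int  # length of the longest content match; 0 for non-rule events
    from_rule: bool      # True for rule matches, False for decoder/preprocessor alerts


def order_events(events, method="content_length"):
    """Order one packet's events as config event_queue: order_events <method> would."""
    if method == "priority":
        # stable sort: events with equal priority keep their arrival order (assumption)
        return sorted(events, key=lambda e: e.priority)
    if method == "content_length":
        # rule matches before decoder/preprocessor alerts, longer content first
        return sorted(events, key=lambda e: (not e.from_rule, -e.content_length))
    raise ValueError("order_events must be priority or content_length")


def event_queue(events, max_queue=8, log=3, order="content_length"):
    """Store at most max_queue events for the packet, then log the first `log`
    of them after ordering. Extra arrivals are dropped (assumption)."""
    if log > max_queue:
        raise ValueError("log cannot exceed max_queue")
    return order_events(events[:max_queue], order)[:log]


# Constructed sample: one decoder-style alert plus four rule matches on one packet.
SAMPLE = [
    QueuedEvent(gid=116, sid=4, priority=3, content_length=0, from_rule=False),
    QueuedEvent(gid=1, sid=1000001, priority=2, content_length=12, from_rule=True),
    QueuedEvent(gid=1, sid=1000002, priority=1, content_length=4, from_rule=True),
    QueuedEvent(gid=1, sid=1000003, priority=3, content_length=30, from_rule=True),
    QueuedEvent(gid=1, sid=1000004, priority=3, content_length=8, from_rule=True),
]


def logged_sids(**cfg):
    """sig_ids that would be logged for SAMPLE under the given event_queue settings."""
    return [e.sid for e in event_queue(SAMPLE, **cfg)]


if __name__ == "__main__":
    print("default          :", logged_sids())
    print("order priority   :", logged_sids(order="priority"))
    print("log 2            :", logged_sids(log=2))
    print("max_queue 2 log 2:", logged_sids(max_queue=2, log=2))
```

With the defaults the three longest-content rule matches are logged and the decoder alert is not; switching to `order_events priority` logs sid 1000002 first and lets the decoder alert in ahead of the long-content rule because its priority number is lower.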
Snort supports logging additional information to a file about the events it is generating relative to specific blocks of data that are matching the rule. The blocks of data logged include information about the event, the GID, SID, and other data related to the event itself, plus packet data including sizes, timestamps, raw, normalized, and decompressed buffers extracted from the packet that may have been used in evaluating the rule. The amount of packet data written is limited with each entry. This is useful in debugging rules.
The config option event_trace in snort.conf provides this control.
The general configuration for event tracing is as follows:
```
config event_trace: [file <filename>] [max_data <int>]
```
There are two configuration options for event_trace.

file: This sets the file name into which the trace data is written, within Snort's log directory (see the -l command line option). The default is event_trace.txt.

max_data: This specifies the maximum number of bytes from each buffer of data to write into the file. The default is 64 bytes and valid values range from 1 to 65535 bytes.
The default configuration:

```
config event_trace: file event_trace.txt max_data 64
```

Use the default file, but change the amount of data logged:

```
config event_trace: max_data 128
```

Change the file name to which event traces are logged:

```
config event_trace: file snort_event_trace.out
```