<div dir="ltr"><div dir="ltr"><div dir="ltr">It looks like you can use threshold in the threshold.conf file or you can also use rate_filter to change the action from alert to pass and that might work as well.</div><div dir="ltr"><br></div><div dir="ltr"><pre>threshold gen_id 1, sig_id 2002087, type both, track by_src, count 3, seconds 5
threshold gen_id 1, sig_id 2002087, type threshold, track by_src, count 10, seconds 60
threshold gen_id 1, sig_id 2002087, type limit, track by_src, count 1, seconds 15</pre><div><br></div><div><a href="https://suricata.readthedocs.io/en/suricata-4.1.2/configuration/global-thresholds.html#id3">https://suricata.readthedocs.io/en/suricata-4.1.2/configuration/global-thresholds.html#id3</a><br></div></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Mon, Mar 11, 2019 at 4:32 AM Davide Setti <<a href="mailto:d.setti@certego.net">d.setti@certego.net</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div dir="ltr"><div dir="ltr">Hi all,<div><br></div><div>We were reading about "detection filter" (<a 
href="https://suricata.readthedocs.io/en/suricata-4.1.2/rules/thresholding.html#detection-filter" target="_blank">https://suricata.readthedocs.io/en/suricata-4.1.2/rules/thresholding.html#detection-filter</a>) to reduce the noise of some signatures (mainly Mirai-related).</div><div><br></div><div>We would like to avoid any in-place changes to these rules.</div><div><br></div><div>Does "detection filter" also work in the global threshold configuration?</div><div><br></div><div>If yes, this should be better explained in the docs <a href="https://suricata.readthedocs.io/en/suricata-4.1.2/configuration/global-thresholds.html" target="_blank">https://suricata.readthedocs.io/en/suricata-4.1.2/configuration/global-thresholds.html</a>.</div><div><br></div><div>Regards,</div><div>Davide<br>-- <br><div dir="ltr" class="gmail-m_5640462380376100963gmail_signature"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div>Davide Setti</div><div>R&D and Incident Response Team, <a href="http://www.certego.net/" target="_blank">Certego</a></div></div></div></div></div></div></div></div></div>
_______________________________________________<br>
Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org" target="_blank">oisf-users@openinfosecfoundation.org</a><br>
Site: <a href="http://suricata-ids.org" rel="noreferrer" target="_blank">http://suricata-ids.org</a> | Support: <a href="http://suricata-ids.org/support/" rel="noreferrer" target="_blank">http://suricata-ids.org/support/</a><br>
List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" rel="noreferrer" target="_blank">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>
<br>
Conference: <a href="https://suricon.net" rel="noreferrer" target="_blank">https://suricon.net</a><br>
Trainings: <a href="https://suricata-ids.org/training/" rel="noreferrer" target="_blank">https://suricata-ids.org/training/</a></blockquote></div>
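The three threshold.conf entries suggested in the reply (type both, threshold and limit) and the detection_filter keyword Davide asked about all count matches per tracked key inside a time window, but they fire on different matches. The simulator below is an added illustration written for this thread; it is not Suricata code, and the counting rules it models (a fixed window that starts at the first match after the previous window expired; limit fires on the first count matches, threshold on every count-th match, both once per window when count is reached, detection_filter on every match after the first count) are my reading of the Suricata documentation, not a transcription of the engine. The source addresses and timestamps are constructed sample data. The four configurations it replays are the three entries from the reply plus a detection_filter with the same count and seconds as the "both" entry, so the two can be compared on identical input.

```python
"""Simulate Suricata-style threshold counting on a constructed alert stream.

Added illustration, not Suricata code. Models the threshold.conf types
'limit', 'threshold' and 'both' and the rule keyword 'detection_filter'
as fixed-window counters tracked per key (by_src in the thread's examples).
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class ThresholdFilter:
    """One threshold entry. kind is 'limit', 'threshold', 'both' or
    'detection_filter'; count and seconds as written in threshold.conf."""
    kind: str
    count: int
    seconds: float
    # Per tracked key (e.g. source IP): (window start, matches seen in window).
    state: Dict[str, Tuple[float, int]] = field(default_factory=dict)

    def match(self, key: str, ts: float) -> bool:
        """Register one rule match for key at time ts (seconds).
        Returns True when this match should be reported as an alert."""
        start, n = self.state.get(key, (None, 0))
        if start is None or ts - start >= self.seconds:
            # Fixed window: opens at the first match after the old window expired.
            start, n = ts, 0
        n += 1
        self.state[key] = (start, n)
        if self.kind == "limit":
            return n <= self.count          # first `count` matches per window
        if self.kind == "threshold":
            return n % self.count == 0      # every count-th match in the window
        if self.kind == "both":
            return n == self.count          # once per window, on the count-th match
        if self.kind == "detection_filter":
            return n > self.count           # every match after the first `count`
        raise ValueError(f"unknown threshold type: {self.kind}")


def replay(flt: ThresholdFilter, events: List[Tuple[float, str]]) -> List[float]:
    """Feed (timestamp, src_ip) matches through the filter in order and
    return the timestamps of the matches that would alert."""
    return [ts for ts, src in events if flt.match(src, ts)]


# Constructed sample: one noisy source matching sig 2002087 every 0.5 s for 6 s
# (13 matches), a second source matching twice, and the first source once more
# after a quiet gap of ~24 s.
SAMPLE_EVENTS: List[Tuple[float, str]] = (
    [(i * 0.5, "10.0.0.5") for i in range(13)]
    + [(1.0, "10.0.0.9"), (1.2, "10.0.0.9")]
    + [(30.0, "10.0.0.5")]
)
SAMPLE_EVENTS.sort()


def compare_types() -> Dict[str, List[float]]:
    """Replay the thread's three threshold.conf entries plus a detection_filter
    over the same sample; return the alert timestamps per configuration."""
    configs = {
        "both count 3, seconds 5": ThresholdFilter("both", 3, 5),
        "threshold count 10, seconds 60": ThresholdFilter("threshold", 10, 60),
        "limit count 1, seconds 15": ThresholdFilter("limit", 1, 15),
        "detection_filter count 3, seconds 5": ThresholdFilter("detection_filter", 3, 5),
    }
    return {name: replay(flt, SAMPLE_EVENTS) for name, flt in configs.items()}


if __name__ == "__main__":
    for name, alerts in compare_types().items():
        print(f"{name:38s} -> {len(alerts):2d} alerts at {alerts}")
```

On this sample the "both" entry collapses the 13-match burst from 10.0.0.5 into two alerts (one per 5-second window, each on the third match), "threshold" reports only the tenth match, "limit" reports the first match per source and then one more after the window has expired, and detection_filter reports every match after the third within the window, which is why it keeps a burst visible rather than quieting it. That difference is the practical answer to the question in the thread: if the goal is fewer alerts per noisy source, "both" or "limit" in threshold.conf gives that without editing the rule, whereas detection_filter is meant to stay silent on low-rate matches and alert on the excess.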