[Oisf-users] Configure Suricata drop rule to drop whole source

Cooper F. Nelson cnelson at ucsd.edu
Fri Aug 22 18:38:50 UTC 2014



No, currently you can't have separate time windows for
detection/alerting.  For now it's merged:

> https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Rule-Thresholding

> type both, track by_src, count 10, seconds 10;

So you can set the count/time to 10 seconds, but not a count of 10 for
60 seconds.

If you want to do something like that, the way you do it is to have another
process watch the alerts file and then add a firewall rule.  You
could have a cron job periodically check for expired rules and remove
them.

-Coop

On 8/22/2014 10:59 AM, First Root | Michael wrote:
> Hello Cooper,
> 
> thanks for your response.
> 
> But if I adjust the threshold value, does it also increase the period in which
> the counter is increased?
> 
> Simply put, isn't there a way to create a rule that triggers if the
> threshold count is 10 in 10 seconds and then drops it for 60 seconds?
> 
> Regards
> Michael
> 
> On 22.08.2014 at 19:54, Cooper F. Nelson <cnelson at ucsd.edu
> <mailto:cnelson at ucsd.edu>> wrote:
> 
>> Signed PGP part
>> You are telling suricata to only drop traffic for 10 seconds via the
>> threshold rule.  You probably shouldn't use thresholding for 'drop'
>> rules unless you are trying to drop floods/DOS or attempting to do some
>> kind of rate-shaping.
>>
>> If you really want to drop all port 80 traffic try this rule:
>>
>> > drop tcp any any -> any 80 (msg:"Local DROP Tcp port 80";
>> flow:from_client; sid:1;)
>>
>> -Coop
>>
>> On 8/22/2014 10:43 AM, First Root | Michael wrote:
>> > Hello Cooper,
>> >
>> > thanks for your response.
>> > It is not the case that I simply want to drop specific traffic, but this
>> > was the easiest way to show what my problem is ;).
>> >
>> > Is there any way to define how long the drop is valid, as I asked in my
>> > last email?
>> >
>> > Regards
>> > Michael
>> >
>>
>> --
>> Cooper Nelson
>> Network Security Analyst
>> UCSD ACT Security Team
>> cnelson at ucsd.edu <mailto:cnelson at ucsd.edu> x41042
>>
>>
> 


-- 
Cooper Nelson
Network Security Analyst
UCSD ACT Security Team
cnelson at ucsd.edu x41042
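The two-window scheme Cooper describes (count alerts per source over a short window, then keep a firewall rule in place for a longer, separate period and sweep expired rules later) can be done outside Suricata. The following is an added example, not code from this thread or from the Suricata project: it reads Suricata EVE JSON alert records (the real `timestamp`, `event_type` and `src_ip` fields), blocks a source after 10 alerts within 10 seconds, and expires the block after 60 seconds. The firewall hook only records the `iptables` command it would run, so the script runs offline; the alert lines are constructed, and the `SourceBlocker` class and its method names are this example's own.

```python
"""Added example: watch Suricata eve.json alerts, block a source after
COUNT_THRESHOLD alerts inside WINDOW_SECONDS, expire the block after
BLOCK_SECONDS.  The sample alert records below are constructed, not real
Suricata output, and the firewall action is only recorded, not executed."""
import json
from collections import defaultdict, deque
from datetime import datetime

COUNT_THRESHOLD = 10   # alerts from one source needed to trigger a block
WINDOW_SECONDS = 10    # detection window (the "seconds 10" of the threshold)
BLOCK_SECONDS = 60     # how long the firewall rule stays in place

EVE_TS = "%Y-%m-%dT%H:%M:%S.%f%z"   # e.g. 2014-08-22T18:38:50.123456+0000


def parse_ts(ts):
    """Suricata EVE timestamp string -> POSIX seconds (float)."""
    return datetime.strptime(ts, EVE_TS).timestamp()


class SourceBlocker:
    """Sliding-window counter per source plus a table of timed blocks."""

    def __init__(self, count=COUNT_THRESHOLD, window=WINDOW_SECONDS,
                 duration=BLOCK_SECONDS):
        self.count, self.window, self.duration = count, window, duration
        self.hits = defaultdict(deque)   # src_ip -> timestamps of recent alerts
        self.blocked = {}                # src_ip -> time the block expires
        self.commands = []               # firewall commands that would be run

    def _firewall(self, action, ip):
        # Hypothetical deployment hook: a real watcher would hand these
        # strings to subprocess.run(); here they are only recorded.
        self.commands.append(f"iptables -{action} INPUT -s {ip} -j DROP")

    def observe(self, line):
        """Feed one eve.json line; return the IP if this line tripped the threshold."""
        event = json.loads(line)
        if event.get("event_type") != "alert":
            return None
        ip, now = event["src_ip"], parse_ts(event["timestamp"])
        if ip in self.blocked:
            return None                 # already blocked, nothing more to do
        recent = self.hits[ip]
        recent.append(now)
        while recent and now - recent[0] > self.window:
            recent.popleft()            # slide the detection window forward
        if len(recent) >= self.count:
            self.blocked[ip] = now + self.duration
            recent.clear()
            self._firewall("I", ip)
            return ip
        return None

    def expire(self, now):
        """The cron-job half: remove rules whose block time has passed."""
        expired = [ip for ip, until in self.blocked.items() if now >= until]
        for ip in expired:
            del self.blocked[ip]
            self._firewall("D", ip)
        return expired


def make_ts(seconds):
    """Constructed EVE timestamp `seconds` after a fixed epoch."""
    base = datetime.strptime("2014-08-22T18:38:50.000000+0000", EVE_TS)
    return datetime.fromtimestamp(base.timestamp() + seconds,
                                  tz=base.tzinfo).strftime(EVE_TS)


def make_alert(ip, seconds):
    """Constructed eve.json alert record (fields as Suricata emits them)."""
    return json.dumps({"timestamp": make_ts(seconds), "event_type": "alert",
                       "src_ip": ip, "dest_port": 80,
                       "alert": {"signature_id": 1,
                                 "signature": "Local DROP Tcp port 80"}})


def run_demo():
    """12 alerts from one source over 12 seconds, 3 from another, then a sweep at +70 s."""
    blocker = SourceBlocker()
    lines = [make_alert("203.0.113.5", t) for t in range(12)]    # t = 0..11
    lines += [make_alert("198.51.100.7", t) for t in range(3)]   # t = 0..2
    tripped = [ip for ip in map(blocker.observe, lines) if ip]
    expired = blocker.expire(parse_ts(make_ts(70)))
    return tripped, expired, blocker.commands


if __name__ == "__main__":
    print(run_demo())
```

Feeding this a live `eve.json` (tail the file, call `observe` per line, call `expire` from a timer or cron) gives the behaviour Michael asked for: the detection window and the block duration are independent knobs, which a single `threshold` keyword cannot express.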
