[Oisf-users] Global Thresholding

Josh Guild josh.guild at morphick.com
Fri Oct 21 17:32:29 UTC 2016


Hi all!

I think the answer to this is "no" but I wanted to reach out before I
closed the loop.

Is there a way to globally threshold all rules in Suricata via the
threshold.config?
For example, I don't want a rule to fire more than 1 time in an hour for
the same IP (e.g. threshold gen_id 1, sig_id ALL OF THEM, type limit, track
by_src, count 1, seconds 3600).
It appears this is available in Snort but not Suricata.

Please let me know if I have the right info or have been grossly
misinformed by my Google searches. Thanks!

-- 
Josh Guild
Network Intelligence Analyst
<https://twitter.com/stay_spooky> <https://keybase.io/joshuaguild>
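As an added example for this thread (not part of the original post, and not Suricata's own code), the script below parses a threshold.config line of the kind the post sketches and replays it over a handful of constructed alerts, so the effect of a global "type limit, count 1, seconds 3600, track by_src" line can be seen on sample data. Two points in it are assumptions to check against the Global Thresholds page of the Suricata documentation for the version in use: that sig_id 0 (and gen_id 0) act as a wildcard for every signature in threshold.config, and that threshold state is kept per signature and tracked host, so a line that applies to all rules still gives one counter per (signature, source IP) rather than a single counter per source IP across every rule. The alert records are constructed, not captured from a sensor.

```python
"""Model of Suricata threshold.config semantics applied to all rules.

Added example for this mailing-list thread; not Suricata source code.
Assumptions (verify against the docs for your Suricata version):
  * sig_id 0 / gen_id 0 in threshold.config mean "every signature".
  * Threshold state is tracked per (signature, host), so a global line
    yields one counter per signature, not one per host across all rules.
"""

# threshold.config line under discussion. sig_id 0 as "all rules" is an assumption.
THRESHOLD_LINE = (
    "threshold gen_id 1, sig_id 0, type limit, track by_src, count 1, seconds 3600"
)

# Constructed alerts, not captured data: (timestamp_seconds, sid, src_ip, dst_ip).
ALERTS = [
    (0,    2001, "10.0.0.5", "192.0.2.10"),
    (10,   2001, "10.0.0.5", "192.0.2.10"),  # same sid + src inside window
    (20,   2002, "10.0.0.5", "192.0.2.10"),  # different sid, same src
    (30,   2001, "10.0.0.9", "192.0.2.10"),  # different src
    (3599, 2001, "10.0.0.5", "192.0.2.10"),  # still inside the 3600 s window
    (3600, 2001, "10.0.0.5", "192.0.2.10"),  # window expired: new window starts
    (5000, 2002, "10.0.0.5", "192.0.2.10"),
]


def parse_threshold_line(line):
    """Parse one 'threshold ...' line from threshold.config into a dict."""
    kind, _, rest = line.strip().partition(" ")
    if kind != "threshold":
        raise ValueError("only 'threshold' lines are modelled here: %r" % line)
    opts = {}
    for field in rest.split(","):
        key, value = field.split()
        opts[key] = value
    return {
        "gen_id": int(opts["gen_id"]),
        "sig_id": int(opts["sig_id"]),
        "type": opts["type"],
        "track": opts["track"],
        "count": int(opts["count"]),
        "seconds": int(opts["seconds"]),
    }


def apply_threshold(alerts, cfg, per_signature=True):
    """Return the alerts that survive the threshold in cfg.

    per_signature=True models the assumed Suricata behaviour (one counter per
    sid and tracked host).  per_signature=False models the literal wording of
    the post, one counter per host across every rule, for comparison.
    """
    if cfg["track"] not in ("by_src", "by_dst"):
        raise ValueError("unsupported track: %s" % cfg["track"])
    state = {}   # key -> (window_start, hits_in_window)
    kept = []
    for ts, sid, src, dst in alerts:
        host = src if cfg["track"] == "by_src" else dst
        key = (sid, host) if per_signature else host
        start, n = state.get(key, (None, 0))
        if start is None or ts - start >= cfg["seconds"]:
            start, n = ts, 0        # first hit, or window expired: open a new one
        n += 1
        state[key] = (start, n)
        kind = cfg["type"]
        if kind == "limit":
            fire = n <= cfg["count"]        # first `count` alerts per window
        elif kind == "threshold":
            fire = n % cfg["count"] == 0    # every `count`-th alert in the window
        elif kind == "both":
            fire = n == cfg["count"]        # once per window, when count is reached
        else:
            raise ValueError("unsupported type: %s" % kind)
        if fire:
            kept.append((ts, sid, src, dst))
    return kept


if __name__ == "__main__":
    cfg = parse_threshold_line(THRESHOLD_LINE)
    for label, per_sig in (("per signature+host", True), ("per host only", False)):
        survivors = apply_threshold(ALERTS, cfg, per_signature=per_sig)
        print("%-20s %d of %d alerts kept: %s"
              % (label, len(survivors), len(ALERTS), [a[0] for a in survivors]))
```

Running it shows the gap between the two readings: with one counter per (sid, source) the sample set keeps five alerts, while a single counter per source IP across all rules keeps three, which is what "one alert per hour per IP" would literally mean.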