[Oisf-users] Global Thresholding

Duane Howard duane.security at gmail.com
Fri Oct 21 20:03:07 UTC 2016


to the list this time:
Use sig_id 0, which should be 'all of them'.
https://github.com/inliniac/suricata/blob/master/threshold.config#L23


On Fri, Oct 21, 2016 at 10:32 AM, Josh Guild <josh.guild at morphick.com>
wrote:

> Hi all!
>
> I think the answer to this is "no" but I wanted to reach out before I
> closed the loop.
>
> Is there a way to globally threshold all rules in Suricata via the
> threshold.config?
> For example, I don't want a rule to fire more than 1 time in an hour for
> the same IP (e.g. threshold gen_id 1, sig_id ALL OF THEM, type limit, track
> by_src, count 1, seconds 3600).
> It appears this is available in Snort but not Suricata.
>
> Please let me know if I have the right info or have been grossly
> misinformed by my Google searches. Thanks!
>
> --
> Josh Guild
> Network Intelligence Analyst
> <https://twitter.com/stay_spooky> <https://keybase.io/joshuaguild>
>
>
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> Suricata User Conference November 9-11 in Washington, DC:
> http://suricon.net
>
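To make the sig_id 0 wildcard concrete, here is a small Python model of what a threshold.config entry like the one above does to an alert stream. This is an added example, not code from either poster or from the Suricata project: it parses threshold.config-style lines, treats sig_id 0 as the wildcard that matches every signature of a gen_id, and replays constructed alerts through the limit/threshold/both semantics. The signature ids 2100001 and 2100498, the IP addresses, the timestamps, and two behavioural choices (a rule-specific entry wins over the sig_id 0 wildcard, and counters are kept per signature and per tracked IP) are assumptions of this demo, not statements about Suricata's implementation.

```python
import re

# Constructed threshold.config contents for the demo; the sig_id 0 line is the
# global "at most one alert per source IP per hour" entry from the thread.
SAMPLE_THRESHOLD_CONFIG = """
# applies to every signature of gen_id 1
threshold gen_id 1, sig_id 0, type limit, track by_src, count 1, seconds 3600
# rule-specific entry (sid 2100498 is a constructed example id)
threshold gen_id 1, sig_id 2100498, type threshold, track by_dst, count 5, seconds 60
"""

LINE_RE = re.compile(
    r"^threshold\s+gen_id\s+(\d+),\s*sig_id\s+(\d+),\s*type\s+(limit|threshold|both),"
    r"\s*track\s+(by_src|by_dst),\s*count\s+(\d+),\s*seconds\s+(\d+)$"
)


def parse_threshold_config(text):
    """Parse threshold lines; '#' comments and blank lines are ignored."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised threshold line: {raw!r}")
        gid, sid, typ, track, count, seconds = m.groups()
        entries.append({"gen_id": int(gid), "sig_id": int(sid), "type": typ,
                        "track": track, "count": int(count), "seconds": int(seconds)})
    return entries


def is_global(entry):
    """sig_id 0 is the wildcard for 'all signatures' of that gen_id."""
    return entry["sig_id"] == 0


def select_entry(entries, gen_id, sig_id):
    """Assumption for this demo: an exact sig_id entry wins over the sig_id 0 wildcard."""
    for e in entries:
        if e["gen_id"] == gen_id and e["sig_id"] == sig_id:
            return e
    for e in entries:
        if e["gen_id"] == gen_id and is_global(e):
            return e
    return None


def apply_thresholds(entries, alerts):
    """Replay (ts, gen_id, sig_id, src, dst) alerts and return those that would fire.

    Windows start at the first matching alert and reset after `seconds`.
    limit: fire for the first `count` alerts in a window, suppress the rest.
    threshold: fire every `count`-th alert in a window.
    both: fire once, when the window reaches `count` alerts.
    """
    state = {}  # (gen_id, sig_id, tracked ip) -> (window_start, alerts_seen)
    fired = []
    for alert in alerts:
        ts, gid, sid, src, dst = alert
        e = select_entry(entries, gid, sid)
        if e is None:
            fired.append(alert)  # no threshold applies
            continue
        ip = src if e["track"] == "by_src" else dst
        key = (gid, sid, ip)  # assumption: counters are per signature and per IP
        start, n = state.get(key, (None, 0))
        if start is None or ts - start >= e["seconds"]:
            start, n = ts, 0  # open a fresh window
        n += 1
        state[key] = (start, n)
        t, c = e["type"], e["count"]
        if (t == "limit" and n <= c) or (t == "threshold" and n % c == 0) or (t == "both" and n == c):
            fired.append(alert)
    return fired


# Constructed alert stream (ts in seconds, gen_id, sig_id, src, dst), time ordered.
SAMPLE_ALERTS = [
    (0, 1, 2100001, "10.0.0.5", "192.0.2.1"),
    (5, 1, 2100001, "10.0.0.6", "192.0.2.1"),
    (10, 1, 2100498, "10.0.0.7", "192.0.2.9"),
    (11, 1, 2100498, "10.0.0.7", "192.0.2.9"),
    (12, 1, 2100498, "10.0.0.7", "192.0.2.9"),
    (13, 1, 2100498, "10.0.0.7", "192.0.2.9"),
    (14, 1, 2100498, "10.0.0.7", "192.0.2.9"),
    (60, 1, 2100001, "10.0.0.5", "192.0.2.1"),    # same src within the hour: suppressed
    (600, 1, 2100001, "10.0.0.5", "192.0.2.1"),   # still within the hour: suppressed
    (4000, 1, 2100001, "10.0.0.5", "192.0.2.1"),  # new hour window: fires again
]


def run_demo():
    entries = parse_threshold_config(SAMPLE_THRESHOLD_CONFIG)
    return apply_thresholds(entries, SAMPLE_ALERTS)


if __name__ == "__main__":
    for ts, gid, sid, src, dst in run_demo():
        print(f"t={ts:5d} gid={gid} sid={sid} {src} -> {dst}")
```

Running it shows four alerts surviving: the first sid 2100001 alert from each source, the fifth sid 2100498 alert (its rule-specific `type threshold, count 5` entry takes over from the wildcard), and the sid 2100001 alert at t=4000 once the hour window has elapsed. Replacing sig_id 0 with a specific id in the constructed config and re-running is a quick way to see which entry a given alert falls under.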

