[Oisf-users] Detection filters in global config

b smith x62smith at gmail.com
Mon Mar 11 13:47:34 UTC 2019


It looks like you can use threshold in the threshold.conf file or you can
also use rate_filter to change the action from alert to pass and that might
work as well.

threshold gen_id 1, sig_id 2002087, type both, track by_src, count 3, seconds 5
threshold gen_id 1, sig_id 2002087, type threshold, track by_src, count 10, seconds 60
threshold gen_id 1, sig_id 2002087, type limit, track by_src, count 1, seconds 15


https://suricata.readthedocs.io/en/suricata-4.1.2/configuration/global-thresholds.html#id3
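As an added illustration (not code from this reply or from Suricata itself), a small Python model of how the three threshold.conf lines above treat the same stream of sig_id 2002087 matches. The event stream is constructed, and the window bookkeeping (a window opens at the first match for a tracked key and lasts `seconds`) is a simplifying assumption rather than Suricata's exact implementation:

```python
import re

# Constructed event stream for sig_id 2002087: (seconds since start, source IP).
# Not real traffic; chosen so each threshold type behaves differently.
EVENTS = [(0, "10.0.0.1"), (1, "10.0.0.1"), (2, "10.0.0.1"), (3, "10.0.0.1"),
          (20, "10.0.0.1"), (21, "10.0.0.2"), (22, "10.0.0.1")]


def parse_threshold_line(line):
    """Parse one threshold.conf line of the form quoted in the reply above."""
    m = re.fullmatch(
        r"threshold gen_id (\d+), sig_id (\d+), type (limit|threshold|both), "
        r"track (by_src|by_dst), count (\d+), seconds (\d+)", line.strip())
    if not m:
        raise ValueError("unsupported threshold line: %r" % line)
    return {"gen_id": int(m[1]), "sig_id": int(m[2]), "type": m[3],
            "track": m[4], "count": int(m[5]), "seconds": int(m[6])}


def simulate(rule, events):
    """Return the indices of events that still alert under `rule`.

    Simplified model (an assumption, not Suricata's exact bookkeeping): a
    window opens at the first match for a tracked key and lasts `seconds`.
    """
    windows = {}   # tracked key -> (window_start, matches_in_window)
    alerts = []
    for i, (ts, key) in enumerate(events):
        start, n = windows.get(key, (None, 0))
        if start is None or ts - start >= rule["seconds"]:
            start, n = ts, 0            # window expired: open a fresh one
        n += 1
        windows[key] = (start, n)
        t = rule["type"]
        if t == "limit" and n <= rule["count"]:
            alerts.append(i)            # only the first `count` matches per window
        elif t == "both" and n == rule["count"]:
            alerts.append(i)            # exactly once per window, after `count` matches
        elif t == "threshold" and n == rule["count"]:
            alerts.append(i)            # every `count` matches, then start counting again
            windows.pop(key)
    return alerts


if __name__ == "__main__":
    for line in ("threshold gen_id 1, sig_id 2002087, type both, track by_src, count 3, seconds 5",
                 "threshold gen_id 1, sig_id 2002087, type threshold, track by_src, count 10, seconds 60",
                 "threshold gen_id 1, sig_id 2002087, type limit, track by_src, count 1, seconds 15"):
        print(line, "->", simulate(parse_threshold_line(line), EVENTS))
```

With this stream the `both` line fires once (third match), the `threshold` line never reaches ten matches in 60 seconds, and the `limit` line fires on the first match per source per 15-second window.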

On Mon, Mar 11, 2019 at 4:32 AM Davide Setti <d.setti at certego.net> wrote:

> Hi all,
>
> We were reading about "detection filter" (
> https://suricata.readthedocs.io/en/suricata-4.1.2/rules/thresholding.html#detection-filter)
> to reduce the noise of some signatures (mainly mirai related).
>
> We would like to avoid any in place changes to these rules.
>
> Does "detection filter" work also in global threshold configuration?
>
> If yes, this should be better explained in the docs:
> https://suricata.readthedocs.io/en/suricata-4.1.2/configuration/global-thresholds.html
>
> Regards,
> Davide
> --
> <http://www.certego.net/>
> Davide Setti
> R&D and Incident Response Team, Certego