[Oisf-users] Thresholds, Global Thresholds, and Types

Korodev korodev at gmail.com
Mon May 11 14:54:29 UTC 2020


The Suricata 4/5 docs seem to imply that if a signature has a
threshold (type threshold) defined, and a global threshold (type
limit) defined, then the latter overwrites the signature's threshold,
even though they are two different types. If so, how can we have two
independent thresholds: one that controls what's required to trip the
signature (type threshold) and a separate threshold (type limit) to
avoid getting flooded with alerts, but over two different time
windows?

For instance, the signature below requires 10 matches in a period of
60 seconds to fire, but what if we want to limit the number of alerts
by offending IP to 1 every hour (type limit, track by_src, count 1,
seconds 3600)?

alert tcp !$HOME_NET any -> $HOME_NET 25 (msg:"ET POLICY Inbound Frequent Emails - Possible Spambot Inbound"; flow:established; content:"mail from|3a|"; nocase; threshold: type threshold, track by_src, count 10, seconds 60; reference:url,doc.emergingthreats.net/2002087; classtype:misc-activity; sid:2002087; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

\\korodev
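The behaviour the poster is asking for, as an added simulation that is not part of the original post and not Suricata's engine: a per-source "type threshold" stage (count 10 in 60 seconds, the rule above) whose trips are then fed through a separate "type limit" stage (count 1 in 3600 seconds). The window handling follows the documented semantics of the two types (threshold fires on every count-th match inside a window started by the first match; limit emits at most count alerts per window), but the event stream, source addresses and the chaining of the two stages are constructed assumptions for illustration.

```python
from collections import defaultdict

# Simplified model of Suricata's per-track state for one signature.
# Both types keep, per tracked key (here the source IP), the timestamp of the
# first match in the current window and a running count.


class ThresholdType:
    """type threshold: fire every `count`-th match within a `seconds` window."""

    def __init__(self, count, seconds):
        self.count, self.seconds = count, seconds
        self.state = defaultdict(lambda: {"start": None, "n": 0})

    def match(self, key, ts):
        st = self.state[key]
        if st["start"] is not None and ts < st["start"] + self.seconds:
            st["n"] += 1
            if st["n"] >= self.count:
                st["n"] = 0          # counter resets, the window does not
                return True
            return False
        st["start"], st["n"] = ts, 1  # first match opens a new window
        return self.count <= 1


class LimitType:
    """type limit: pass at most `count` alerts per `seconds` window, then drop."""

    def __init__(self, count, seconds):
        self.count, self.seconds = count, seconds
        self.state = defaultdict(lambda: {"start": None, "n": 0})

    def allow(self, key, ts):
        st = self.state[key]
        if st["start"] is None or ts >= st["start"] + self.seconds:
            st["start"], st["n"] = ts, 0  # window expired or never opened
        st["n"] += 1
        return st["n"] <= self.count


def run_pipeline(events, thr=(10, 60), lim=(1, 3600)):
    """Return (trip_timestamps, emitted_alert_timestamps) for a list of
    (timestamp, src_ip) content matches. Stage 1 is the rule's own
    threshold; stage 2 is the separate limit the post wants on top of it."""
    trips, alerts = [], []
    stage1 = ThresholdType(*thr)
    stage2 = LimitType(*lim)
    for ts, src in events:
        if stage1.match(src, ts):
            trips.append(ts)
            if stage2.allow(src, ts):
                alerts.append(ts)
    return trips, alerts


# Constructed sample: 198.51.100.7 sends 20 "mail from" matches, one per
# second, then 10 more an hour later; 203.0.113.9 sends only 5 and never trips.
SAMPLE_EVENTS = (
    [(t, "198.51.100.7") for t in range(0, 20)]
    + [(t, "203.0.113.9") for t in range(0, 5)]
    + [(t, "198.51.100.7") for t in range(3700, 3710)]
)
SAMPLE_EVENTS.sort()

if __name__ == "__main__":
    trips, alerts = run_pipeline(SAMPLE_EVENTS)
    print("rule trips (type threshold):", trips)
    print("alerts after type limit:    ", alerts)
```

With the constructed stream the rule trips at t=9, t=19 and t=3709; the limit stage lets the first trip through, drops the second because it falls inside the same 3600-second window, and passes the third once that window has expired. Running the threshold stage alone shows what the poster would get without the limit: three alerts from the same source.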
