[Oisf-users] Thresholds, Global Thresholds, and Types

Korodev korodev at gmail.com
Mon May 11 14:54:29 UTC 2020

The Suricata 4/5 docs seem to imply that if a signature has a
threshold (type threshold) defined, and a global threshold (type
limit) defined, then the latter overwrites the signature's threshold,
even though they are two different types. If so, how can we have a two
independent thresholds that control what's required to trip the
signature (type threshold) and a separate threshold (type limit) to
avoid getting flooded with alerts, but over two different time

For instance, the signature below requires 10 matches in a period of
60 seconds to fire, but what if we want to limit the number of alerts
by offending IP to 1 every hour (type limit, track by_src, count 1,
seconds 3600)?

alert tcp !$HOME_NET any -> $HOME_NET 25 (msg:"ET POLICY Inbound
Frequent Emails - Possible Spambot Inbound"; flow:established;
content:"mail from|3a|"; nocase; threshold: type threshold, track
by_src, count 10, seconds 60;
classtype:misc-activity; sid:2002087; rev:10; metadata:created_at
2010_07_30, updated_at 2010_07_30;)


More information about the Oisf-users mailing list