[Oisf-users] Thresholds, Global Thresholds, and Types

Korodev korodev at gmail.com
Thu May 21 16:51:00 UTC 2020


Is this still the appropriate place to post these questions? Still
looking into this issue and trying to better understand how threshold
windows can work together -- if at all.

\\korodev

On Mon, May 11, 2020 at 9:54 AM Korodev <korodev at gmail.com> wrote:
>
> The Suricata 4/5 docs seem to imply that if a signature has a
> threshold (type threshold) defined, and a global threshold (type
> limit) defined, then the latter overwrites the signature's threshold,
> even though they are two different types. If so, how can we have two
> independent thresholds that control what's required to trip the
> signature (type threshold) and a separate threshold (type limit) to
> avoid getting flooded with alerts, but over two different time
> windows?
>
> For instance, the signature below requires 10 matches in a period of
> 60 seconds to fire, but what if we want to limit the number of alerts
> by offending IP to 1 every hour (type limit, track by_src, count 1,
> seconds 3600)?
>
> alert tcp !$HOME_NET any -> $HOME_NET 25 (msg:"ET POLICY Inbound
> Frequent Emails - Possible Spambot Inbound"; flow:established;
> content:"mail from|3a|"; nocase; threshold: type threshold, track
> by_src, count 10, seconds 60;
> reference:url,doc.emergingthreats.net/2002087;
> classtype:misc-activity; sid:2002087; rev:10; metadata:created_at
> 2010_07_30, updated_at 2010_07_30;)
>
> \\korodev
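As an added illustration (not Suricata code, and not from the thread): the small model below implements the documented semantics of each threshold type on its own, a "type threshold" (the Nth match inside a window fires, then the counter restarts) and a "type limit" (only the first N alerts inside a window pass), both tracked by source. It then chains them, signature threshold first and global limit second, which is the behaviour the question asks for. The chaining order, the timestamps and the IP addresses are constructed assumptions; whether Suricata actually keeps the rule's threshold when a global limit is configured is exactly the open question here, and the model does not settle it.

```python
# Added model of Suricata's "type threshold" and "type limit" semantics.
# Not Suricata's implementation; written to show how the two windows
# would compose if both were applied, which is an assumption.

class TypeThreshold:
    """type threshold, count N, seconds S: the Nth match inside a window
    of S seconds raises an alert, after which the counter restarts."""

    def __init__(self, count, seconds):
        self.count = count
        self.seconds = seconds
        self.state = {}   # track key -> (window_start, matches_so_far)
        self.fired = 0    # how many times the threshold was reached

    def hit(self, key, ts):
        start, n = self.state.get(key, (None, 0))
        if start is None or ts - start >= self.seconds:
            start, n = ts, 0           # window expired: start a new one
        n += 1
        if n >= self.count:
            self.state[key] = (ts, 0)  # fire and reset the counter
            self.fired += 1
            return True
        self.state[key] = (start, n)
        return False


class TypeLimit:
    """type limit, count N, seconds S: only the first N alerts inside a
    window of S seconds are passed on; the rest are suppressed."""

    def __init__(self, count, seconds):
        self.count = count
        self.seconds = seconds
        self.state = {}   # track key -> (window_start, alerts_so_far)

    def allow(self, key, ts):
        start, n = self.state.get(key, (None, 0))
        if start is None or ts - start >= self.seconds:
            start, n = ts, 0           # new window: counting starts over
        n += 1
        self.state[key] = (start, n)
        return n <= self.count


def simulate(events, sig_threshold, global_limit):
    """events: (src_ip, timestamp) rule matches in time order.
    Returns the alerts that survive both stages as (src_ip, timestamp)."""
    emitted = []
    for src, ts in events:
        if not sig_threshold.hit(src, ts):
            continue                   # fewer than `count` matches in window
        if global_limit.allow(src, ts):
            emitted.append((src, ts))
    return emitted


def run_example():
    # Constructed input: one host (10.0.0.5) issues 30 MAIL FROM commands
    # in the first minute and 10 more just over an hour later; a second
    # host (10.0.0.9) issues only 5, which never reaches the threshold.
    events = [("10.0.0.5", t) for t in range(0, 60, 2)]
    events += [("10.0.0.9", t) for t in range(0, 10, 2)]
    events += [("10.0.0.5", t) for t in range(4000, 4020, 2)]
    events.sort(key=lambda e: e[1])

    sig = TypeThreshold(count=10, seconds=60)   # the rule's own threshold
    lim = TypeLimit(count=1, seconds=3600)      # the desired global limit
    alerts = simulate(events, sig, lim)
    # The rule threshold is reached 4 times (10th, 20th, 30th match in the
    # first minute, then the 10th match an hour later); the hourly limit
    # lets only the first and the last of those through.
    return alerts, sig.fired


if __name__ == "__main__":
    alerts, fired = run_example()
    print("threshold reached:", fired, "alerts emitted:", alerts)
```

Running it shows the signature firing four times for 10.0.0.5 while only two alerts, one per hour-long window, reach the output; 10.0.0.9 never appears because its five matches stay below the rule's count. If Suricata did let the global limit replace the rule's threshold instead, every single MAIL FROM from 10.0.0.5 would count toward the hourly limit and the "10 in 60 seconds" condition would vanish, which is the distinction the question turns on.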

