Thresholding Keywords ===================== Thresholding can be configured per rule and also globally, see :doc:`../configuration/global-thresholds`. Thresholds are tracked in a hash table that is sized according to configuration, see: :ref:`suricata-yaml-thresholds`. *Note: mixing rule and global thresholds is not supported in 1.3 and before. See bug #425.* For the state of the support in 1.4 see :ref:`global-thresholds-vs-rule-thresholds` threshold --------- The threshold keyword can be used to control the rule's alert frequency. It has 3 modes: threshold, limit and both. Syntax:: threshold: type , track , count , |multiplier > type "threshold" ~~~~~~~~~~~~~~~~ This type can be used to set a minimum threshold for a rule before it generates alerts. A threshold setting of N means on the Nth time the rule matches an alert is generated. Example:: alert tcp !$HOME_NET any -> $HOME_NET 25 (msg:"ET POLICY Inbound Frequent Emails - Possible Spambot Inbound"; \ flow:established; content:"mail from|3a|"; nocase; \ threshold: type threshold, track by_src, count 10, seconds 60; \ reference:url,doc.emergingthreats.net/2002087; classtype:misc-activity; sid:2002087; rev:10;) This signature only generates an alert if we get 10 inbound emails or more from the same server in a time period of one minute. If a signature sets a flowbit, flowint, etc. those actions are still performed for each of the matches. *Rule actions drop (IPS mode) and reject are applied to each packet (not only the one that meets the threshold condition).* type "limit" ~~~~~~~~~~~~ This type can be used to make sure you're not getting flooded with alerts. If set to limit N, it alerts at most N times. Example:: alert http $HOME_NET any -> any $HTTP_PORTS (msg:"ET USER_AGENTS Internet Explorer 6 in use - Significant Security Risk"; \ flow:to_server,established; content:"|0d 0a|User-Agent|3a| Mozilla/4.0 (compatible|3b| MSIE 6.0|3b|"; \ threshold: type limit, track by_src, seconds 180, count 1; \ reference:url,doc.emergingthreats.net/2010706; classtype:policy-violation; sid:2010706; rev:7;) In this example at most 1 alert is generated per host within a period of 3 minutes if MSIE 6.0 is detected. If a signature sets a flowbit, flowint, etc. those actions are still performed for each of the matches. *Rule actions drop (IPS mode) and reject are applied to each packet (not only the one that meets the limit condition).* type "both" ~~~~~~~~~~~ This type is a combination of the "threshold" and "limit" types. It applies both thresholding and limiting. Example:: alert tcp $HOME_NET 5060 -> $EXTERNAL_NET any (msg:"ET VOIP Multiple Unauthorized SIP Responses TCP"; \ flow:established,from_server; content:"SIP/2.0 401 Unauthorized"; depth:24; \ threshold: type both, track by_src, count 5, seconds 360; \ reference:url,doc.emergingthreats.net/2003194; classtype:attempted-dos; sid:2003194; rev:6;) This alert will only generate an alert if within 6 minutes there have been 5 or more "SIP/2.0 401 Unauthorized" responses, and it will alert only once in that 6 minutes. If a signature sets a flowbit, flowint, etc. those actions are still performed for each of the matches. *Rule actions drop (IPS mode) and reject are applied to each packet.* type "backoff" ~~~~~~~~~~~~~~ Allow limiting of alert output by using a backoff algorithm. Syntax:: threshold: type backoff, track by_flow, count , multiplier ; ``track``: backoff is only supported for ``by_flow`` ``count``: number of alerts before the first match is logged ``multiplier``: value to multiply ``count`` with each time the next value is reached A count of 1 with a multiplier of 10 would generate alerts for matching packets:: 1, 10, 100, 1000, 10000, 100000, etc. A count of 1 with a multiplier of 2 would generate alerts for matching packets:: 1, 2, 4, 8, 16, 32, 64, etc. A count of 5 with multiplier 5 would generate alerts for matching packets:: 5, 25, 125, 625, 3125, 15625, etc In the following example, the ``pkt_invalid_ack`` would only lead to alerts the 1st, 10th, 100th, etc. .. container:: example-rule alert tcp any any -> any any (stream-event:pkt_invalid_ack; \ :example-rule-options:`threshold:type backoff, track by_flow, count 1, multiplier 10;` sid:2210045; rev:2;) If a signature sets a flowbit, flowint, etc. those actions are still performed for each of the matches. *Rule actions drop (IPS mode) and reject are applied to each matching packet.* track ~~~~~ .. table:: +------------------+--------------------------+ |Option |Tracks By | +==================+==========================+ |by_src |source IP | +------------------+--------------------------+ |by_dst |destination IP | +------------------+--------------------------+ |by_both |pair of src IP and dst IP | +------------------+--------------------------+ |by_rule |signature id | +------------------+--------------------------+ |by_flow |flow | +------------------+--------------------------+ detection_filter ---------------- The detection_filter keyword can be used to alert on every match after a threshold has been reached. It differs from the threshold with type threshold in that it generates an alert for each rule match after the initial threshold has been reached, where the latter will reset it's internal counter and alert again when the threshold has been reached again. Syntax:: detection_filter: track , count , seconds Example:: alert http $EXTERNAL_NET any -> $HOME_NET any \ (msg:"ET WEB_SERVER WebResource.axd access without t (time) parameter - possible ASP padding-oracle exploit"; \ flow:established,to_server; content:"GET"; http_method; content:"WebResource.axd"; http_uri; nocase; \ content:!"&t="; http_uri; nocase; content:!"&|3b|t="; http_uri; nocase; \ detection_filter:track by_src,count 15,seconds 2; \ reference:url,netifera.com/research/; reference:url,www.microsoft.com/technet/security/advisory/2416728.mspx; \ classtype:web-application-attack; sid:2011807; rev:5;) Alerts each time after 15 or more matches have occurred within 2 seconds. If a signature sets a flowbit, flowint, etc. those actions are still performed for each of the matches. *Rule actions drop (IPS mode) and reject are applied to each packet that generate an alert*