aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
You cannot select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
master
main-7.0.x
master-6.0.x
master-5.0.x
master-4.1.x
master-4.0.x
master-3.2.x
suricata-7.0.8
suricata-7.0.7
suricata-7.0.6
suricata-6.0.20
suricata-7.0.5
suricata-6.0.19
suricata-6.0.18
suricata-7.0.4
suricata-6.0.17
suricata-7.0.3
suricata-6.0.16
suricata-7.0.2
suricata-6.0.15
suricata-7.0.1
suricata-6.0.14
suricata-7.0.0
suricata-7.0.0-rc2
suricata-6.0.13
suricata-6.0.12
suricata-6.0.11
suricata-7.0.0-rc1
suricata-6.0.10
suricata-6.0.9
suricata-7.0.0-beta1
suricata-6.0.8
suricata-6.0.7
suricata-6.0.6
suricata-5.0.10
suricata-6.0.5
suricata-5.0.9
suricata-6.0.4
suricata-5.0.8
suricata-6.0.3
suricata-5.0.7
suricata-6.0.2
suricata-5.0.6
suricata-6.0.1
suricata-5.0.5
suricata-4.1.10
suricata-4.1.9
suricata-5.0.4
suricata-6.0.0
suricata-6.0.0-rc1
suricata-6.0.0-beta1
suricata-5.0.3
suricata-4.1.8
suricata-4.1.7
suricata-5.0.2
suricata-4.1.6
suricata-5.0.1
suricata-5.0.0
suricata-5.0.0-rc1
suricata-4.1.5
suricata-5.0.0-beta1
suricata-4.1.4
suricata-4.1.3
suricata-4.0.7
suricata-4.1.2
suricata-4.1.1
suricata-4.1.0
suricata-4.0.6
suricata-4.1.0-rc2
suricata-4.1.0-rc1
suricata-4.0.5
suricata-4.1.0-beta1
suricata-4.0.4
suricata-4.0.3
suricata-4.0.2
suricata-3.2.5
suricata-4.0.1
suricata-3.2.4
suricata-4.0.0
suricata-4.0.0-rc2
suricata-3.2.3
suricata-4.0.0-rc1
suricata-4.0.0-beta1
suricata-3.2.2
suricata-3.1.4
suricata-3.2.1
suricata-3.2
suricata-3.2RC1
suricata-3.1.3
suricata-3.2beta1
suricata-3.1.2
suricata-3.1.1
suricata-3.1
suricata-3.0.2
suricata-3.1RC1
suricata-3.0.1
suricata-3.0.1RC1
suricata-3.0
suricata-2.0.11
suricata-3.0RC3
suricata-3.0RC2
suricata-3.0RC1
suricata-2.0.10
suricata-2.0.9
suricata-2.1beta4
suricata-2.0.8
suricata-2.0.7
suricata-2.1beta3
suricata-2.0.6
suricata-2.0.5
suricata-2.1beta2
suricata-2.0.4
suricata-2.1beta1
suricata-2.0.3
suricata-2.0.2
suricata-2.0.1
suricata-2.0.1rc1
suricata-2.0
suricata-2.0rc3
suricata-2.0rc2
suricata-2.0rc1
suricata-2.0beta2
suricata-1.4.7
suricata-1.4.6
suricata-1.4.5
suricata-2.0beta1
suricata-1.4.4
suricata-1.4.3
suricata-1.4.2
suricata-1.4.1
suricata-1.3.6
suricata-1.4
suricata-1.3.5
suricata-1.4rc1
suricata-1.3.4
suricata-1.4beta3
suricata-1.3.3
suricata-1.4beta2
suricata-1.3.2
suricata-1.4beta1
suricata-1.3.1
suricata-1.3
suricata-1.3rc1
suricata-1.3beta2
suricata-1.3beta1
suricata-1.2.1
suricata-1.2
suricata-1.2rc1
suricata-1.2beta1
suricata-1.1.1
suricata-0.8.2
suricata-1.0.0
suricata-1.0.1
suricata-1.0.2
suricata-1.0.3
suricata-1.0.4
suricata-1.0.5
suricata-1.1
suricata-1.1beta1
suricata-1.1beta2
suricata-1.1beta3
suricata-1.1rc1
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'master'
${ noResults }
suricata/doc/userguide/rules/thresholding.rst

197 lines
6.6 KiB
ReStructuredText
Raw Permalink Blame History

.. role:: example-rule-emphasis
Thresholding Keywords
=====================
Thresholding can be configured per rule and also globally, see
:doc:`../configuration/global-thresholds`.
Thresholds are tracked in a hash table that is sized according to configuration, see:
:ref:`suricata-yaml-thresholds`.
**IMPORTANT** for both ``threshold`` and ``detection_filter`` keywords
.. note::
Rules that contain ``flowbits``, ``flowints``, etc will still have those actions performed when the rule
contains one of the ``threshold`` keywords. Those actions are not subject to the threshold limits.
Rule actions ``drop`` (IPS mode) and ``reject`` are applied to each packet
(not only the one that meets the limit condition).
threshold
---------
The ``threshold`` keyword can be used to control the rule's alert
frequency. There are four threshold modes:
#. threshold
#. limit
#. both
#. backoff
Syntax::
threshold: type <threshold|limit|both|backoff>, track <by_src|by_dst|by_rule|by_both|by_flow>, count <N>, <seconds <T>|multiplier <M>>
Specify ``seconds`` to control the number of alerts per time period.
type "threshold"
~~~~~~~~~~~~~~~~
This type sets a minimum threshold for a rule before it generates alerts.
A threshold setting with a ``count`` value of ``C`` will generate an alert
the ``Cth`` time the alert matches. If ``seconds`` is specified, an
alert is generated when ``count`` matches have occurred within ``N`` seconds.
Syntax::
threshold: type threshold, track by_flow, count <C>, seconds <N>;
Example:
.. container:: example-rule
alert tcp !$HOME_NET any -> $HOME_NET 25 (msg:"ET POLICY Inbound Frequent Emails - Possible Spambot Inbound";
flow:established; content:"mail from|3a|"; nocase;
:example-rule-emphasis:`threshold: type threshold, track by_src, count 10, seconds 60;`
reference:url,doc.emergingthreats.net/2002087; classtype:misc-activity; sid:2002087; rev:10;)
This signature generates an alert if there are 10 or more inbound emails from the same server within
one minute.
type "limit"
~~~~~~~~~~~~
The ``limit`` type prevents a flood of alerts by limiting the number of alerts.
A limit with a count of ``N`` won't generate more than ``N`` alerts.
Limit the number of alerts per time period by specifying ``seconds`` with
``count.``
Syntax::
threshold: type limit, track by_dst, count <C>, seconds <N>;
Example:
.. container:: example-rule
alert http $HOME_NET any -> any any (msg:"ET INFO Internet Explorer 6 in use - Significant Security Risk";
flow:established,to_server; http.user_agent; content:"Mozilla/4.0 (compatible|3b| MSIE 6.0|3b|";
:example-rule-emphasis:`threshold: type limit, track by_src, seconds 180, count 1;`
classtype:policy-violation; sid:2010706; rev:10; metadata:created_at 2010_07_30, updated_at 2024_03_16;)
In this example, at most 1 alert is generated per host within a period
of 3 minutes if "MSIE 6.0" is detected.
type "both"
~~~~~~~~~~~
This type combines ``threshold`` and ``limit`` to control when alerts
are generated.
Syntax::
threshold: type both, track by_flow, count <C>, multiplier <M>;
Example:
.. container:: example-rule
alert tcp $HOME_NET 5060 -> $EXTERNAL_NET any (msg:"ET VOIP Multiple Unauthorized SIP Responses TCP";
flow:established,from_server; content:"SIP/2.0 401 Unauthorized"; depth:24;
:example-rule-emphasis:`threshold: type both, track by_src, count 5, seconds 360;`
reference:url,doc.emergingthreats.net/2003194; classtype:attempted-dos; sid:2003194; rev:6;)
This rule will generate at most one alert every 6 minutes if there have been 5 or more occurrences
of "SIP2.0 401 Unauthorized" responses.
The ``type backoff`` section describes the ``multiplier`` keyword.
type "backoff"
~~~~~~~~~~~~~~
This type limits the alert output by using a backoff algorithm between alerts.
.. note::
``backoff`` can only be used with ``track by_flow``
Syntax::
threshold: type backoff, track by_flow, count <C>, multiplier <M>;
``track``: backoff is only supported for ``by_flow``
``count``: number of alerts before the first match generates an alert.
``multiplier``: value to multiply ``count`` with each time the next value is reached
A count of 1 with a multiplier of 10 would generate alerts for matching packets::
1, 10, 100, 1000, 10000, 100000, etc.
A count of 1 with a multiplier of 2 would generate alerts for matching packets::
1, 2, 4, 8, 16, 32, 64, etc.
A count of 5 with multiplier 5 would generate alerts for matching packets::
5, 25, 125, 625, 3125, 15625, etc
In the following example, the ``pkt_invalid_ack`` would only lead to alerts the 1st, 10th, 100th, etc.
.. container:: example-rule
alert tcp any any -> any any (stream-event:pkt_invalid_ack;
:example-rule-emphasis:`threshold:type backoff, track by_flow, count 1, multiplier 10;`
sid:2210045; rev:2;)
track
~~~~~
.. table::
+------------------+--------------------------+
|Option |Tracks By |
+==================+==========================+
|by_src |source IP |
+------------------+--------------------------+
|by_dst |destination IP |
+------------------+--------------------------+
|by_both |pair of src IP and dst IP |
+------------------+--------------------------+
|by_rule |signature id |
+------------------+--------------------------+
|by_flow |flow |
+------------------+--------------------------+
detection_filter
----------------
The ``detection_filter`` keyword can be used to alert on every match after
an initial threshold has been reached. It differs from ``threshold`` with type
``threshold`` in that it generates an alert for each rule match after the
initial threshold has been reached, where the latter will reset its
internal counter and alert each time the threshold has been reached.
Syntax::
detection_filter: track <by_src|by_dst|by_rule|by_both|by_flow>, count <N>, seconds <T>
Example:
.. container:: example-rule
alert http $EXTERNAL_NET any -> $HOME_NET any
(msg:"ET WEB_SERVER WebResource.axd access without t (time) parameter - possible ASP padding-oracle exploit";
flow:established,to_server; content:"GET"; http_method; content:"WebResource.axd"; http_uri; nocase;
content:!"&t="; http_uri; nocase; content:!"&amp|3b|t="; http_uri; nocase;
:example-rule-emphasis:`detection_filter:track by_src,count 15,seconds 2;`
reference:url,netifera.com/research/; reference:url,www.microsoft.com/technet/security/advisory/2416728.mspx;
classtype:web-application-attack; sid:2011807; rev:5;)
This rule will generate alerts after 15 or more matches have occurred within 2 seconds.
Reference in New Issue View Git Blame Copy Permalink