Support #3045

How limiting the number of alerts in the fast.log

Added by Ivan Ivanov 3 months ago. Updated 3 months ago.

Status: Assigned
Priority: Normal
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

Could you please tell me how it is possible to set up Suricata so that only one alert per pcap file gets into the fast.log, even if the rule matched several times in it. The goal is to apply this setting to all rules at the same time.

History

#1

Updated by Andreas Herz 3 months ago

  • Status changed from New to Assigned
  • Assignee set to Community Ticket
  • Target version set to Support

#2

Updated by Ivan Ivanov 3 months ago

Thanks for your answer.
If I use global thresholds (like: threshold gen_id 0, sig_id 0, type both, track by_src, count 1, seconds 60), can they overwrite rule thresholds? In my case this would not be desirable behavior, because there are rules in the ruleset with specific thresholds and a specially chosen count value.
For example, would such a rule be spoiled by the global threshold?
in some rule: threshold: type both, track by_src, count 10, seconds 60;
in global-thresholds: threshold gen_id 0, sig_id 0, type both, track by_src, count 1, seconds 60

#3

Updated by Peter Manev 3 months ago

Yes - when applied to a specific signature the global threshold will overwrite the rule threshold - https://suricata.readthedocs.io/en/latest/configuration/global-thresholds.html#id3
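To make the effect concrete, here is an added Python model of the three documented threshold types (limit, threshold, both) with by_src/by_dst tracking, run over a constructed set of rule matches. It is not Suricata code and not from this ticket; the sids, addresses and timestamps are made up, and the precedence rule it encodes (a gen_id 0 / sig_id 0 entry replaces a rule's own threshold) is the one stated in the linked documentation. It shows the exact case from comment #2: a rule with "type both, count 10" that has only eight matches in its window produces no alert on its own, but produces one alert as soon as the global "count 1" entry is in place, because the rule's count is no longer consulted.

```python
# Added example: a simplified model of Suricata threshold semantics, used to
# show what a global (gen_id 0, sig_id 0) threshold does to rules that carry
# their own threshold. Not Suricata code; all sample data below is constructed.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Threshold:
    """One threshold setting: kind is limit|threshold|both, track is by_src|by_dst."""
    kind: str
    track: str
    count: int
    seconds: int


@dataclass(frozen=True)
class Match:
    """A raw rule match before thresholding (constructed stand-in for a packet)."""
    ts: float
    sid: int
    src: str
    dst: str


class Thresholder:
    """Keeps a (window_start, matches_in_window) pair per (sid, tracked address)."""

    def __init__(self) -> None:
        self._state: Dict[Tuple[int, str], Tuple[float, int]] = {}

    def allow(self, m: Match, th: Optional[Threshold]) -> bool:
        if th is None:
            return True  # no threshold at all: every match becomes an alert
        key = (m.sid, m.src if th.track == "by_src" else m.dst)
        start, n = self._state.get(key, (m.ts, 0))
        if m.ts - start >= th.seconds:  # window expired: open a fresh one
            start, n = m.ts, 0
        n += 1
        self._state[key] = (start, n)
        if th.kind == "limit":
            return n <= th.count       # only the first `count` matches per window
        if th.kind == "threshold":
            return n % th.count == 0   # every `count`-th match per window
        if th.kind == "both":
            return n == th.count       # exactly once per window, once `count` is reached
        raise ValueError(f"unknown threshold type {th.kind!r}")


def effective_threshold(sid: int, rule_thresholds: Dict[int, Threshold],
                        global_threshold: Optional[Threshold]) -> Optional[Threshold]:
    """A gen_id 0 / sig_id 0 entry overrides the rule's own threshold (per the docs
    linked above); without one, the rule threshold, if any, applies."""
    if global_threshold is not None:
        return global_threshold
    return rule_thresholds.get(sid)


def run(matches: List[Match], rule_thresholds: Dict[int, Threshold],
        global_threshold: Optional[Threshold] = None) -> List[Match]:
    """Return the matches that survive thresholding, i.e. what would reach fast.log."""
    t = Thresholder()
    return [m for m in matches
            if t.allow(m, effective_threshold(m.sid, rule_thresholds, global_threshold))]


# Constructed sample: sid 1000001 carries "threshold: type both, track by_src,
# count 10, seconds 60"; sid 1000002 has no threshold. One source address
# triggers sid 1000001 eight times and sid 1000002 five times within a minute.
RULE_THRESHOLDS = {1000001: Threshold("both", "by_src", 10, 60)}
MATCHES = (
    [Match(1.0 + i, 1000001, "10.0.0.5", "192.0.2.10") for i in range(8)]
    + [Match(20.0 + i, 1000002, "10.0.0.5", "192.0.2.10") for i in range(5)]
)
# threshold gen_id 0, sig_id 0, type both, track by_src, count 1, seconds 60
GLOBAL = Threshold("both", "by_src", 1, 60)


def alerts_per_sid(global_threshold: Optional[Threshold] = None) -> Dict[int, int]:
    """Count surviving alerts per sid for the sample above."""
    out: Dict[int, int] = {}
    for m in run(MATCHES, RULE_THRESHOLDS, global_threshold):
        out[m.sid] = out.get(m.sid, 0) + 1
    return out


if __name__ == "__main__":
    print("rule thresholds only:", alerts_per_sid())        # {1000002: 5}
    print("with global count 1 :", alerts_per_sid(GLOBAL))  # {1000001: 1, 1000002: 1}
```

Two things worth noting from the run. First, the global entry does not just cap sid 1000002; it also makes sid 1000001 fire on its first match even though the rule author asked for ten, which is the "spoiling" asked about in comment #2. Second, "track by_src, count 1, seconds 60" gives one alert per source address per sid per 60-second window, not one alert per pcap: a capture with several sources, or one that spans more than a minute, still produces several fast.log lines.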