How limiting the number of alerts in the fast.log
Could you please tell me how it is possible to set up Suricata so that only one alert per pcap file gets into the fast.log, even if the rule matched on it several times. The goal is to apply this setting to all rules at the same time.
Updated by Andreas Herz 3 months ago
- Status changed from New to Assigned
- Assignee set to Community Ticket
- Target version set to Support
Updated by Ivan Ivanov 3 months ago
Thanks for your answer.
If I use global thresholds (like - threshold gen_id 0, sig_id 0, type both, track by_src, count 1, seconds 60), can they rewrite the rule thresholds? In my case, this would not be desirable behaviour, because there are rules in the ruleset with specific thresholds and a specially specified count value.
For example, will such a rule be spoiled by global-thresholds?
in some rule: threshold: type both, track by_src, count 10, seconds 60;
in global-thresholds: threshold gen_id 0, sig_id 0, type both, track by_src, count 1, seconds 60
Updated by Peter Manev 3 months ago
Yes - when applied to a specific signature the global threshold will overwrite the rule threshold - https://suricata.readthedocs.io/en/latest/configuration/global-thresholds.html#id3
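The following is an added illustration, not code from this ticket or from Suricata itself. It is a small Python model of the documented threshold semantics (type limit / threshold / both, tracked per source or destination IP over a time interval) that parses both the threshold.config line and the rule keyword quoted above and replays constructed alert events through them. The resolution order (a global entry with gen_id 0, sig_id 0 overriding the rule's own keyword, with a sig_id-specific entry winning over a wildcard) follows the linked documentation as summarised in the answer above; the sample events, the signature ID 1000001 and the IP addresses are constructed for the example.

```python
"""Illustrative model of Suricata threshold handling (not Suricata's own code)."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Threshold:
    kind: str                    # "limit", "threshold" or "both"
    track: str                   # "by_src" or "by_dst"
    count: int
    seconds: int
    gen_id: Optional[int] = None  # only present on threshold.config entries
    sig_id: Optional[int] = None


def parse_threshold(line: str) -> Threshold:
    """Parse a threshold.config line ('threshold gen_id 0, sig_id 0, ...')
    or a rule keyword ('threshold: type both, track by_src, count 10, seconds 60;')."""
    body = line.strip().rstrip(";")
    if body.startswith("threshold "):           # threshold.config form
        body = body.split(None, 1)[1]
    else:                                       # rule keyword form: 'threshold: ...'
        body = body.split(":", 1)[1]
    kv = {}
    for pair in body.split(","):
        key, value = pair.split()
        kv[key] = value
    return Threshold(kind=kv["type"], track=kv["track"], count=int(kv["count"]),
                     seconds=int(kv["seconds"]),
                     gen_id=int(kv["gen_id"]) if "gen_id" in kv else None,
                     sig_id=int(kv["sig_id"]) if "sig_id" in kv else None)


def effective_threshold(gid, sid, rule_threshold, global_entries):
    """Any matching threshold.config entry overrides the rule's own keyword;
    a sig_id-specific entry beats a gen_id-wide one, which beats gen_id 0/sig_id 0."""
    for match in ((gid, sid), (gid, 0), (0, 0)):
        for entry in global_entries:
            if (entry.gen_id, entry.sig_id) == match:
                return entry
    return rule_threshold


class ThresholdTracker:
    """Per (gid, sid, tracked IP) counter with a fixed interval starting at the first event."""

    def __init__(self):
        self.state = {}  # (gid, sid, ip) -> (window_start, events_in_window)

    def should_alert(self, t, gid, sid, src, dst, ts):
        if t is None:                    # no threshold at all: every match alerts
            return True
        ip = src if t.track == "by_src" else dst
        key = (gid, sid, ip)
        start, n = self.state.get(key, (ts, 0))
        if ts - start >= t.seconds:      # interval expired: start a fresh one
            start, n = ts, 0
        n += 1
        self.state[key] = (start, n)
        if t.kind == "limit":            # alert on the first `count` events, then ignore
            return n <= t.count
        if t.kind == "threshold":        # alert every `count` events
            return n % t.count == 0
        if t.kind == "both":             # alert once when `count` is reached, then ignore
            return n == t.count
        raise ValueError(f"unknown threshold type {t.kind}")


def count_alerts(events, gid, sid, rule_line=None, global_lines=()):
    """Replay (timestamp, src, dst) matches for one signature and count fast.log alerts."""
    rule_t = parse_threshold(rule_line) if rule_line else None
    entries = [parse_threshold(line) for line in global_lines]
    t = effective_threshold(gid, sid, rule_t, entries)
    tracker = ThresholdTracker()
    return sum(1 for ts, src, dst in events
               if tracker.should_alert(t, gid, sid, src, dst, ts))


# Constructed sample: sid 1000001 matches five times from one source within 30 s,
# then five more times 100 s later, i.e. in a second 60-second interval.
EVENTS = [(ts, "10.0.0.5", "192.0.2.10") for ts in (0, 5, 10, 20, 30)] + \
         [(ts, "10.0.0.5", "192.0.2.10") for ts in (100, 101, 102, 103, 104)]

RULE_THRESHOLD = "threshold: type both, track by_src, count 10, seconds 60;"
GLOBAL_THRESHOLD = "threshold gen_id 0, sig_id 0, type both, track by_src, count 1, seconds 60"

if __name__ == "__main__":
    print("no threshold:   ", count_alerts(EVENTS, 1, 1000001))
    print("rule keyword:   ", count_alerts(EVENTS, 1, 1000001, RULE_THRESHOLD))
    print("global override:", count_alerts(EVENTS, 1, 1000001, RULE_THRESHOLD, [GLOBAL_THRESHOLD]))
```

Replaying the sample shows the effect the reporter is worried about: with only the rule keyword (count 10 within 60 s) the five matches per interval never reach the count and produce no alert, whereas the global gen_id 0 / sig_id 0 entry replaces that keyword and emits one alert per 60-second interval per source, two in total. Note also that "count 1, seconds 60" gives one alert per source IP per interval, not strictly one per pcap; a pcap spanning more than the interval, or containing several source addresses, still yields several fast.log lines.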