Feature #3845

open

Threshold Hit Counter (for SID/IP)

Added by Daniel Weber over 4 years ago. Updated 5 months ago.

Status:
New
Priority:
Normal
Target version:
Effort:
Difficulty:
Label:

Description

I propose a feature to the devs, which generates a basic stats file, where the total count of filtered (via threshold) suricata events are logged.

For example if this rule is enabled:

event_filter \
gen_id 1, sig_id 0, \
type limit, track by_src, \
count 1, seconds 86400

to limit the alerts to 1 per src_ip / event / per day,
it would be nice to have a log of the actual hits per src_ip / event.

An example output:

SID=1234, SRC_IP=x Total_Count=1200 (1199 not shown due to threshold)
SID=1234, SRC_IP=y Total_Count=2 (1 not shown due to threshold)
SID=4321, SRC_IP=y Total_Count=5 (4 not shown due to threshold)

This data can give big insights (regarding actual “attack” counts),
since one does not know how many events are actually filtered by the threshold.

Any workaround such as setting the threshold manually to different values to get
a rough estimation is welcome as comment.

Thank you very much!
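The following Python script is an added illustration of what the requested counter would record; it is not Suricata code and not part of the ticket. It parses an event_filter entry of the same form as the one quoted above, replays the "type limit, track by_src" semantics (the first `count` events per source within `seconds` are alerted, the rest of the window is hidden, and the window restarts once it has expired) over a constructed stream of events, and prints the per-SID/source totals in the proposed output format. The rule text, event tuples, IP addresses and the LimitHitCounter class are all constructed for this example; the windowing is a simplified model of the documented behaviour, not Suricata's internal implementation.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed threshold.config entry, same shape as the one quoted in the ticket
RULE_TEXT = r"""
event_filter \
gen_id 1, sig_id 0, \
type limit, track by_src, \
count 1, seconds 86400
"""


def parse_event_filter(text: str) -> dict:
    """Parse a backslash-continued 'event_filter' entry into its options
    (gen_id, sig_id, type, track, count, seconds)."""
    joined = re.sub(r"\\\s*\n", " ", text.strip())   # join continuation lines
    head, _, body = joined.partition(" ")
    if head != "event_filter":
        raise ValueError(f"not an event_filter entry: {head!r}")
    opts = {}
    for item in body.split(","):
        parts = item.split()
        if not parts:
            continue                                   # tolerate a trailing comma
        key, value = parts
        opts[key] = int(value) if value.isdigit() else value
    return opts


@dataclass
class HitState:
    window_start: float = 0.0   # start time of the current limit window
    window_fired: int = 0       # alerts emitted in the current window
    total: int = 0              # every matching event, shown or hidden
    shown: int = 0              # events that actually produced an alert


class LimitHitCounter:
    """Simplified model of 'type limit, track by_src': alert on the first
    `count` events per source within `seconds`, hide the rest of the window,
    and keep the total the ticket asks to be logged (hypothetical helper)."""

    def __init__(self, rule: dict):
        if rule.get("type") != "limit" or rule.get("track") != "by_src":
            raise ValueError("this example only models 'type limit, track by_src'")
        self.rule = rule
        self.state = defaultdict(HitState)

    def matches(self, gid: int, sid: int) -> bool:
        # sig_id 0 means the filter applies to every signature of that gen_id
        return gid == self.rule["gen_id"] and self.rule["sig_id"] in (0, sid)

    def process(self, gid: int, sid: int, src_ip: str, ts: float) -> bool:
        """Feed one event; return True if the alert would be emitted."""
        if not self.matches(gid, sid):
            return True   # signature not covered by this filter: always alerted
        st = self.state[(sid, src_ip)]
        if st.total == 0 or ts - st.window_start >= self.rule["seconds"]:
            st.window_start = ts      # first event, or the previous window expired
            st.window_fired = 0
        st.total += 1
        if st.window_fired < self.rule["count"]:
            st.window_fired += 1
            st.shown += 1
            return True
        return False

    def report(self) -> list[str]:
        """Render per-SID/source counts in the format proposed in the ticket."""
        return [
            f"SID={sid}, SRC_IP={src} Total_Count={st.total} "
            f"({st.total - st.shown} not shown due to threshold)"
            for (sid, src), st in sorted(self.state.items())
        ]


# Constructed events: (gen_id, sid, src_ip, timestamp in seconds)
SAMPLE_EVENTS = [
    (1, 1234, "10.0.0.5", 0.0), (1, 1234, "10.0.0.5", 10.0), (1, 1234, "10.0.0.5", 20.0),
    (1, 1234, "10.0.0.6", 0.0), (1, 1234, "10.0.0.6", 90000.0),   # second one is a new day
    *[(1, 4321, "10.0.0.6", float(t)) for t in range(5)],
]


def run_example(events=SAMPLE_EVENTS) -> list[str]:
    counter = LimitHitCounter(parse_event_filter(RULE_TEXT))
    for gid, sid, src, ts in events:
        counter.process(gid, sid, src, ts)
    return counter.report()


if __name__ == "__main__":
    print("\n".join(run_example()))
```

The point of the model is the difference between `total` and `shown`: eve.json only ever contains the `shown` events, so the hidden count can only be produced by something that sees every match before the threshold is applied, which is why the ticket asks for it inside the engine rather than as a log post-processing step.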

#1

Updated by Philippe Antoine 5 months ago

  • Assignee set to Community Ticket
  • Target version set to TBD