Feature #3845
openThreshold Hit Counter (for SID/IP)
Description
I propose a feature to the devs, which generates a basic stats file, where the total count of filtered (via threshold) suricata events are logged.
For example if this rule is enabled:
event_filter \
gen_id 1, sig_id 0, \
type limit, track by_src, \
count 1, seconds 86400
to limit the alerts to 1 per src_ip / event / per day,
it would be nice to have a log of the actual hits per src_ip / event.
An example output:
SID=1234, SRC_IP=x Total_Count=1200 (1199 not shown due to threshold)
SID=1234, SRC_IP=y Total_Count=2 (1 not shown due to threshold)
SID=4321, SRC_IP=y Total_Count=5 (4 not shown due to threshold)
This data can give big insides (regarding actual “attack”-counts),
since one does not know how much events are actual filtered by the threshold.
Any workaround such as setting the threshold manually to different values to get
a rough estimation is welcome as comment.
Thank you very much!
Updated by Philippe Antoine 6 months ago
- Assignee set to Community Ticket
- Target version set to TBD