Support #4393
Threshold default configuration
Description
Hi,
I have some trouble with the default configuration of suricata-update.
I can't find any reference in the documentation.
To get a proper threshold configuration for suricata with suricata-update we have to do it via the CLI:
suricata-update --threshold-in threshold-file-input --threshold-out threshold-file-output
And of course in suricata config (for example suricata.yaml) the reference about global threshold with:
threshold-file: threshold-file-output
But is there a way, like for disable, enable, etc. with disable-conf, enable-conf, drop-conf, etc., to set threshold-file-input and threshold-file-output in the suricata-update config file (like the default one, /etc/suricata/update.yaml)?
Many thanks
Veshialle
Updated by Jason Ish about 1 month ago
I might need some more examples of what you are trying to do in order to help out. But the thresholding support is not used at all by default. Unless you have a need for the expansion of regular expressions it can do, I recommend not using suricata-update for your threshold.conf.
Updated by Matteo Gruppi 18 days ago
Jason Ish wrote in #note-1:
I might need some more examples of what you are trying to do in order to help out. But the thresholding support is not used at all by default. Unless you have a need for the expansion of regular expressions it can do, I recommend not using suricata-update for your threshold.conf.
What I mean is, instead of using the --threshold-in and --threshold-out arguments for suricata-update, whether there is something automatic (like for disable-conf, etc.) inside the update.yaml file.
Of course this is the case for regex; in this particular case I'm trying to threshold all the stream-event rules.
Thank you
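As an added illustration, not code from suricata-update or from anyone on this ticket, here is a small Python reimplementation of what the --threshold-in / --threshold-out step does with a regular-expression entry, applied to the stream-event case above. It assumes the "threshold re:<regex>, ..." / "suppress re:<regex>, ..." template syntax of suricata-update's threshold.in; the rule lines and the template are constructed samples, and the expanded output is what a threshold-file: entry in suricata.yaml would point at.

```python
import re

# Constructed sample rules (not from the ticket): two stream-event rules and one unrelated rule.
SAMPLE_RULES = """\
alert tcp any any -> any any (msg:"SURICATA STREAM 3way handshake wrong seq wrong ack"; stream-event:3whs_wrong_seq_wrong_ack; sid:2210001; rev:2;)
alert tcp any any -> any any (msg:"SURICATA STREAM Packet with invalid ack"; stream-event:pkt_invalid_ack; sid:2210029; rev:2;)
alert http any any -> any any (msg:"CONSTRUCTED sample rule"; content:"GET"; sid:9000001; rev:1;)
"""

# Constructed threshold template using the re: syntax that suricata-update expands.
SAMPLE_TEMPLATE = """\
# Rate-limit every rule whose text matches 'stream-event'.
threshold re:stream-event, type threshold, track by_src, count 100, seconds 60
# Lines without re: are copied through unchanged.
suppress gen_id 1, sig_id 9000001
"""

SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
GID_RE = re.compile(r"\bgid\s*:\s*(\d+)\s*;")
# kind, then either a quoted regex or a bare one, then an optional ", rest of the threshold line"
TEMPLATE_RE = re.compile(r'^(threshold|suppress)\s+re:(?:"([^"]+)"|(\S+?))(?:,\s*(.*))?$')

def parse_rules(text):
    """Return (gid, sid, rule_text) for each rule line; gid defaults to 1 as in Suricata."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        sid = SID_RE.search(line)
        if not sid:
            continue
        gid = GID_RE.search(line)
        rules.append((int(gid.group(1)) if gid else 1, int(sid.group(1)), line))
    return rules

def expand_threshold(template, rules):
    """Expand each re: entry into one gen_id/sig_id line per matching rule, keeping template order."""
    out = []
    for line in template.splitlines():
        m = TEMPLATE_RE.match(line.strip())
        if not m:
            out.append(line)  # comments, blanks and explicit gen_id/sig_id lines pass through
            continue
        kind, pattern, rest = m.group(1), m.group(2) or m.group(3), m.group(4)
        regex = re.compile(pattern)
        for gid, sid, rule in rules:
            if regex.search(rule):  # match against the whole rule text, as the template form implies
                entry = "%s gen_id %d, sig_id %d" % (kind, gid, sid)
                out.append(entry + (", " + rest if rest else ""))
    return out
```

Running expand_threshold(SAMPLE_TEMPLATE, parse_rules(SAMPLE_RULES)) yields one threshold line per stream-event sid plus the untouched suppress line, which is the file you would hand to Suricata as threshold-file.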