Support #4393

Threshold default configuration

Added by Matteo Gruppi about 1 month ago. Updated 18 days ago.

Status: New
Priority: Normal
Affected Versions:
Label:

Description

Hi,
I'm having some trouble with the default configuration of suricata-update.
I can't find any reference in the documentation.
To get a proper threshold configuration for Suricata with suricata-update we have to do it via the CLI:
suricata-update --threshold-in threshold-file-input --threshold-out threshold-file-output
And of course in the Suricata config (for example suricata.yaml) the reference to the global threshold file with:
threshold-file: threshold-file-output

But is there a way, like for disable, enable etc. with disable-conf, enable-conf, drop-conf etc., to set threshold-file-input and threshold-file-output in the suricata-update config file (like the default one, /etc/suricata/update.yaml)?

Many thanks
Veshialle

#1

Updated by Jason Ish about 1 month ago

I might need some more examples of what you are trying to do in order to help out. But the thresholding support is not used at all by default. Unless you have a need for the expansion of regular expressions it can do, I recommend not using suricata-update for your threshold.conf.

#2

Updated by Matteo Gruppi 18 days ago

Jason Ish wrote in #note-1:

I might need some more examples of what you are trying to do in order to help out. But the thresholding support is not used at all by default. Unless you have a need for the expansion of regular expressions it can do, I recommend not using suricata-update for your threshold.conf.

What I mean is: instead of using the --threshold-in and --threshold-out arguments for suricata-update, is there something automatic (like for disable-conf etc.) inside the update.yaml file?

Of course this is the case for regex; in this particular case I'm trying to threshold all the stream-events.

Thank you
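The regex expansion Jason mentions in #1 is the one thing suricata-update's --threshold-in / --threshold-out pass does that a hand-written threshold.conf cannot, and thresholding every stream-event rule, as asked in #2, is exactly the use case for it. The script below is an added illustration for this thread, not suricata-update's own code or its documented API: it re-implements the expansion step as the thread describes it, so you can see what the output file that threshold-file: points at ends up containing. The assumptions it makes are labelled in the comments: a selector is written as a bare re:<regex> running up to the next comma or as a quoted re:"<regex>"; the regex is matched case-insensitively against the whole text of each enabled rule; commented-out rules are skipped; lines without a selector are copied through unchanged. The sample rules, their sids and the threshold.in lines are constructed for the example and are not from any shipped ruleset.

```python
"""Expand re:<regex> selectors in a threshold.in-style file into per-rule
threshold.conf entries (added illustration; not suricata-update's code)."""
import re
from typing import List, NamedTuple


class Rule(NamedTuple):
    gid: int
    sid: int
    msg: str
    raw: str


# Constructed sample rule set: sids are made up, not real Suricata/ET sids.
SAMPLE_RULES = """\
alert tcp any any -> any any (msg:"SURICATA STREAM 3way handshake wrong seq wrong ack"; stream-event:3whs_wrong_seq_wrong_ack; classtype:protocol-command-decode; sid:9000001; rev:1;)
alert tcp any any -> any any (msg:"SURICATA STREAM ESTABLISHED packet out of window"; stream-event:est_packet_out_of_window; classtype:protocol-command-decode; sid:9000002; rev:1;)
alert tcp any any -> any any (msg:"SURICATA STREAM Packet with invalid ack"; stream-event:pkt_invalid_ack; classtype:protocol-command-decode; sid:9000003; rev:1;)
#alert tcp any any -> any any (msg:"SURICATA STREAM disabled example"; stream-event:reassembly_seq_gap; sid:9000004; rev:1;)
alert http any any -> any any (msg:"EXAMPLE HTTP suspicious user agent"; content:"evil-ua"; http_user_agent; sid:9000010; rev:1;)
"""

# Constructed threshold.in: a pass-through line, a bare selector, a quoted one.
SAMPLE_THRESHOLD_IN = """\
# No selector: copied through unchanged
suppress gen_id 1, sig_id 9000010, track by_src, ip 10.0.0.0/8
# One threshold entry per enabled rule whose text contains "stream-event"
threshold re:stream-event, type limit, track by_src, count 1, seconds 60
# Quoted form, so the regex may contain spaces or commas
suppress re:"invalid ack"
"""

SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
GID_RE = re.compile(r"\bgid\s*:\s*(\d+)\s*;")
MSG_RE = re.compile(r'\bmsg\s*:\s*"([^"]*)"')

# Assumed selector syntax. The quoted form is tried first so a quoted regex
# containing a comma is not cut short by the bare form.
SELECTOR_RES = [
    re.compile(r'(?<!\S)(re:"(.*?)")'),
    re.compile(r"(?<!\S)(re:([^,]*))"),
]


def parse_rules(text: str) -> List[Rule]:
    """Keep enabled rules that carry a sid; gid defaults to 1 as in Suricata."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # blank line or disabled (commented-out) rule
        sid = SID_RE.search(line)
        if not sid:
            continue
        gid = GID_RE.search(line)
        msg = MSG_RE.search(line)
        rules.append(Rule(int(gid.group(1)) if gid else 1, int(sid.group(1)),
                          msg.group(1) if msg else "", line))
    return rules


def expand_line(line: str, rules: List[Rule]) -> List[str]:
    """Return the output line(s) produced for one threshold.in line."""
    line = line.strip()
    if not line or line.startswith("#"):
        return [line]
    for selector in SELECTOR_RES:
        m = selector.search(line)
        if m:
            break
    else:
        return [line]  # ordinary gen_id/sig_id entry: pass through unchanged
    token, pattern = m.group(1), m.group(2).strip()
    regex = re.compile(pattern, re.IGNORECASE)  # assumed: case-insensitive
    out = []
    for rule in rules:
        if regex.search(rule.raw):  # assumed: matched against the whole rule
            out.append(f"# {rule.msg}")
            out.append(line.replace(token, f"gen_id {rule.gid}, sig_id {rule.sid}", 1))
    return out


def expand_threshold(threshold_in: str, rules_text: str) -> List[str]:
    """Full threshold.in -> threshold.conf expansion, comments included."""
    rules = parse_rules(rules_text)
    out: List[str] = []
    for line in threshold_in.splitlines():
        out.extend(expand_line(line, rules))
    return out


def generated_entries(threshold_in: str, rules_text: str) -> List[str]:
    """Only the effective entries, i.e. without comments and blank lines."""
    return [l for l in expand_threshold(threshold_in, rules_text)
            if l and not l.startswith("#")]


if __name__ == "__main__":
    print("\n".join(expand_threshold(SAMPLE_THRESHOLD_IN, SAMPLE_RULES)))
```

Running the script prints the expanded file: the suppress for sid 9000010 is copied through, the threshold re:stream-event line becomes three threshold entries (one per enabled stream-event rule, the commented-out sid 9000004 is skipped), and suppress re:"invalid ack" becomes a single suppress for sid 9000003. Whatever produces it, the generated file is what suricata.yaml's threshold-file: must reference, and it has to be regenerated whenever the rule set changes, which is why the expansion belongs in the same run as the rule update.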
