Feature #4393
openThreshold default configuration
Description
Hi,
I've some trouble about the default configuration about suricata-update.
I don't find any reference in documentation.
To get a proper threshold configuration for suricata with suricata-update We've to do it via CLI:
suricata-update --threshold-in threshold-file-input --threshold-out threshold-file-output
And of course in suricata config (for example suricata.yaml) the reference about global threshold with:
threshold-file: threshold-file-output
But, there is a way like for disable, enable ecc with disable-conf, enable-conf, drop-conf ecc... to set threshold-file-input and threshold-file-output in the suricata-update config file (like the default one /etc/suricata/update.yaml)?
Many thanks
Veshialle
Updated by Jason Ish about 3 years ago
I might need some more examples of what you are trying to do in order to help out. But the thresholding support is not used at all by default. Unless you have a need for the expansion of regular expressions it can do, I recomment not using suricata-update for your threshold.conf.
Updated by Matteo Gruppi about 3 years ago
Jason Ish wrote in #note-1:
I might need some more examples of what you are trying to do in order to help out. But the thresholding support is not used at all by default. Unless you have a need for the expansion of regular expressions it can do, I recomment not using suricata-update for your threshold.conf.
What I mean instead of using --threshold-in and --threshold-out arguments for suricata update if there is something automatic (like for disable-conf ecc...) inside the update.yaml file.
Of course this is the case for regex, in this particular case I'm trying to threshold all the stream-event.
Thank you
Updated by Jason Ish over 2 years ago
- Assignee changed from Shivani Bhardwaj to Jason Ish
Updated by Victor Julien about 2 years ago
- Tracker changed from Support to Feature
Seems the feature request is for threshold be handled at a default location?
Updated by Matteo Gruppi about 2 years ago
Victor Julien wrote in #note-4:
Seems the feature request is for threshold be handled at a default location?
Hi Victor, sorry but I don't remember the use case really well.
Reading previous messages I guess that: setting the threshold-in and threshold-out is needed to set them from the command line, could be more usefull to set them in the suricata.yaml.
Answering your question: the request is not to set a default file/location for these files but to be able to declare the files in suricata.yaml.
Thanks