Project

General

Profile

Actions
Copy link

Feature #7120

closed

threshold: add backoff type

Added by Victor Julien 3 months ago. Updated 2 months ago.

Status:
Closed
Priority:
Normal
Assignee:
Victor Julien
Target version:
8.0.0-beta1
Effort:
Difficulty:
Label:

Description

Implement new `type backoff` for thresholding. This allows alerts to be limited. This is meant to control output of potentially extremely verbose rules like stream rules, decoder events, etc.

A count of 1 with a multiplier of 10 would generate alerts for matching packets: 1, 10, 100, 1000, 10000, 100000, etc.
A count of 1 with a multiplier of 2would generate alerts for matching packets: 1, 2, 4, 8, 16, 32, etc.

Like with other thresholds, rule actions like drop and setting of flowbits will still be performed for each matching packet.

Related issues 1 (0 open1 closed)

Blocked by Suricata - Feature #6822: threshold: support tracking by flowClosedVictor JulienActions
Actions
Copy link
 #1

Updated by Victor Julien 3 months ago

  • Blocked by Feature #6822: threshold: support tracking by flow added
Actions
Copy link
 #2

Updated by Victor Julien 3 months ago

  • Status changed from In Progress to In Review
Actions
Copy link
 #3

Updated by Victor Julien 2 months ago

  • Status changed from In Review to Closed
Actions
Copy link

Also available in: Atom PDF