Suricata

I found a open source rule with 2 threshold keywords:

```
alert http1 $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Win32.Pushdo.s Checkin"; <...> threshold:type threshold,track by_src,count 1,seconds 60; threshold:type limit,track by_src,count 1,seconds 600; threshold:type threshold,track by_src,count 1,seconds 60; threshold:type threshold,track by_src,count 1,seconds 60; classtype:command-and-control; sid:2016867; rev:8; metadata:created_at 2013_05_21, signature_severity Major, updated_at 2024_04_07;)
```

I've sent feedback to the ET team, but I was surprised to find there was no warning from suricata:

```
$ /opt/suricata-7.0.3.profiling/src/suricata -vvv -c /opt/suricata-7.0.3.profiling/suricata.yaml -k none --set stream.midstream=true --set classification-file=/opt/suricata-7.0.3.profiling/etc/classification.config --set reference-config-file=/opt/suricata-7.0.3.profiling/etc/reference.config --set threshold-file=/opt/suricata-7.0.3.profiling/threshold.config -l . -r merged.pcap -S /home/user/rules/suricata.local.rules --engine-analysis
[847213] Notice: suricata: This is Suricata version 7.0.3 RELEASE running in USER mode
[847213] Info: cpu: CPUs/cores online: 20
[847213] Info: suricata: Setting engine mode to IDS mode by default
[847213] Info: exception-policy: master exception-policy set to: auto
[847213] Config: exception-policy: app-layer.error-policy: ignore (defined via 'exception-policy' master switch)
<...>
[847213] Config: detect: prefilter engines: MPM
[847213] Config: reputation: IP reputation disabled
[847213] Info: detect: Engine-Analysis for fast_pattern printed to file - ./rules_fast_pattern.txt
[847213] Info: detect: Engine-Analysis for rules printed to file - ./rules_analysis.txt
[847213] Config: detect: Loading rule file: /home/user/rules/suricata.local.rules
[847213] Info: detect: 1 rule files processed. 25 rules successfully loaded, 0 rules failed, 0
[847213] Info: threshold-config: Threshold config parsed: 0 rule(s) found
[847213] Info: detect: 25 signatures processed. 0 are IP-only rules, 23 are inspecting packet payload, 2 inspect application layer, 0 are decoder event only
[847213] Config: detect: building signature grouping structure, stage 1: preprocessing rules... complete
[847213] Perf: detect: TCP toserver: 8 port groups, 4 unique SGH's, 4 copies
<...>
[847213] Perf: detect: AppLayer MPM "toserver file_data (smtp)": 2
[847213] Perf: profiling-rulegroups: Registered 8 rulegroup profiling counters.
[847213] Perf: profiling-keywords: Registered 281 keyword profiling counters.
[847213] Perf: profiling-prefilter: Registered 4 prefilter profiling counters.
[847213] Perf: profiling-rules: Registered 25 rule profiling counters.
[847213] Perf: host: host memory usage: 398144 bytes, maximum: 33554432
[847213] Perf: profiling-rules: Dumping profiling data for 25 rules.
[847213] Perf: profiling-rules: Done dumping profiling data.
[847213] Perf: profiling-keywords: Done dumping keyword profiling data.
[847213] Perf: profiling-rulegroups: Done dumping rulegroup profiling data.
[847213] Perf: profiling-prefilter: Done dumping prefilter profiling data.
```