Feature #8250: rules: distinct ip counting logic - Suricata - Open Information Security Foundation

Actions

Copy link

Feature #8250

open

rules: distinct ip counting logic

Added by Ofer Dagan about 1 month ago. Updated 18 days ago.

Status:

In Review

Priority:

Normal

Assignee:

Ofer Dagan

Target version:

9.0.0-beta1

Effort:

low

Difficulty:

Label:

Description

In continuous to this ticket - https://redmine.openinfosecfoundation.org/issues/7928.

Implementing now unique_on options for src_ip and dst_ip.

Example for host scan rule:
alert tcp any any -> any any (msg:"Potential TCP SYN Scan Detected"; flags:S; threshold:type both, track by_src, count 50, seconds 60, unique_on dst_ip; classtype:network-scan; sid:1000001; rev:1;)

Actions

Copy link

Updated by Ofer Dagan about 1 month ago

https://github.com/OISF/suricata/pull/14707

Actions

Copy link

Updated by Philippe Antoine 24 days ago

Assignee set to Ofer Dagan

Actions

Copy link

Updated by Philippe Antoine 24 days ago

Status changed from In Progress to In Review

Actions

Copy link

Updated by Juliana Fajardini Reichow 18 days ago

Target version changed from TBD to 9.0.0-beta1

Actions

Copy link

Also available in: Atom PDF

Project

General

Profile

Suricata

Custom queries

Feature #8250

rules: distinct ip counting logic

Updated by Ofer Dagan about 1 month ago

Updated by Philippe Antoine 24 days ago

Updated by Philippe Antoine 24 days ago

Updated by Juliana Fajardini Reichow 18 days ago