Feature #8250: rules: distinct ip counting logic - Suricata - Open Information Security Foundation

Actions

Copy link

Feature #8250

open

rules: distinct ip counting logic

Added by Ofer Dagan 12 days ago. Updated 3 days ago.

Status:

In Review

Priority:

Normal

Assignee:

Ofer Dagan

Target version:

TBD

Effort:

low

Difficulty:

Label:

Description

In continuous to this ticket - https://redmine.openinfosecfoundation.org/issues/7928.

Implementing now unique_on options for src_ip and dst_ip.

Example for host scan rule:
alert tcp any any -> any any (msg:"Potential TCP SYN Scan Detected"; flags:S; threshold:type both, track by_src, count 50, seconds 60, unique_on dst_ip; classtype:network-scan; sid:1000001; rev:1;)

History
Notes
Property changes

Actions

Copy link

Updated by Ofer Dagan 11 days ago

https://github.com/OISF/suricata/pull/14707

Actions

Copy link

Updated by Philippe Antoine 3 days ago

Assignee set to Ofer Dagan

Actions

Copy link

Updated by Philippe Antoine 3 days ago

Status changed from In Progress to In Review

Actions

Copy link

Also available in: Atom PDF

Project

General

Profile

Suricata

Custom queries

Feature #8250

rules: distinct ip counting logic

Updated by Ofer Dagan 11 days ago

Updated by Philippe Antoine 3 days ago

Updated by Philippe Antoine 3 days ago