Task #8596
opendetect: limit number of flowbits usage in a signature
Description
Currently, there is no limit enforced on the number of times the "flowbits" keyword can be used in a single signature. A configurable limit is to be added, with a reasonable default.
Updated by Victor Julien 23 days ago
To determine a good default, let's start with seeing what the max per sig is in the rulesets in our index.
Updated by Shivani Bhardwaj 23 days ago
- Difficulty set to low
Updated by Shivani Bhardwaj 23 days ago
- Status changed from Assigned to In Review
Updated by Victor Julien 23 days ago
Updated by Shivani Bhardwaj 19 days ago
ref: https://github.com/OISF/suricata/pull/15444#issuecomment-4543489714
The maximum number of times the flowbits keyword is used in a single signature in the "open" rulesets that we ship with our index is 6. The rule is: https://rules.evebox.org/rule/et/open/2062740
Perhaps 8 is a good default then? Thoughts?
Rulesets probed:
abuse.ch/feodotracker
abuse.ch/urlhaus
stamus/lateral
julioliraup/antiphishing
pawpatrules
aleksibovellan/nmap
abuse.ch/sslbl-ja3
abuse.ch/sslbl-blacklist
et/open
oisf/trafficid
etnetera/aggressive
ptrules/open
tgreen/hunting
Updated by Isaac Shaughnessy 17 days ago
In the ET OPEN/PRO Rulesets the max is 6 flowbit keywords in a single signature. Anything less than 4 would require us to review rule logic for a decent number of signatures to maintain compatibility with the default config. Unless there is a performance reason to have a lower limit I think 8 is a good suggestion.
Summary of flowbit counts:
----------------------------------------
Number of signatures with 1 flowbits: 4369
Number of signatures with 2 flowbits: 1305
Number of signatures with 3 flowbits: 131
Number of signatures with 4 flowbits: 33
Number of signatures with 5 flowbits: 6
Number of signatures with 6 flowbits: 1
Number of signatures with 7 flowbits: 0
Number of signatures with 8+ flowbits: 0
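The per-signature counts above (and the earlier probe of the index rulesets) come down to one measurement: how many `flowbits` options appear in each rule. The script below is an added illustration of how such a count and a limit check can be done; it is not part of this ticket, of the rule index tooling, or of Suricata itself. It tokenizes the option body of each rule on `;` outside double quotes, so a `flowbits:` string inside a `content` or `msg` value is not miscounted, joins `\` line continuations, skips commented-out rules, and reports which sids would exceed a limit (default 8, as settled on here). The rules in `SAMPLE_RULES` are constructed for the demo and are not from any shipped ruleset; the `--limit` value and the function names are the script's own.

```python
import sys
from collections import Counter

DEFAULT_FLOWBITS_LIMIT = 8  # default discussed in the ticket

# Constructed sample rules for the demo; not taken from any real ruleset.
SAMPLE_RULES = r'''
# comment lines and blank lines are skipped

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"EXAMPLE stage one"; flow:established,to_server; content:"/stage1"; flowbits:set,example.stage1; flowbits:noalert; sid:9000001; rev:1;)
alert tcp any any -> any any (msg:"EXAMPLE stage two"; flowbits:isset,example.stage1; flowbits:isnotset,example.done; flowbits:set,example.done; sid:9000002; rev:1;)
# alert tcp any any -> any any (msg:"disabled rule"; flowbits:set,example.off; sid:9000003; rev:1;)
alert tcp any any -> any any (msg:"EXAMPLE flowbits: inside a string, not a keyword"; content:"flowbits:set,fake"; sid:9000004; rev:1;)
alert tcp any any -> any any (msg:"EXAMPLE over the limit"; flowbits:set,a; flowbits:set,b; flowbits:set,c; flowbits:set,d; flowbits:set,e; flowbits:set,f; flowbits:set,g; flowbits:set,h; flowbits:set,i; sid:9000005; rev:1;)
'''


def iter_rules(text):
    """Yield logical rule lines: skip blanks and '#' comments, join '\\' continuations."""
    buf = ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if buf == "" and (not line.strip() or line.lstrip().startswith("#")):
            continue
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        buf += line
        yield buf.strip()
        buf = ""
    if buf.strip():
        yield buf.strip()


def split_options(rule):
    """Split the option body (inside the outer parentheses) on ';' that are
    not inside double quotes, honouring backslash escapes."""
    start, end = rule.find("("), rule.rfind(")")
    if start == -1 or end == -1 or end < start:
        return []
    opts, cur, in_quote, escape = [], [], False, False
    for ch in rule[start + 1:end]:
        if escape:
            cur.append(ch)
            escape = False
        elif ch == "\\":
            cur.append(ch)
            escape = True
        elif ch == '"':
            cur.append(ch)
            in_quote = not in_quote
        elif ch == ";" and not in_quote:
            opts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    tail = "".join(cur).strip()
    if tail:
        opts.append(tail)
    return [o for o in opts if o]


def option_name(opt):
    return opt.split(":", 1)[0].strip().lower()


def count_flowbits(rule):
    """Number of flowbits keyword uses in one rule (quoted text is ignored)."""
    return sum(1 for o in split_options(rule) if option_name(o) == "flowbits")


def rule_sid(rule):
    for o in split_options(rule):
        if option_name(o) == "sid":
            return o.split(":", 1)[1].strip()
    return None


def summarize(text, limit=DEFAULT_FLOWBITS_LIMIT):
    """Return (histogram, max_count, offenders): histogram maps flowbits count
    to number of signatures; offenders are sids that exceed `limit`."""
    hist, offenders = Counter(), []
    for rule in iter_rules(text):
        n = count_flowbits(rule)
        hist[n] += 1
        if n > limit:
            offenders.append(rule_sid(rule))
    return hist, (max(hist) if hist else 0), offenders


def print_summary(hist, top=8):
    print("Summary of flowbit counts:")
    print("-" * 40)
    for n in range(1, top):
        print(f"Number of signatures with {n} flowbits: {hist.get(n, 0)}")
    print(f"Number of signatures with {top}+ flowbits: "
          f"{sum(c for n, c in hist.items() if n >= top)}")


if __name__ == "__main__":
    # usage: python flowbits_count.py [rules_file] [--limit N]
    args = sys.argv[1:]
    limit = int(args[args.index("--limit") + 1]) if "--limit" in args else DEFAULT_FLOWBITS_LIMIT
    files = [a for a in args if not a.startswith("--") and not a.isdigit()]
    text = open(files[0]).read() if files else SAMPLE_RULES
    hist, max_count, offenders = summarize(text, limit)
    print_summary(hist)
    print(f"max flowbits in a single signature: {max_count}")
    if offenders:
        print(f"signatures over limit {limit}: {', '.join(offenders)}")
```

Run against a `.rules` file to get the same histogram shape as above; signatures listed as over the limit are the ones a loader with that limit would reject, which is the compatibility check the thread is weighing when choosing between 4, 6 and 8.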
Updated by Shivani Bhardwaj 17 days ago
Isaac Shaughnessy wrote in #note-6:
In the ET OPEN/PRO Rulesets the max is 6 flowbit keywords in a single signature. Anything less than 4 would require us to review rule logic for a decent number of signatures to maintain compatibility with the default config. Unless there is a performance reason to have a lower limit I think 8 is a good suggestion.
[...]
Thank you very much for the analysis, Isaac! Moving forward with a default of 8.