Bug #160 (closed)
Thresholds don't seem to be honored for ICMP traffic.
Description
When processing the attached pcap, Suricata generates 57789 events, whereas Snort only generates 2, one for each source of the traffic (192.168.1.44 and 192.168.1.48) contained in the pcap. It appears as if this happens because Suricata does not honor thresholds for ICMP traffic.
Output of the comparison run:
oisf alerted more times than snort sid: 2003292 oisf:57789 snort:2
alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WORM Allaple ICMP Sweep Ping Outbound"; icode:0; itype:8; content:"Babcdefghijklmnopqrstuvwabcdefghi"; threshold: type both, count 1, seconds 60, track by_src; classtype:trojan-activity; reference:url,www.sophos.com/virusinfo/analyses/w32allapleb.html; reference:url,isc.sans.org/diary.html?storyid=2451; reference:url,doc.emergingthreats.net/2003292; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/WORM_Allaple; sid:2003292; rev:7;)
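To make the expected behaviour concrete, here is an added example (not Suricata or Snort code, and not from the reporter) that models the documented semantics of the threshold keyword and replays a constructed ICMP sweep through the rule above. It implements all three threshold types (limit, threshold, both) rather than only the "both" case in the rule, so the same model can be reused for other signatures; the packet records, the timing and the destination addresses are constructed for the demonstration, and the window handling is a simplified model of what the engines do. With "type both, count 1, seconds 60, track by_src", two hosts sweeping inside one 60-second window should produce one alert per source, which is what the reporter observed from Snort; counting every matching packet instead reproduces the inflated event count attributed to Suricata.

```python
"""Simplified model of the Snort/Suricata `threshold` keyword (added example, constructed data)."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Matching fields and threshold taken from sid:2003292 as quoted on the page.
RULE = {
    "sid": 2003292,
    "itype": 8,
    "icode": 0,
    "content": b"Babcdefghijklmnopqrstuvwabcdefghi",
    "threshold": {"type": "both", "count": 1, "seconds": 60, "track": "by_src"},
}


@dataclass
class _State:
    window_start: Optional[float] = None  # start of the current time window
    seen: int = 0                         # matches seen in that window


class Thresholder:
    """Per-tracking-key rate control for one signature (simplified model).

    limit:     alert on the first `count` matches per window, then suppress.
    threshold: alert on every `count`-th match within the window.
    both:      alert once per window, when the `count`-th match arrives.
    """

    def __init__(self, ttype: str, count: int, seconds: int, track: str):
        if ttype not in ("limit", "threshold", "both"):
            raise ValueError("unknown threshold type: %s" % ttype)
        if track not in ("by_src", "by_dst"):
            raise ValueError("unknown track option: %s" % track)
        self.ttype, self.count, self.seconds, self.track = ttype, count, seconds, track
        self.states: Dict[str, _State] = {}

    def should_alert(self, ts: float, src: str, dst: str) -> bool:
        key = src if self.track == "by_src" else dst
        st = self.states.setdefault(key, _State())
        # Open a fresh window when there is none or the old one has expired.
        if st.window_start is None or ts - st.window_start >= self.seconds:
            st.window_start, st.seen = ts, 0
        st.seen += 1
        if self.ttype == "limit":
            return st.seen <= self.count
        if self.ttype == "threshold":
            return st.seen % self.count == 0
        return st.seen == self.count  # both


def rule_matches(pkt: dict) -> bool:
    """Content and ICMP type/code checks of the rule (protocol/net checks omitted)."""
    return (pkt["itype"] == RULE["itype"] and pkt["icode"] == RULE["icode"]
            and RULE["content"] in pkt["payload"])


def build_sweep(pings_per_host: int = 500, interval: float = 0.1) -> List[dict]:
    """Constructed sweep: two sources, one echo request every 0.1 s, plus one late ping."""
    payload = RULE["content"] + b"jklmnopqrstuvwabcdefghijklmnopqrstuvwabc"
    pkts = []
    for src in ("192.168.1.44", "192.168.1.48"):
        for i in range(pings_per_host):
            pkts.append({"ts": i * interval, "src": src,
                         "dst": "203.0.113.%d" % (i % 250 + 1),  # documentation range
                         "itype": 8, "icode": 0, "payload": payload})
    # One more ping from the first host after the 60 s window has expired.
    pkts.append({"ts": 70.0, "src": "192.168.1.44", "dst": "203.0.113.1",
                 "itype": 8, "icode": 0, "payload": payload})
    pkts.sort(key=lambda p: p["ts"])
    return pkts


def count_alerts(pkts: List[dict], thr: Optional[dict] = None) -> Dict[str, int]:
    """Alerts per source when the rule's threshold is honoured."""
    thr = thr or RULE["threshold"]
    th = Thresholder(thr["type"], thr["count"], thr["seconds"], thr["track"])
    per_src: Dict[str, int] = {}
    for p in pkts:
        if rule_matches(p) and th.should_alert(p["ts"], p["src"], p["dst"]):
            per_src[p["src"]] = per_src.get(p["src"], 0) + 1
    return per_src


def count_without_threshold(pkts: List[dict]) -> int:
    """The failure mode from the report: every matching packet becomes an event."""
    return sum(1 for p in pkts if rule_matches(p))


if __name__ == "__main__":
    sweep = build_sweep()
    print("packets:", len(sweep))
    print("alerts with threshold honoured:", count_alerts(sweep))
    print("events if threshold ignored:", count_without_threshold(sweep))
```

Running the module prints 1001 packets, 3 thresholded alerts (two for 192.168.1.44 because its late ping opens a new window, one for 192.168.1.48) and 1001 events when the threshold is ignored, which is the shape of the discrepancy the comparison output above shows.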