Support #3045

closed

How limiting the number of alerts in the fast.log

Added by Ivan Ivanov over 5 years ago. Updated over 4 years ago.

Status:
Closed
Priority:
Normal
Assignee:
-
Affected Versions:
Label:

Description

Could you please tell me how it is possible to set up Suricata so that only one alert per pcap file gets into the fast.log, even if the rule matched on it several times. The goal is to apply this setting to all rules at the same time.

#1

Updated by Andreas Herz over 5 years ago

  • Status changed from New to Assigned
  • Assignee set to Community Ticket
  • Target version set to Support
#2

Updated by Ivan Ivanov over 5 years ago

Thanks for your answer.
If I use global thresholds (like: threshold gen_id 0, sig_id 0, type both, track by_src, count 1, seconds 60), can they rewrite rule thresholds? In my case this would not be desirable behavior, because there are rules in the ruleset with specific thresholds and a specially specified count value.
For example, will such a rule be spoiled by global thresholds?
in some rule: threshold: type both, track by_src, count 10, seconds 60;
in global-thresholds: threshold gen_id 0, sig_id 0, type both, track by_src, count 1, seconds 60

#3

Updated by Peter Manev over 5 years ago

Yes - when applied to a specific signature the global threshold will overwrite the rule threshold - https://suricata.readthedocs.io/en/latest/configuration/global-thresholds.html#id3
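To make the override behaviour concrete, here is an added Python simulation (not Suricata's code and not from the ticket) of how the catch-all threshold.config entry replaces the rule's own count 10 and what "type both" then lets through to fast.log; the sid, addresses and timestamps are constructed, and the per-signature, fixed-window state model is an assumption.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Threshold:
    ttype: str    # "limit", "threshold" or "both"
    track: str    # "by_src" or "by_dst"
    count: int
    seconds: int

# The rule's own keyword: threshold: type both, track by_src, count 10, seconds 60;
RULE_THRESHOLDS = {(1, 2000001): Threshold("both", "by_src", 10, 60)}  # sid is constructed
# threshold.config line from the ticket: gen_id 0, sig_id 0 applies to every signature
GLOBAL_ALL = {(0, 0): Threshold("both", "by_src", 1, 60)}

def effective_threshold(gid, sid, global_cfg):
    """A matching threshold.config entry overrides the rule keyword (per the Suricata
    docs); (0, 0) is the catch-all. Returns None when nothing applies."""
    return global_cfg.get((gid, sid)) or global_cfg.get((0, 0)) or RULE_THRESHOLDS.get((gid, sid))

def apply_thresholds(matches, global_cfg):
    """matches: (ts_seconds, gid, sid, src, dst) tuples in time order.
    Returns the (ts, sid, src) alerts that would reach fast.log. Assumption: state is
    kept per signature and tracked address, with a window opened at the first match."""
    state = defaultdict(lambda: {"start": None, "count": 0, "alerted": False})
    alerts = []
    for ts, gid, sid, src, dst in matches:
        th = effective_threshold(gid, sid, global_cfg)
        if th is None:                 # unthresholded rule: every match alerts
            alerts.append((ts, sid, src))
            continue
        st = state[(gid, sid, src if th.track == "by_src" else dst)]
        if st["start"] is None or ts - st["start"] >= th.seconds:   # open a new window
            st.update(start=ts, count=0, alerted=False)
        st["count"] += 1
        if th.ttype == "limit":        # at most `count` alerts per window
            fire = st["count"] <= th.count
        elif th.ttype == "threshold":  # one alert per `count` matches
            fire = st["count"] % th.count == 0
        else:                          # both: one alert per window, once `count` is reached
            fire = st["count"] >= th.count and not st["alerted"]
            st["alerted"] = st["alerted"] or fire
        if fire:
            alerts.append((ts, sid, src))
    return alerts

# Constructed matches: 10.0.0.5 trips the rule 12 times within a minute and once more
# later; 10.0.0.6 trips it a single time.
MATCHES = [(t, 1, 2000001, "10.0.0.5", "192.0.2.10") for t in range(12)]
MATCHES += [(5, 1, 2000001, "10.0.0.6", "192.0.2.10"), (70, 1, 2000001, "10.0.0.5", "192.0.2.10")]
MATCHES.sort()

if __name__ == "__main__":
    print("rule threshold only:", apply_thresholds(MATCHES, {}))
    print("with global override:", apply_thresholds(MATCHES, GLOBAL_ALL))
```

With only the rule keyword, the 10.0.0.5 source produces a single alert at its 10th match and 10.0.0.6 none; with the global entry in place the rule's count 10 is ignored and every source alerts on its first match in each 60 second window.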

#4

Updated by Victor Julien over 4 years ago

  • Status changed from Assigned to Closed
  • Assignee deleted (Community Ticket)