Feature #3845
openThreshold Hit Counter (for SID/IP)
Description
I propose a feature to the devs which generates a basic stats file, where the total count of filtered (via threshold) Suricata events is logged.
For example if this rule is enabled:
event_filter \
gen_id 1, sig_id 0, \
type limit, track by_src, \
count 1, seconds 86400
to limit the alerts to 1 per src_ip / event / per day,
it would be nice to have a log of the actual hits per src_ip / event.
An example output:
SID=1234, SRC_IP=x Total_Count=1200 (1199 not shown due to threshold)
SID=1234, SRC_IP=y Total_Count=2 (1 not shown due to threshold)
SID=4321, SRC_IP=y Total_Count=5 (4 not shown due to threshold)
This data can give big insights (regarding actual “attack” counts),
since one does not know how many events are actually filtered by the threshold.
Any workaround, such as setting the threshold manually to different values to get
a rough estimation, is welcome as a comment.
Thank you very much!
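As an added illustration (not part of the ticket or of Suricata's code), the following script replays a set of raw alert events through the same "type limit, track by_src, count 1, seconds 86400" rule and produces the proposed per-SID/src_ip counter output. The events, SIDs and addresses are constructed sample data; the window semantics assumed are those of a limit filter, which lets through the first `count` events of each time window and drops the rest until the window expires.

```python
from collections import defaultdict

# Constructed sample events: (unix timestamp, sid, src_ip). Not real alert data.
SAMPLE_EVENTS = [
    (0, 1234, "10.0.0.1"), (10, 1234, "10.0.0.1"), (20, 1234, "10.0.0.1"),
    (30, 1234, "10.0.0.1"), (40, 1234, "10.0.0.1"),
    (90000, 1234, "10.0.0.1"),          # next day: new window, alerted again
    (5, 1234, "10.0.0.2"), (15, 1234, "10.0.0.2"),
    (1, 4321, "10.0.0.2"), (2, 4321, "10.0.0.2"), (3, 4321, "10.0.0.2"),
    (4, 4321, "10.0.0.2"), (5, 4321, "10.0.0.2"),
]


def limit_threshold_stats(events, count=1, seconds=86400):
    """Replay events through a 'type limit, track by_src' filter.

    Returns {(sid, src_ip): {"total": n_seen, "shown": n_alerted}} so the
    caller can compute how many events the threshold hid.
    """
    windows = {}                      # (sid, src) -> (window_start, alerts_in_window)
    totals = defaultdict(lambda: {"total": 0, "shown": 0})
    for ts, sid, src in sorted(events):   # process in time order
        key = (sid, src)
        start, alerted = windows.get(key, (None, 0))
        if start is None or ts - start >= seconds:
            start, alerted = ts, 0    # window expired (or first event): open a new one
        entry = totals[key]
        entry["total"] += 1
        if alerted < count:           # limit: only the first `count` per window alert
            alerted += 1
            entry["shown"] += 1
        windows[key] = (start, alerted)
    return dict(totals)


def format_stats(stats):
    """Render counters in the format proposed in the ticket."""
    lines = []
    for (sid, src), c in sorted(stats.items()):
        hidden = c["total"] - c["shown"]
        lines.append(f"SID={sid}, SRC_IP={src} Total_Count={c['total']} "
                     f"({hidden} not shown due to threshold)")
    return lines


if __name__ == "__main__":
    print("\n".join(format_stats(limit_threshold_stats(SAMPLE_EVENTS))))
```

Pointing the script at a raw (unthresholded) event export, for example from a second sensor or a pcap replay, gives the rough estimation the ticket asks for until a native counter exists.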
Updated by Philippe Antoine 4 months ago
- Assignee set to Community Ticket
- Target version set to TBD