Feature #4393
open
Threshold default configuration
Added by Matteo Gruppi over 3 years ago.
Updated over 2 years ago.
Description
Hi,
I have some trouble with the default configuration of suricata-update.
I don't find any reference in the documentation.
To get a proper threshold configuration for Suricata with suricata-update we have to do it via the CLI:
suricata-update --threshold-in threshold-file-input --threshold-out threshold-file-output
And of course in suricata config (for example suricata.yaml) the reference about global threshold with:
threshold-file: threshold-file-output
But is there a way, like for disable, enable, etc. with disable-conf, enable-conf, drop-conf, etc., to set threshold-file-input and threshold-file-output in the suricata-update config file (like the default one, /etc/suricata/update.yaml)?
Many thanks
Veshialle
I might need some more examples of what you are trying to do in order to help out. But the thresholding support is not used at all by default. Unless you have a need for the expansion of regular expressions it can do, I recommend not using suricata-update for your threshold.conf.
Jason Ish wrote in #note-1:
I might need some more examples of what you are trying to do in order to help out. But the thresholding support is not used at all by default. Unless you have a need for the expansion of regular expressions it can do, I recommend not using suricata-update for your threshold.conf.
What I mean: instead of using the --threshold-in and --threshold-out arguments for suricata-update, is there something automatic (like for disable-conf, etc.) inside the update.yaml file?
Of course this is the case for regex; in this particular case I'm trying to threshold all the stream-event rules.
Thank you
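As an added illustration of the regular-expression expansion mentioned above, the following is a small Python reimplementation, not suricata-update's own code, and the exact threshold.in template syntax it accepts is an assumption here. A `re:` token in a template line is replaced by one `gen_id`/`sig_id` line per rule whose options match, which is how one line can cover every stream-event rule; the rule and template lines are constructed samples.

```python
import re
# Constructed sample rules (not from the page): two stream-event rules and one
# unrelated rule, reduced to what is needed to extract sid and match the text.
SAMPLE_RULES = """\
alert tcp any any -> any any (msg:"SURICATA STREAM 3way handshake wrong seq wrong ack"; stream-event:3whs_wrong_seq_wrong_ack; sid:2210001; rev:2;)
alert tcp any any -> any any (msg:"SURICATA STREAM ESTABLISHED packet out of window"; stream-event:est_packet_out_of_window; sid:2210020; rev:2;)
alert http any any -> any any (msg:"EXAMPLE HTTP constructed rule"; content:"example"; sid:9000001; rev:1;)
"""

# Constructed threshold.in-style template. Only the "re:" token is expanded;
# everything else is ordinary threshold.conf syntax and is copied through.
SAMPLE_TEMPLATE = """\
# Rate-limit every stream-event rule to one alert per source per minute.
threshold re:stream-event, type limit, track by_src, count 1, seconds 60
# Plain threshold.conf lines are passed through unchanged.
suppress gen_id 1, sig_id 9000001, track by_src, ip 10.0.0.1
"""

RULE_RE = re.compile(r"^(?:alert|drop|pass|reject)\s.*\((?P<opts>.*)\)\s*$")
RE_TOKEN = re.compile(r"re:(?:\"(?P<quoted>[^\"]*)\"|(?P<bare>[^,\s]+))")

def parse_rules(text):
    """Return (gid, sid, options) per rule; gid defaults to 1 as in Suricata."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue
        opts = m.group("opts")
        sid = re.search(r"\bsid:\s*(\d+)", opts)
        gid = re.search(r"\bgid:\s*(\d+)", opts)
        if sid:
            rules.append((int(gid.group(1)) if gid else 1, int(sid.group(1)), opts))
    return rules

def expand_threshold(template, rules):
    """Expand each 're:' line into one gen_id/sig_id line per matching rule."""
    out = []
    for line in template.splitlines():
        stripped = line.strip()
        m = RE_TOKEN.search(line) if stripped and not stripped.startswith("#") else None
        if not m:
            out.append(line)  # comment, blank, or already-explicit line
            continue
        pattern = re.compile(m.group("quoted") or m.group("bare"), re.I)
        for gid, sid, opts in rules:
            if pattern.search(opts):
                out.append(line[:m.start()] + f"gen_id {gid}, sig_id {sid}" + line[m.end():])
    return out
```

Running `expand_threshold(SAMPLE_TEMPLATE, parse_rules(SAMPLE_RULES))` yields the two expanded stream-event lines plus the untouched comment and suppress lines; the result is what Suricata's `threshold-file` setting would then point at.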
- Assignee changed from Shivani Bhardwaj to Jason Ish
- Tracker changed from Support to Feature
Seems the feature request is for threshold to be handled at a default location?
Victor Julien wrote in #note-4:
Seems the feature request is for threshold to be handled at a default location?
Hi Victor, sorry, but I don't remember the use case really well.
Reading the previous messages, I guess that setting threshold-in and threshold-out requires setting them from the command line; it could be more useful to set them in suricata.yaml.
Answering your question: the request is not to set a default file/location for these files, but to be able to declare the files in suricata.yaml.
Thanks