
Feature #7120

closed

threshold: add backoff type

Added by Victor Julien 4 months ago. Updated 4 months ago.

Status: Closed
Priority: Normal
Assignee:
Target version:
Effort:
Difficulty:
Label:

Description

Implement a new `type backoff` for thresholding. It limits how many alerts a rule generates over time, which is meant to control the output of potentially extremely verbose rules such as stream rules, decoder events, etc.

A count of 1 with a multiplier of 10 would generate alerts for matching packets 1, 10, 100, 1000, 10000, 100000, etc.
A count of 1 with a multiplier of 2 would generate alerts for matching packets 1, 2, 4, 8, 16, 32, etc.

Like with other thresholds, rule actions like drop and setting of flowbits will still be performed for each matching packet.
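The following model, added here to illustrate the description and not part of Suricata or of this ticket, tracks matches per key and reproduces the two alert sequences above. It assumes two things the description leaves open: for a count greater than 1 the first alert fires on the count-th match and later alerts on every multiplier-fold match after that, and tracking is per key (the flow or host the threshold is configured to track), as with the existing threshold types. The separate drop counter shows that the rule action still applies to every matching packet while only the alert output is reduced.

```python
"""Hypothetical model of the `backoff` threshold type from Feature #7120.

Not Suricata code. Assumptions (not stated on the ticket): the first alert
fires on the count-th match, each later alert on the previous alert's match
number times the multiplier, and state is kept per tracking key.
"""
from dataclasses import dataclass, field


@dataclass
class BackoffThreshold:
    """Alert on the count-th match, then every multiplier-fold match after it."""
    count: int
    multiplier: int
    # per-key state: (matches seen so far, match number that alerts next)
    _state: dict = field(default_factory=dict)

    def __post_init__(self):
        if self.count < 1 or self.multiplier < 2:
            raise ValueError("count must be >= 1 and multiplier >= 2")

    def on_match(self, key) -> bool:
        """Record one matching packet for `key`; return True if it should alert."""
        seen, next_alert = self._state.get(key, (0, self.count))
        seen += 1
        alert = seen == next_alert
        if alert:
            next_alert *= self.multiplier  # back off: next alert is further away
        self._state[key] = (seen, next_alert)
        return alert


def alerting_packets(count, multiplier, n_packets, key="flow-1"):
    """1-based numbers of the matching packets that alert, out of n_packets."""
    t = BackoffThreshold(count, multiplier)
    return [i for i in range(1, n_packets + 1) if t.on_match(key)]


def simulate_actions(count, multiplier, n_packets):
    """Return (alerts, drops): backoff limits alerts, not the rule action."""
    t = BackoffThreshold(count, multiplier)
    alerts = drops = 0
    for _ in range(n_packets):
        drops += 1  # drop/flowbit handling happens for every matching packet
        if t.on_match("flow-1"):
            alerts += 1
    return alerts, drops


if __name__ == "__main__":
    print(alerting_packets(1, 10, 100_000))  # [1, 10, 100, 1000, 10000, 100000]
    print(alerting_packets(1, 2, 32))        # [1, 2, 4, 8, 16, 32]
    print(simulate_actions(1, 10, 100_000))  # (6, 100000)
```

Running the script prints the two sequences from the description; the third line shows that 100000 matching packets produce 6 alerts but 100000 rule-action invocations, which is the trade-off a detection engineer should keep in mind when choosing the multiplier for noisy stream or decoder rules.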


Related issues (1 closed)

Blocked by Suricata - Feature #6822: threshold: support tracking by flow (Closed, Victor Julien)
