【suricata】Rule Thresholding

threshold
The rule syntax is as follows:
threshold: type <threshold|limit|both>, track <by_src|by_dst>, count <N>, seconds <T>
threshold exists to keep a rule from generating too many alerts. It has three modes:
1) threshold
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC robots.txt access"; flow:to_server,established; uricontent:"/robots.txt"; nocase; reference:nessus,10302; classtype:web-application-activity; threshold: type threshold, track by_dst, count 10, seconds 60; sid:1852; rev:1;)
Within a 60 s window, one alert is logged for every 10 matches; if fewer than 10 matches occur within 60 s, nothing is logged. Once an alert has been logged, the next 60 s period begins.
2) limit
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC robots.txt access"; flow:to_server,established; uricontent:"/robots.txt"; nocase; reference:nessus,10302; classtype:web-application-activity; threshold: type limit, track by_src, count 1, seconds 60; sid:1852; rev:1;)
At most 1 alert is generated per 60 s.
3) both
A combination of threshold and limit.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC robots.txt access"; flow:to_server,established; uricontent:"/robots.txt"; nocase; reference:nessus,10302; classtype:web-application-activity; threshold: type both, track by_dst, count 10, seconds 60; sid:1852; rev:1;)
At most one alert is logged per 60 s, and only if the rule has matched 10 times within that window.

detection_filter
detection_filter is a newer rule option intended to replace threshold. The detection_filter keyword alerts on every match once the threshold has been reached. The difference from type threshold is that type threshold generates a single alert when the threshold is reached, then resets the counter and moves into the next period, whereas detection_filter keeps alerting on every further match after the threshold is reached.
The rule syntax is as follows:
detection_filter: track <by_src|by_dst>, count <N>, seconds <T>
drop tcp 10.1.2.100 any -> 10.1.1.100 22 ( \
  msg:"SSH Brute Force Attempt"; flow:established,to_server; \
  content:"SSH"; nocase; offset:0; depth:4; \
  detection_filter: track by_src, count 30, seconds 60; \
  sid:1000001; rev:1;)
Within the 60 s period, the first 30 matches do not generate an alert; every match after that does.
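To make the four counting modes above (threshold, limit, both, and detection_filter) comparable side by side, here is an added simulation of the per-rule counter bookkeeping. It is example code written for these notes, not Suricata's own implementation: the window handling is a simplified model of the behaviour described above (one counter per tracked address, a window that restarts once `seconds` have elapsed, and for type threshold a new period starting right after an alert). The event streams, addresses and timestamps are constructed for the demonstration.

```python
"""
Simplified simulation of Suricata's threshold / detection_filter counters.
Added example, not Suricata code: the four modes are modelled from the
semantics described in the notes above, with one counter per tracked
address (by_src or by_dst) for a single rule.
"""
from dataclasses import dataclass


@dataclass
class Event:
    """One rule match: when it happened and which hosts were involved."""
    ts: float   # seconds
    src: str
    dst: str


class RuleThreshold:
    """Counter state for one rule.

    mode  : 'threshold', 'limit', 'both' or 'detection_filter'
    track : 'by_src' or 'by_dst'
    count : N from the rule option
    seconds: T from the rule option
    """

    def __init__(self, mode, track, count, seconds):
        assert mode in ("threshold", "limit", "both", "detection_filter")
        assert track in ("by_src", "by_dst")
        self.mode, self.track = mode, track
        self.count, self.seconds = count, seconds
        self.state = {}   # tracked address -> (window_start, hits_in_window)

    def _key(self, ev):
        return ev.src if self.track == "by_src" else ev.dst

    def match(self, ev):
        """Feed one rule match; return True if an alert would be emitted."""
        key = self._key(ev)
        start, hits = self.state.get(key, (ev.ts, 0))
        if ev.ts - start >= self.seconds:   # window expired: open a new one
            start, hits = ev.ts, 0
        hits += 1

        if self.mode == "threshold":
            # alert on every Nth match; after an alert a new period begins
            alert = hits >= self.count
            if alert:
                start, hits = ev.ts, 0
        elif self.mode == "limit":
            # at most N alerts per window
            alert = hits <= self.count
        elif self.mode == "both":
            # one alert per window, and only once N matches have occurred
            alert = hits == self.count
        else:  # detection_filter
            # silent for the first N matches, then alert on every match
            alert = hits > self.count

        self.state[key] = (start, hits)
        return alert


def run(rule, events):
    """Return the 1-based indices of the events that produced an alert."""
    return [i for i, ev in enumerate(events, 1) if rule.match(ev)]


def web_stream():
    """Constructed sample: 14 robots.txt requests from one client, 5 s apart."""
    return [Event(5.0 * i, "198.51.100.7", "192.0.2.10") for i in range(14)]


def ssh_stream():
    """Constructed sample: 40 SSH connects/s from one source, 5 from a
    bystander host, then one more from the first source 100 s in."""
    attacker = [Event(float(i), "10.1.2.100", "10.1.1.100") for i in range(40)]
    bystander = [Event(40.0 + i, "10.1.2.7", "10.1.1.100") for i in range(5)]
    late = [Event(100.0, "10.1.2.100", "10.1.1.100")]
    return attacker + bystander + late


def demo():
    """Run each mode from the notes against the constructed streams."""
    web, ssh = web_stream(), ssh_stream()
    return {
        "threshold": run(RuleThreshold("threshold", "by_dst", 10, 60), web),
        "limit": run(RuleThreshold("limit", "by_src", 1, 60), web),
        "both": run(RuleThreshold("both", "by_dst", 10, 60), web),
        "detection_filter": run(RuleThreshold("detection_filter", "by_src", 30, 60), ssh),
    }


if __name__ == "__main__":
    for mode, alerts in demo().items():
        print(f"{mode:17s} alerts on matches {alerts}")
```

Running it shows the contrast the notes describe: with count 10 / seconds 60, type threshold and type both each alert once on the 10th request, type limit with count 1 alerts on the 1st request and again on the first request of the next window (the 13th, at t = 60 s), and detection_filter with count 30 stays silent for the first 30 SSH matches and then alerts on every one of matches 31 to 40, while the bystander host, tracked separately by_src, never reaches the threshold.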