Thresholding Keywords

threshold

The threshold keyword controls how often a rule generates alerts. It has three types: threshold, limit and both. Thresholding affects alerting only; the rule still matches as usual, and the counter is kept per tracked address (source or destination) and per rule.

Syntax:

threshold: type <threshold|limit|both>, track <by_src|by_dst>, count <N>, seconds <T>

threshold

This type sets a minimum number of matches a rule must reach before it generates an alert. A threshold setting of N means that an alert is generated on the Nth match from the tracked address within the time interval; matches below N in that interval produce no alert.

Example:

alert tcp any any -> any any (msg: "threshold example"; \
classtype:misc-attack; content: "placeholder"; \
threshold: type threshold, track by_src, count 5, seconds 1; sid:1; rev:1;)

This signature only generates an alert when 5 or more packets from the same source address contain the placeholder string within a one-second interval.

If the signature sets a flowbit, that action is still performed on every match, whether or not an alert is generated.

limit

This type can be used to make sure the system is not flooded with alerts. If limit is set to N, at most N alerts are generated per tracked address within the interval, no matter how many further matches occur; the counter starts again when the interval expires.

Example:

alert http any any -> any any (msg:"thresholding limit example"; \
http.header; content:"Accept"; \
threshold: type limit, track by_src, count 15, seconds 1800; sid:2; rev:1;)

In a 30-minute period, this signature generates at most 15 alerts per source address for HTTP traffic whose headers contain the string Accept. Note that http.header matches both request and response headers, so the rule is not limited to one direction.

If the signature sets a flowbit, that action is still performed on every match, whether or not an alert is generated.

both

Using both, threshold and limit are combined: an alert is generated only once the threshold count is reached within the interval, and then at most once per interval.

Example:

alert http any any -> any any (msg:"thresholding both example"; \
http.header; content:"Accept"; \
threshold: type both, track by_src, count 15, seconds 1800; sid:3; rev:1;)

This rule only generates an alert if 15 or more HTTP headers containing Accept are seen from the same source address within 30 minutes. In that 30-minute period, only one alert is generated for that source, however many further matches occur.

If the signature sets a flowbit, that action is still performed on every match, whether or not an alert is generated.

detection_filter

The detection_filter keyword can be used to alert on every match after a threshold has been reached. It differs from the threshold type in that, once the count is reached within the interval, it generates an alert for each further rule match until the interval expires, rather than only on every Nth match.

Syntax:

detection_filter: track <by_src|by_dst>, count <N>, seconds <T>

Example:

alert tcp any any -> any any (msg: "detection filter example"; \
classtype:misc-attack; content: "placeholder"; \
detection_filter: track by_src, count 100, seconds 10; sid:4; rev:1;)

This rule generates an alert on every match after 100 matches from the same source address have occurred within 10 seconds, and keeps alerting on each further match until the 10-second interval expires.

If the signature sets a flowbit, that action is still performed on every match, whether or not an alert is generated.
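As an added example (not part of this page and not Suricata's own code), the following Python model reproduces the per-address bookkeeping the four keywords describe, so the difference between threshold, limit, both and detection_filter can be checked on constructed match events before a rule is deployed. The Thresholder class, the run() helper and the sample events are assumptions made for illustration; the window handling and the detection_filter boundary (alerting on matches beyond the Nth) are modelled from the descriptions above and should be verified against the Suricata version in use.

```python
"""Model of Suricata-style per-rule threshold and detection_filter counting.

This is an illustrative reimplementation, not Suricata's engine.  It tracks
one counter per tracked address (by_src or by_dst) and a sliding window that
restarts on the first match after `seconds` have elapsed.
"""

MODES = ("threshold", "limit", "both", "detection_filter")


class Thresholder:
    def __init__(self, mode, track, count, seconds):
        if mode not in MODES:
            raise ValueError(f"unknown mode {mode!r}")
        if track not in ("by_src", "by_dst"):
            raise ValueError(f"unknown track {track!r}")
        if count < 1 or seconds < 1:
            raise ValueError("count and seconds must be positive")
        self.mode, self.track = mode, track
        self.count, self.seconds = count, seconds
        # tracked address -> (window start time, matches seen in this window)
        self._state = {}

    def _key(self, src, dst):
        return src if self.track == "by_src" else dst

    def on_match(self, src, dst, ts):
        """Record one rule match at time ts; return True if it should alert."""
        key = self._key(src, dst)
        start, matches = self._state.get(key, (None, 0))
        # No window yet, or the old one expired: start a fresh window here.
        if start is None or ts >= start + self.seconds:
            start, matches = ts, 0
        matches += 1
        if self.mode == "threshold":
            # Alert on every Nth match inside the window, then count again.
            alert = matches >= self.count
            if alert:
                matches = 0
        elif self.mode == "limit":
            # Alert on the first N matches of the window, suppress the rest.
            alert = matches <= self.count
        elif self.mode == "both":
            # Alert exactly once per window, when the Nth match arrives.
            alert = matches == self.count
        else:  # detection_filter
            # Alert on every match after the threshold has been reached
            # (assumption: matches beyond the Nth; verify against your version).
            alert = matches > self.count
        self._state[key] = (start, matches)
        return alert


def run(mode, count, seconds, events, track="by_src"):
    """Feed (ts, src, dst) matches through one rule; return (ts, src) of alerts."""
    thr = Thresholder(mode, track, count, seconds)
    return [(ts, src) for ts, src, dst in events if thr.on_match(src, dst, ts)]


# Constructed sample (synthetic, not captured traffic): host A matches seven
# times in the first second and once more at t=5; host B matches three times.
A, B, SRV = "10.0.0.1", "10.0.0.2", "10.0.0.9"
SAMPLE = [
    (0.0, A, SRV), (0.1, A, SRV), (0.2, A, SRV), (0.2, B, SRV),
    (0.3, A, SRV), (0.3, B, SRV), (0.4, A, SRV), (0.4, B, SRV),
    (0.5, A, SRV), (0.6, A, SRV), (5.0, A, SRV),
]

if __name__ == "__main__":
    # count 5, seconds 1 for every mode, so the modes can be compared directly.
    for mode in MODES:
        print(f"{mode:17s} by_src -> {run(mode, 5, 1, SAMPLE)}")
    # Same rule keyed on the destination: A and B now share one counter.
    print(f"{'limit':17s} by_dst -> {run('limit', 5, 1, SAMPLE, track='by_dst')}")
```

Running the script with count 5 and seconds 1 shows threshold and both alerting once on A's fifth match, limit passing the first five matches of each window per source and then going quiet, and detection_filter alerting on A's sixth and seventh matches only; switching to by_dst merges A and B into one counter, which is the usual reason a limit on a busy server address fires far less often than expected.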