Thresholding Keywords

threshold

The threshold keyword can be used to control the alert frequency of a rule. It has three modes: threshold, limit and both. The track option selects what the counter is kept per: by_src counts matches per source IP address, by_dst per destination IP address.

Syntax:

  threshold: type <threshold|limit|both>, track <by_src|by_dst>, count <N>, seconds <T>
threshold

This type can be used to set a minimum threshold for a rule before it generates alerts. A threshold setting of N means that an alert is generated when the rule matches for the Nth time within the time window; the counter is then reset, so the next alert requires another N matches.

Example:

  alert tcp any any -> any any (msg: "threshold example"; \
  classtype:misc-attack; content: "placeholder"; \
  threshold: type threshold, track by_src, count 5, seconds 1; sid:1; rev:1;)

This signature only generates an alert if 5 or more packets from the same source IP address (track by_src) contain the placeholder string within a one-second interval.

If a signature sets a flowbit, that action is still performed on every match, whether or not the match produces an alert.
limit

This type can be used to make sure the system will not be flooded with alerts. If limit is set to N, at most N alerts are generated per tracked address within the time window; further matches in that window are counted but not reported.

Example:

  alert http any any -> any any (msg:"thresholding limit example"; \
  http.header; content:"Accept"; \
  threshold: type limit, track by_src, count 15, seconds 1800; sid:2; rev:1;)

In a 30-minute period, this signature generates at most 15 alerts per source IP address for HTTP messages whose headers contain the string Accept. Note that content:"Accept" is a plain substring match, so it also matches headers such as Accept-Encoding, Accept-Language and Accept-Ranges; a more specific pattern such as content:"Accept|3a|" restricts it to the Accept header itself.

If a signature sets a flowbit, that action is still performed on every match, whether or not the match produces an alert.
both

Using both, threshold and limit are combined: an alert is generated only once the count has been reached within the window, and only one alert is generated per window.

Example:

  alert http any any -> any any (msg:"thresholding both example"; \
  http.header; content:"Accept"; \
  threshold: type both, track by_src, count 15, seconds 1800; sid:3; rev:1;)

This rule only generates an alert if there are 15 or more Accept headers from the same source IP address within 30 minutes, and in that 30-minute period only one alert is generated, on the 15th match. (The sid differs from the limit example above because Suricata refuses to load two rules with the same sid.)

If a signature sets a flowbit, that action is still performed on every match, whether or not the match produces an alert.
detection_filter

The detection_filter keyword can be used to alert on every match after a threshold has been reached. It differs from threshold with type threshold in that it generates an alert for each rule match after the initial threshold has been reached within the window, whereas type threshold resets its counter after alerting and only alerts again once the count has been reached a second time. detection_filter is its own keyword, not a type of the threshold keyword.

Syntax:

  detection_filter: track <by_src|by_dst>, count <N>, seconds <T>

Example:

  alert tcp any any -> any any (msg: "detection filter example"; \
  classtype:misc-attack; content: "placeholder"; \
  detection_filter: track by_src, count 100, seconds 10; sid:4; rev:1;)

Once 100 matches have been seen from the same source IP address within 10 seconds, this rule generates an alert for every further match from that source for the rest of the window. The first 100 matches themselves produce no alert.

If a signature sets a flowbit, that action is still performed on every match, whether or not the match produces an alert.
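To make the difference between the four modes concrete, the following Python model replays a constructed stream of rule matches through a per-source counter and reports which matches would alert under each mode. This is an added illustration written for this page, not Suricata's own code or its threshold engine. It assumes by_src tracking only, integer-second timestamps, and a simplified window rule (a window starts at the first match from a source and expires `seconds` later); the class name Thresholder, the helper alert_times and the sample addresses 10.0.0.1 and 10.0.0.2 are hypothetical.

```python
"""Model of the four Suricata alert-thresholding modes described on this page.

Added example, not Suricata code. Assumptions: track by_src only, integer
timestamps in seconds, and a window that starts at a source's first match
and expires `seconds` later (a simplification of Suricata's handling).
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

MODES = ("threshold", "limit", "both", "detection_filter")


@dataclass
class Thresholder:
    mode: str       # one of MODES
    count: int      # the rule's "count N"
    seconds: int    # the rule's "seconds T"
    # per-source state: (window start timestamp, matches seen in this window)
    state: Dict[str, Tuple[int, int]] = field(default_factory=dict)

    def match(self, src: str, ts: int) -> bool:
        """Record one rule match from `src` at time `ts`; return True if it alerts."""
        start, n = self.state.get(src, (None, 0))
        if start is None or ts - start >= self.seconds:
            start, n = ts, 0          # no window yet, or the old one expired
        n += 1
        self.state[src] = (start, n)
        if self.mode == "threshold":
            # alert on the Nth match, then count from zero again in the same window
            if n >= self.count:
                self.state[src] = (start, 0)
                return True
            return False
        if self.mode == "limit":
            return n <= self.count    # the first N matches alert, the rest are silent
        if self.mode == "both":
            return n == self.count    # exactly one alert per window, on the Nth match
        if self.mode == "detection_filter":
            return n > self.count     # silent up to N, then every further match alerts
        raise ValueError(f"unknown mode {self.mode!r}")


# Constructed match stream (not captured traffic): 10.0.0.1 hits the rule once a
# second for 12 seconds, 10.0.0.2 only three times.
MATCHES: List[Tuple[str, int]] = sorted(
    [("10.0.0.1", t) for t in range(12)] + [("10.0.0.2", t) for t in range(3)],
    key=lambda m: m[1],
)


def alert_times(mode: str, count: int, seconds: int, src: str,
                matches: List[Tuple[str, int]] = MATCHES) -> List[int]:
    """Timestamps at which `src` would alert under the given mode/count/seconds."""
    th = Thresholder(mode, count, seconds)
    # every event is fed to the counter; only alerts from `src` are returned
    return [ts for s, ts in matches if th.match(s, ts) and s == src]


if __name__ == "__main__":
    for mode in MODES:
        count = 5 if mode == "threshold" else 3
        for src in ("10.0.0.1", "10.0.0.2"):
            print(f"{mode:17s} count {count} seconds 10  {src}: "
                  f"alerts at {alert_times(mode, count, 10, src)}")
```

Running it shows the shapes described above: with count 5 and seconds 10, type threshold alerts at seconds 4 and 9 for 10.0.0.1 and never for 10.0.0.2; with count 3, type limit alerts on the first three matches of each window, type both exactly once per window, and detection_filter on every match after the first three. A rule such as `threshold: type threshold, track by_src, count 5, seconds 1` corresponds to `Thresholder("threshold", 5, 1)`.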