Thresholds can be configured in the rules themselves, see Thresholding Keywords. They are often set by rule writers based on their intelligence for creating a rule combined with a judgement on how often a rule will alert.
10.2.1. Threshold Config¶
Next to rule thresholding more thresholding can be configured on the sensor using the threshold.config.
threshold gen_id <gid>, sig_id <sid>, type <threshold|limit|both>, \ track <by_src|by_dst|by_rule|by_both>, count <N>, seconds <T>
Rate filters allow changing of a rule action when a rule matches.
rate_filter: rate_filter gen_id <gid>, sig_id <sid>, track <tracker>, \ count <c>, seconds <s>, new_action <action>, timeout <timeout>
rate_filter gen_id 1, sig_id 1000, track by_rule, count 100, seconds 60, \ new_action alert, timeout 30
Generator id. Normally 1, but if a rule uses the
gid keyword to set
another value it has to be matched in the
Rule/signature id as set by the rule
Where to track the rule matches. When using by_src/by_dst the tracking is done per IP-address. The Host table is used for storage. When using by_rule it’s done globally for the rule. Option by_both used to track per IP pair of source and destination. Packets going to opposite directions between same addresses tracked as the same pair.
Number of rule hits before the
rate_filter is activated.
Time period within which the
count needs to be reached to activate
New action that is applied to matching traffic when the
is in place.
Note: ‘sdrop’ and ‘log’ are supported by the parser but not implemented otherwise.
Time in seconds during which the
rate_filter will remain active.
Let’s say we want to limit incoming connections to our SSH server. The rule
888 below simply alerts on SYN packets to the SSH port of our SSH server.
If an IP-address triggers this more than 10 or more with a minute, the
rate_filter is set with a timeout of 5 minutes.
alert tcp any any -> $MY_SSH_SERVER 22 (msg:"Connection to SSH server"; \ flow:to_server; flags:S,12; sid:888;)
rate_filter gen_id 1, sig_id 888, track by_src, count 10, seconds 60, \ new_action drop, timeout 300
Suppressions can be used to suppress alerts for a rule or a host/network. Actions performed when a rule matches, such as setting a flowbit, are still performed.
suppress gen_id <gid>, sig_id <sid> suppress gen_id <gid>, sig_id <sid>, track <by_src|by_dst|by_either>, ip <ip|subnet|addressvar>
suppress gen_id 1, sig_id 2002087, track by_src, ip 184.108.40.206
This will make sure the signature 2002087 will never match for src host 220.127.116.11.
suppress gen_id 1, sig_id 2003614, track by_src, ip 18.104.22.168/25 suppress gen_id 1, sig_id 2003614, track by_src, ip [192.168.0.0/16,10.0.0.0/8,172.16.0.0/12] suppress gen_id 1, sig_id 2003614, track by_src, ip $HOME_NET suppress gen_id 1, sig_id 2003614, track by_either, ip 22.214.171.124/25
In the last example above, the
by_either tracking means that if either
source ip or
destination ip matches
rule with sid 2003614 is suppressed.
10.2.2. Global thresholds vs rule thresholds¶
Note: this section applies to 1.4+ In 1.3 and before mixing rule and global thresholds is not supported.
When a rule has a threshold/detection_filter set a rule can still be affected by the global threshold file.
The rule below will only fire if 10 or more emails are being delivered/sent from a host within 60 seconds.
alert tcp any any -> any 25 (msg:"ET POLICY Inbound Frequent Emails - Possible Spambot Inbound"; \ flow:established; content:"mail from|3a|"; nocase; \ threshold: type threshold, track by_src, count 10, seconds 60; \ reference:url,doc.emergingthreats.net/2002087; classtype:misc-activity; sid:2002087; rev:10;)
Next, we’ll see how global settings affect this rule.
Suppressions can be combined with rules with thresholds/detection_filters with no exceptions.
suppress gen_id 1, sig_id 2002087, track by_src, ip 126.96.36.199 suppress gen_id 0, sig_id 0, track by_src, ip 188.8.131.52 suppress gen_id 1, sig_id 0, track by_src, ip 184.108.40.206
Each of the rules above will make sure 2002087 doesn’t alert when the source of the emails is 220.127.116.11. It will alert for all other hosts.
suppress gen_id 1, sig_id 2002087
This suppression will simply convert the rule to “noalert”, meaning it will never alert in any case. If the rule sets a flowbit, that will still happen.
When applied to a specific signature, thresholds and event_filters (threshold from now on) will override the signature setting. This can be useful for when the default in a signature doesn’t suit your environment.
threshold gen_id 1, sig_id 2002087, type both, track by_src, count 3, seconds 5 threshold gen_id 1, sig_id 2002087, type threshold, track by_src, count 10, seconds 60 threshold gen_id 1, sig_id 2002087, type limit, track by_src, count 1, seconds 15
Each of these will replace the threshold setting for 2002087 by the new threshold setting.
Note: overriding all gids or sids (by using gen_id 0 or sig_id 0) is not supported. Bug https://redmine.openinfosecfoundation.org/issues/425.