Question about thresholds

killmasta93

HI
I was wondering if its possible on suricata create thresholds, such if any event, appears in the eve.json more than 10 times in 10 seconds send to the alert?
the rest to log and not send it to the alert
Thanks?
I was thinking something like this?

threshold gen_id 1, sig_id 0, type both, track by_src, count 10, seconds 10, priority 1

bmeeks

Yes, you can create global threshold values using the SUPPRESS LIST tab in the package GUI. You would create a Suppress List (if you do not already have one created) and add the threshold values you desire. You can find out about the syntax using the official upstream Suricata docs here: https://docs.suricata.io/en/latest/configuration/global-thresholds.html.

Once you have a Suppress List created, go to the INTERFACES EDIT tab in Suricata and assign the list to the interface using the drop-down selector under the Suppression section. Restart Suricata on the interface so that the running binary sees and starts using the newly assigned list.

killmasta93

@bmeeks Thank you so much for the reply,
So i added in the following

restarted suricata also restarted pfSense but for some reason i still keep seeing lots of alerts,
From from i understand saying any SIG from both in and out ignore if the count shows 10 or less in 10 seconds?

bmeeks

@killmasta93 said in Question about thresholds:

for some reason i still keep seeing lots of alerts,
From from i understand saying any SIG from both in and out ignore if the count shows 10 or less in 10 seconds?

Your Threshold statement is not matching on the SID. I am pretty sure that sig_id 0 is not valid as a wildcard (at least there was at one time an outstanding bug report on that). You will need to specify a specific SID (signature ID) that you want to "threshold". If you want to threshold multiple SIDs, then you will need one line per SID in the file.

However, you seem to be suppressing some of the built-in Suricata informational rules. Those Stream rules are only for informational purposes. They can (and probably should) be disabled altogether. The alerts they generate are a nuisance.

killmasta93

@bmeeks thank you so much, yeah it seems that wildcard doesn't work, going to then do it one by one

killmasta93

hi @bmeeks quick question so i added the following

threshold gen_id 1, sig_id 2009244, type both, track by_src, count 10, seconds 10, priority 1
threshold gen_id 1, sig_id 2009245, type both, track by_src, count 10, seconds 10, priority 1
threshold gen_id 1, sig_id 2009246, type both, track by_src, count 10, seconds 10, priority 1

would the variable

type both

work for both ends?

Thanks

bmeeks

@killmasta93 said in Question about thresholds:

hi @bmeeks quick question so i added the following

threshold gen_id 1, sig_id 2009244, type both, track by_src, count 10, seconds 10, priority 1
threshold gen_id 1, sig_id 2009245, type both, track by_src, count 10, seconds 10, priority 1
threshold gen_id 1, sig_id 2009246, type both, track by_src, count 10, seconds 10, priority 1

would the variable

type both

work for both ends?

Thanks

Here is a link to the official Suricata docs describing the type: keyword: https://docs.suricata.io/en/latest/rules/thresholding.html#type-both. both specifies both a rate limit and threshold value.