I am running suricata on Ubuntu 22.04.
I now want to have one alert in fast.log or eve.log for every ICMP request I drop/alert on.
I only get one alert every time I start Suricata. Is there some type of global threshold or limit?
I want this because I want to process the logs and display them graphically to generate charts where I can visually check the development of different types of alerts/drops/packets.
Is there a way to alert once for every packet that matches? When I close suricata, I see the total amount of packets that matched the rule as drop rate in percent.
How does the signature look like that triggers just one alert for you?
Please provide more details like Suricata version, run command, suricata.yaml.
Suricata Version: 7.0.4
Rules:
alert icmp any any -> 8.8.4.4 any (msg:"ICMP4 DROP"; sid:888888;)
drop icmp 8.8.4.4 any -> any any (msg:"ICMP4 DROP IN"; sid:777777;)
The rest of the Suricata configuration is pretty much standard, except for the enabled IPS mode with AF_PACKET. Is there any default threshold set? My threshold.conf is completely commented out.
Turns out it is because of the categorization as an IP-only packet.
Found in: How to create ICMP alerts per packet - #2 by vjulien
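The original poster wants to process eve.json and chart alerts over time, and the thread ends with the finding that the two rules are classed as IP-only (which is why they produce one alert per flow rather than one per packet). The script below is an added example, not code from the thread or from the Suricata project: it parses eve.json alert records, counts alerts per signature and per distinct flow, flags signatures whose alert count equals their flow count (the symptom described above), and buckets alerts per minute for charting. The log lines are constructed for the example; sid 999999 is a hypothetical per-packet rule included only for contrast with the thread's sid 888888.

```python
import json
from collections import Counter

# Constructed eve.json alert records (not real output from the poster's setup).
# sid 888888 is the thread's IP-only rule and appears once per flow_id;
# sid 999999 is a hypothetical per-packet rule and appears on every packet.
SAMPLE_EVE = """\
{"timestamp":"2024-05-01T10:00:00.000001+0000","flow_id":1,"event_type":"alert","src_ip":"10.0.0.5","dest_ip":"8.8.4.4","proto":"ICMP","alert":{"action":"allowed","signature_id":888888,"signature":"ICMP4 DROP"}}
{"timestamp":"2024-05-01T10:00:00.000002+0000","flow_id":1,"event_type":"alert","src_ip":"10.0.0.5","dest_ip":"8.8.4.4","proto":"ICMP","alert":{"action":"allowed","signature_id":999999,"signature":"ICMP4 PER PACKET"}}
{"timestamp":"2024-05-01T10:00:01.000001+0000","flow_id":1,"event_type":"alert","src_ip":"10.0.0.5","dest_ip":"8.8.4.4","proto":"ICMP","alert":{"action":"allowed","signature_id":999999,"signature":"ICMP4 PER PACKET"}}
{"timestamp":"2024-05-01T10:00:02.000001+0000","flow_id":1,"event_type":"alert","src_ip":"10.0.0.5","dest_ip":"8.8.4.4","proto":"ICMP","alert":{"action":"allowed","signature_id":999999,"signature":"ICMP4 PER PACKET"}}
{"timestamp":"2024-05-01T10:00:30.000001+0000","flow_id":1,"event_type":"flow","src_ip":"10.0.0.5","dest_ip":"8.8.4.4","proto":"ICMP"}
{"timestamp":"2024-05-01T10:01:00.000001+0000","flow_id":2,"event_type":"alert","src_ip":"10.0.0.6","dest_ip":"8.8.4.4","proto":"ICMP","alert":{"action":"allowed","signature_id":888888,"signature":"ICMP4 DROP"}}
{"timestamp":"2024-05-01T10:01:00.000002+0000","flow_id":2,"event_type":"alert","src_ip":"10.0.0.6","dest_ip":"8.8.4.4","proto":"ICMP","alert":{"action":"allowed","signature_id":999999,"signature":"ICMP4 PER PACKET"}}
"""


def parse_alerts(text):
    """Return only event_type == "alert" records from eve.json text (one JSON object per line)."""
    alerts = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip truncated or corrupt lines rather than abort the whole run
        if rec.get("event_type") == "alert" and "alert" in rec:
            alerts.append(rec)
    return alerts


def alerts_per_sid(alerts):
    """Total alert records per signature_id."""
    return Counter(a["alert"]["signature_id"] for a in alerts)


def flows_per_sid(alerts):
    """Number of distinct flow_ids that produced at least one alert, per signature_id."""
    seen = {}
    for a in alerts:
        seen.setdefault(a["alert"]["signature_id"], set()).add(a["flow_id"])
    return Counter({sid: len(flows) for sid, flows in seen.items()})


def once_per_flow_sids(alerts):
    """Signatures that alerted exactly once per flow: the pattern the thread traced to IP-only rules.

    One alert per flow is also what you would see for a single-packet flow, so treat this as a
    hint to check the rule's classification, not as proof."""
    per_sid = alerts_per_sid(alerts)
    per_flow = flows_per_sid(alerts)
    return {sid for sid in per_sid if per_sid[sid] == per_flow[sid]}


def alerts_per_minute(alerts):
    """Counts keyed by (signature_id, "YYYY-MM-DDTHH:MM") for charting alert development over time."""
    return Counter((a["alert"]["signature_id"], a["timestamp"][:16]) for a in alerts)


def analyze(text):
    """Bundle the four views so a caller (or a chart generator) can read them from one dict."""
    alerts = parse_alerts(text)
    return {
        "per_sid": alerts_per_sid(alerts),
        "flows_per_sid": flows_per_sid(alerts),
        "once_per_flow": once_per_flow_sids(alerts),
        "per_minute": alerts_per_minute(alerts),
    }


if __name__ == "__main__":
    result = analyze(SAMPLE_EVE)
    for sid, n in sorted(result["per_sid"].items()):
        print(f"sid {sid}: {n} alerts across {result['flows_per_sid'][sid]} flows")
    print("once-per-flow candidates (check for IP-only classification):", sorted(result["once_per_flow"]))
```

Run it against a real file with `analyze(open("/var/log/suricata/eve.json").read())`; the `per_minute` counter is the series to feed into whatever plotting library you use. The `once_per_flow` set is deliberately conservative: in the constructed data it singles out sid 888888 while sid 999999, which alerts on every packet, is not flagged.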