Hi guys, I set up a simple Suricata rule (for testing) as follows:
alert tcp any any -> any 23 (msg:"TELNET connection attempt"; sid:1000003; rev:10;)
Now, if I connect to my server via telnet, e.g.:
telnet 1.2.3.4
The rule is working perfectly; I can see the "TELNET connection attempt" alert from that IP in fast.log.
But now I want to understand how long it takes for this rule to trigger again after the last alert. I tried running telnet 1.2.3.4 again a few seconds later and it did not generate that alert in fast.log, but after 1 minute or so it did. I searched about this and I think maybe this is related (or maybe I'm wrong): 10.2. Global-Thresholds — Suricata 6.0.0 documentation
Is there a way to make this rule generate an alert in real time every time I use telnet 1.2.3.4?
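Added example, not part of the original post: the same rule written with Suricata's per-rule threshold keyword, plus the equivalent entries for the global threshold.config file that the linked "Global-Thresholds" section documents. The sid (1000003), port (23) and message are taken from the post; the 60-second window, the count of 5 and the IP 10.0.0.5 are assumed sample values. Whether alerts repeat for every connection depends on which of these (if any) is active, so comparing the rule file and threshold.config against these forms is the first check to make.

```text
# --- Per-rule thresholds (placed inside the rule options) ---

# No threshold keyword: alert on every matching packet.
alert tcp any any -> any 23 (msg:"TELNET connection attempt"; sid:1000003; rev:10;)

# type limit: at most one alert per source IP per 60 s (assumed window).
alert tcp any any -> any 23 (msg:"TELNET connection attempt"; \
    threshold: type limit, track by_src, count 1, seconds 60; sid:1000003; rev:11;)

# type threshold: alert only once 5 matches (assumed count) from the same source
# are seen inside 60 s, i.e. a simple brute-force style condition.
alert tcp any any -> any 23 (msg:"TELNET connection attempt"; \
    threshold: type threshold, track by_src, count 5, seconds 60; sid:1000003; rev:12;)

# Restrict the match to the first client packet of an established session so one
# telnet connection produces one alert instead of one per packet.
alert tcp any any -> any 23 (msg:"TELNET connection attempt"; \
    flow:to_server,established; sid:1000003; rev:13;)

# --- Global threshold.config (referenced from suricata.yaml as threshold-file) ---

# Same "once per source per 60 s" limit, applied to sid 1000003 without editing the rule.
event_filter gen_id 1, sig_id 1000003, type limit, track by_src, count 1, seconds 60

# Never alert for this rule from a trusted scanner host (assumed IP).
suppress gen_id 1, sig_id 1000003, track by_src, ip 10.0.0.5

# Keep alerting normally but switch to drop for 30 s once 10 matches/60 s are seen
# (only meaningful in IPS mode; values assumed).
rate_filter gen_id 1, sig_id 1000003, track by_src, count 10, seconds 60, \
    new_action drop, timeout 30
```

After changing either file, `suricata -T -c /etc/suricata/suricata.yaml` validates the configuration and rule syntax before a restart, and replaying a captured telnet session with `suricata -r capture.pcap` shows exactly how many alerts the rule emits for one connection.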