Is there a way to use thresholds when events occur on the same source ip and destination ip?
trac by_src and by_dst cannot be used because source IP and destination IP are required for response.
Do you hear about the roadmap to add by_both?
There is some by_both support in 5.0. It’s been extended for the upcoming 6.0:
https://suricata.readthedocs.io/en/latest/search.html?q=by_both&check_keywords=yes&area=default#
Hi.
Will you consider adding the by_src_port or by_dst_port feature?
It’ll be easy to detect port scans.