I want to configure a limit of 5 packets per second and block the rest. I’m using the following rule, but it doesn’t work:
alert icmp any any -> any any (msg:"ICMP "; threshold: type threshold, track by_src, count 5, seconds 1; sid:1000001; rev:1;)
If I use a rule just to detect the traffic, it works, like this:
#alert icmp any any -> any any (msg:"ICMP packet detected"; sid:1000001; rev:1; classtype:icmp-event; priority:3;)
Could you tell me what I’m doing wrong?
Thanks!
If you want to block, you should use drop instead of alert, right?
Do you have a pcap to test this rule ?
Oh, I think I get it: this is because this rule is an ip-only rule, so it gets interpreted only once for a flow.
cc @jufajardini what do you think ?
Indeed, if the rule is ip_only, it would inspect the IP addresses once per flow direction.
I’m not sure I understand what the goal is.
Is it to block traffic after 5 packets, or to block alerts? Or something else…
I understand the goal is to block traffic after 5 ICMP packets from one IP address
If that's the goal, then I think you're right. Would maybe using flowint rules work better? Setting the flowint with the first alert, then another for the counter, and one to compare and block?
(flowint operators will turn an ip_only rule into a packet rule - 8.53. Rule Types and Categorization — Suricata 8.0.0-dev documentation)
Thanks for responding. I used the following rules I found in the official documentation.
alert icmp any any -> any any (msg:"ICMP flood"; flow:to_server; sid:777;)
/etc/suricata/threshold.config
rate_filter gen_id 1, sig_id 777, track by_src, count 5, seconds 1, new_action drop, timeout 10
suppress gen_id 1, sig_id 777
That rule meets my requirement, which is to block if the client sends more than 5 packets per second.
What I notice is that when performing a flood with hping3 --icmp --flood x.x.x.x, CPU usage reaches 100%. However, if I do it with iptables, CPU usage is much lower.
Is this behavior normal due to having to process each packet?
Thank you.
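To make the rate_filter line in the post above concrete, here is a small Python model of its per-source behaviour (track by_src, count 5, seconds 1, new_action drop, timeout 10), added for this thread; it is not Suricata code and it does not model the suppress line. The assumption that the packet which reaches the count is the first one to receive new_action is mine, as is the sample traffic.

```python
from collections import deque


class RateFilter:
    """Model of one threshold.config rate_filter entry (constructed, not Suricata code).

    Per tracked source it keeps the hit timestamps inside the sliding window of
    `seconds`; once `count` hits fall inside the window, `new_action` is applied
    to matching packets from that source for `timeout` seconds, then it resets.
    """

    def __init__(self, count=5, seconds=1.0, new_action="drop", timeout=10.0):
        self.count, self.seconds = count, seconds
        self.new_action, self.timeout = new_action, timeout
        self.hits = {}    # src -> deque of hit timestamps still inside the window
        self.active = {}  # src -> timestamp until which new_action applies

    def action(self, src, ts):
        """Return the action the engine would take for one matching packet."""
        until = self.active.get(src)
        if until is not None:
            if ts < until:
                return self.new_action   # still inside the timeout period
            del self.active[src]         # timeout expired: start counting afresh
            self.hits.pop(src, None)
        window = self.hits.setdefault(src, deque())
        window.append(ts)
        while window and ts - window[0] >= self.seconds:
            window.popleft()             # drop hits older than the window
        if len(window) >= self.count:
            # Assumption: the packet reaching `count` already gets new_action.
            self.active[src] = ts + self.timeout
            window.clear()
            return self.new_action
        return "alert"


def simulate(packets, rate_filter=None):
    """packets: iterable of (timestamp, src); returns one action per packet."""
    rate_filter = rate_filter or RateFilter()
    return [rate_filter.action(src, ts) for ts, src in packets]


# Constructed sample: 10.0.0.5 floods (8 pings in 0.8 s), 10.0.0.9 pings every 0.5 s.
SAMPLE = sorted([(0.1 * i, "10.0.0.5") for i in range(8)]
                + [(0.5 * i, "10.0.0.9") for i in range(4)])

if __name__ == "__main__":
    for (ts, src), act in zip(SAMPLE, simulate(SAMPLE)):
        print(f"t={ts:.1f}s {src:10} -> {act}")
```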