I noticed the EVE log files can contain a lot of alerts that are very similar, albeit maybe with different flow IDs. Is there a way to configure Suricata to not show so many alerts that are basically duplications (within some time period)?

Thank you

Hi Rob,

perhaps you wish to explore the “Threshold” feature in Suricata. With that, you can e.g. limit how many alerts can be generated in the given time frame.

Global thresholds
Per-rule thresholds
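For anyone landing here later, an added illustration (not from the original reply, and not Suricata's shipped config) of what both options look like. The file path, the sid 9000001, the port and the count/seconds values are made-up choices for the example; adjust them to your own rules.

```conf
# --- Global thresholds: /etc/suricata/threshold.config (assumed path) ---
# Referenced from suricata.yaml as:   threshold-file: /etc/suricata/threshold.config
#
# Collapse repeated alerts from the same source for any signature:
# at most 1 alert per source IP per 60 seconds, per signature.
# gen_id 1 = the normal signature generator, sig_id 0 = apply to all sids.
threshold gen_id 1, sig_id 0, type limit, track by_src, count 1, seconds 60

# Same idea for one specific rule only, keyed on destination instead of source.
threshold gen_id 1, sig_id 9000001, type limit, track by_dst, count 1, seconds 120

# Silence a rule entirely for one noisy host (e.g. a scanner you already know about).
# 10.0.0.5 is a constructed address for the example.
suppress gen_id 1, sig_id 9000001, track by_src, ip 10.0.0.5

# --- Per-rule threshold: the same limit written inside the signature itself ---
# (goes in your .rules file; sid 9000001 is a constructed, local-range sid)
alert tcp any any -> any 22 (msg:"EXAMPLE repeated SSH connection"; flow:to_server; threshold: type limit, track by_src, count 1, seconds 60; sid:9000001; rev:1; classtype:not-suspicious;)
```

`type limit` means "log the first `count` matches in `seconds`, then stay quiet until the window rolls over", which is the duplicate-suppression behaviour asked about; `type threshold` is the opposite (only alert once `count` is reached), and `type both` combines them. Note the window is tracked per source (or destination), not per flow ID, so two flows from the same host within 60 s produce a single alert, while the packets themselves are still inspected and any drop/reject action still applies.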