Question on global thresholding

Please include the following information with your help request:

  • Suricata version: 7.0.6
  • Operating system and/or Linux distribution: Ubuntu 20.04
  • How you installed Suricata (from source, packages, something else): from source

Hi,
Currently I am trying to configure global thresholding,
meaning to only alert if there are 40 counts in 20 seconds,
which I tried in the thresholding config:

threshold gen_id 0, sig_id any, type both, track by_both, count 40, seconds 20

I also tried it in the YAML config of Suricata:

threshold:
  - gen-id: 0
    sig-id: any
    type: limit
    track: by_both
    count: 40
    seconds: 20

Not sure what else to try.
I read there is a bug, but I'm not sure whether it might apply to the global section?

https://docs.suricata.io/en/latest/configuration/global-thresholds.html#id2

Thank you

Hi, and welcome to our community!

Thanks for your post – can you describe what you’re observing with the threshold configurations in place?

Thanks for the reply. Currently what I'm observing is that it's ignoring the rule; let's say [Suricata: Alert - ET USER_AGENTS Go HTTP Client User-Agent] appears around 3 times and I get alerted, when it should only alert if it appears 40 times in 20 seconds.

If the intended behaviour is that you want alerts only if the amount of hits exceeds 40 per 20 seconds, you might want the threshold type keyword, not limit. Using limit causes you to never get more than 40 alerts per 20 second window.

See 8.41. Thresholding Keywords — Suricata 8.0.0-dev documentation for more information.
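To make the difference described above concrete, here is an added Python model (not Suricata's code and not from this thread) of how the three threshold types decide which of a run of matches alert. It assumes a single track key (e.g. by_both, one src/dst pair) and simplifies the window to one anchored at the first match, as documented for Suricata; the event timestamps below are constructed.

```python
from typing import List


def apply_threshold(times: List[float], ttype: str, count: int, seconds: float) -> List[int]:
    """Return the 0-based indices of the matches that would raise an alert.

    Simplified model of the documented semantics (assumption, not Suricata code):
      limit     - alert on the first `count` matches per window, then stay silent
      threshold - alert every `count` matches within the window
      both      - alert once, when the `count`-th match arrives in the window
    A match outside the current window starts a fresh window.
    """
    alerts: List[int] = []
    window_start = None
    seen = 0
    for i, t in enumerate(times):
        if window_start is None or t - window_start >= seconds:
            window_start, seen = t, 0          # new window anchored at this match
        seen += 1
        if ttype == "limit":
            if seen <= count:
                alerts.append(i)
        elif ttype == "threshold":
            if seen >= count:                  # fire and start counting again
                alerts.append(i)
                seen = 0
        elif ttype == "both":
            if seen == count:                  # exactly once per window
                alerts.append(i)
        else:
            raise ValueError(f"unknown threshold type: {ttype}")
    return alerts


def compare_types(times: List[float], count: int, seconds: float) -> dict:
    """Number of alerts each type produces for the same run of matches."""
    return {t: len(apply_threshold(times, t, count, seconds)) for t in ("limit", "threshold", "both")}


if __name__ == "__main__":
    # Constructed: the poster's case, ~3 hits within a few seconds.
    few = [0.0, 1.0, 2.0]
    # Constructed: a burst of 80 hits in 16 seconds.
    burst = [i * 0.2 for i in range(80)]
    print("3 hits, count 40/20s:", compare_types(few, 40, 20))      # limit alerts on all 3
    print("80 hits, count 40/20s:", compare_types(burst, 40, 20))   # threshold: 2, both: 1, limit: 40
```

With `type limit` the first 40 matches always alert, which is why three hits still produce alerts; only `threshold` or `both` stay silent until the 40th match in the window.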

Thank you so much for the reply.
I assume that would be in the suricata.yml file?

This is the config at the moment; I added threshold under hosts.
Not sure if I did it correctly.

I also tried adding this to the threshold config:

threshold gen_id 0, sig_id 0, type threshold, track by_both, count 40, seconds 20

But when I restart I get this warning, as it shows all the SID warnings:

Warning: threshold-config: signature sid:2403371 has an event var set.  The signature event var is given precedence over the threshold.conf one.  We'll change this in the future though.

Thank you

Hmm? Global thresholds go into threshold.config not suricata.yml. See 12.2. Global-Thresholds — Suricata 8.0.0-dev documentation.

I think the warning can be ignored.

Thank you so much for the reply. The thing is that I added it to the threshold.config, but it seems that it ignores it; not sure why.

Hi @satta, I was rechecking the issue, but it seems that the global thresholds are being ignored.

Please share your current active configuration (suricata.yaml) and the location and contents of the threshold.config file. According to your previously posted config it is expected in /etc/suricata/threshold.config.

How do you notice that the thresholds are being ignored?

Hi @satta, thank you so much for the reply.
suricata.yml config:

and the threshold config:

I'm not sure if it's because I'm using 0 to try to limit all, for which there is a bug at the moment.

Thank you