Rate_limiter is not matching with the rule

Hi guys

I’ve installed Suricata on my server (on a virtual machine). I am trying to limit TCP traffic on port 443 with this rule:
alert tcp any any -> (valid address) 443 (msg:"Alert"; sid:123; flow: to_server;)

with rate_filter:
rate_filter gen_id 1, sig_id 123, track by_src, count 5, seconds 20, new_action drop, timeout 360

In fast.log I am getting alerts, but this rate_filter doesn't work (it is not triggered). Can you please help me with this? The threshold.config file is uncommented in suricata.yaml.

Thanks

Could you try 10.2. Global-Thresholds — Suricata 6.0.6 documentation or 6.31. Thresholding Keywords — Suricata 6.0.6 documentation to see if those would work?

Hello Andreas

Threshold: both, solved this issue for me. Thanks for your time.

with best regards
Patrik

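An added example, not part of the thread: a simplified Python model of how `threshold: type both` gates alerts per source, following the behaviour described in the linked Suricata thresholding documentation and reusing `count 5` and `seconds 20` from the question. The function name `threshold_both`, the sample events and the IP addresses are constructed for illustration; this is not Suricata's own code.

```python
def threshold_both(events, count=5, seconds=20):
    """Model of 'type both, track by_src': at most one alert per source
    per time window, emitted when the count-th match in that window arrives.

    events: list of (timestamp_seconds, src_ip), sorted by timestamp.
    Returns the (timestamp, src_ip) pairs at which an alert is emitted.
    """
    state = {}   # src_ip -> [window_start, matches_in_window]
    alerts = []
    for ts, src in events:
        entry = state.get(src)
        # A new window starts at the first match, or once the old one expired.
        if entry is None or ts - entry[0] >= seconds:
            entry = state[src] = [ts, 0]
        entry[1] += 1
        # Exactly the count-th match alerts; later ones in the window are silent.
        if entry[1] == count:
            alerts.append((ts, src))
    return alerts


# Constructed sample: every tuple stands for one packet matching sid 123.
SAMPLE = sorted(
    [(t, "192.0.2.10") for t in range(0, 8)]               # 8 matches in 8 s
    + [(t, "192.0.2.10") for t in range(30, 36)]           # 6 matches, later window
    + [(t, "198.51.100.7") for t in (0, 6, 12, 18, 24)]    # 5 matches spread over 25 s
)

if __name__ == "__main__":
    fired = threshold_both(SAMPLE)
    print(f"matching packets: {len(SAMPLE)}, alerts emitted: {len(fired)}")
    for ts, src in fired:
        print(f"t={ts:>3}s  alert for {src}")
```

The slow source never reaches five matches inside one 20-second window, so it produces no alert, while the bursty source alerts once per window instead of once per packet.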