Rate_limiter is not matching with the rule

Patrik_Burdiak · August 4, 2022, 3:04pm

Hi guys

I’ve installed suricata on my server (on Virtual Machine). I am trying to limit TCP traffic on port 443 by rule:
alert tcp any any → (valid adress) 443 (msg:“Alert”; sid:123;flow: to_server;)

with rate_filter:
rate_filter gen_id 1, sig_id 123, track by_src, count 5, seconds 20, new_action drop, timeout 360

In fast.log i am getting alerts, but this rate_filter dont work (he will not be triggered). Please can you help me with this ? trhreshold.config file is uncommented in suricata.yaml

Thanks

Andreas_Herz · August 29, 2022, 4:06pm

Could you try 10.2. Global-Thresholds — Suricata 6.0.6 documentation or 6.31. Thresholding Keywords — Suricata 6.0.6 documentation to see if those would work?

Patrik_Burdiak · September 1, 2022, 8:06pm

Hello Andreas

Threshold: both, solved this issue for me. Thanks for your time.

with best regards
Patrik

Topic		Replies	Views
Configure Suricata as IPS to prevent host from SYN Flood Help ips	24	9298	March 23, 2021
Wanna my suricata ips limit traffic Help ips	2	845	June 14, 2022
Rules - limiting traffic to a specific time Rules ips	7	3483	April 20, 2020
SURICATA HTTP unable to match response to request Rules	1	3216	November 1, 2021
Some match bypass? Rules rules	27	1952	September 17, 2021

Rate_limiter is not matching with the rule

Related Topics