Rules - limiting traffic to a specific time

Hi,
I have a pretty interesting problem. I would like to limit traffic using Suricata rules. I want to limit HTTP traffic that contains a 404 return code and repeats more than 50 times in 60 seconds. If this condition is met, traffic should be limited for one hour and re-enabled after one hour. I have been dealing with this problem for a long time and I do not know how to deal with it. Could anyone help me? Thank you.

Are you talking about traffic contained in one flow?
You might want to check out flowints if that’s the case.
https://suricata.readthedocs.io/en/latest/rules/flow-keywords.html#flowint

Lua is the only option I can think of if you want to do this based on multiple flows between two IPs.

I tried this but it didn’t work. I also tried xbits, but there I’m not sure if the keyword “expire” works. It seems to me it’s still blocking. Do you have any experience with xbits?

I wonder if rate_filter is what you are looking for:

https://suricata.readthedocs.io/en/suricata-5.0.2/configuration/global-thresholds.html#rate-filter

Something like

alert http any any -> any any (http.stat_code; content:"404"; sid:123;)

rate_filter gen_id 1, sig_id 123, track by_dst, count 50, seconds 60, new_action drop, timeout 3600

The rate_filter rule would sit in threshold.config.
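An added example, not part of the original post and not Suricata's own code: a small Python model of the per-destination state that the rate_filter line above implies, replayed over constructed timestamps. It assumes a fixed counting window that starts at the first hit and that the hit reaching `count` is the first to get `new_action`; the class, function and sample names are hypothetical.

```python
from dataclasses import dataclass, field


@dataclass
class RateFilterModel:
    """Simplified model of: track by_dst, count 50, seconds 60,
    new_action drop, timeout 3600 (values taken from the post above)."""
    count: int = 50
    seconds: int = 60
    new_action: str = "drop"
    timeout: int = 3600
    base_action: str = "alert"  # action of the rule with sid 123
    state: dict = field(default_factory=dict)  # dst -> counters

    def hit(self, dst: str, now: int) -> str:
        """Return the action applied to one rule match for dst at time now (s)."""
        s = self.state.setdefault(dst, {"start": now, "hits": 0, "active": None})
        if s["active"] is not None:
            if now - s["active"] < self.timeout:
                return self.new_action  # filter still active
            s.update(start=now, hits=0, active=None)  # timeout over: revert
        if now - s["start"] >= self.seconds:
            s.update(start=now, hits=0)  # counting window expired
        s["hits"] += 1
        if s["hits"] >= self.count:  # assumption: the count-th hit triggers
            s["active"] = now
            return self.new_action
        return self.base_action


def replay(events):
    """Feed (time, dst) rule matches in time order; return (time, dst, action)."""
    model = RateFilterModel()
    return [(t, dst, model.hit(dst, t)) for t, dst in sorted(events)]


# Constructed sample: one 404 per second to 192.0.2.10 for a minute,
# a single 404 to another server, then late hits around the timeout.
SAMPLE = [(t, "192.0.2.10") for t in range(60)] + [
    (30, "192.0.2.20"), (1800, "192.0.2.10"),
    (3648, "192.0.2.10"), (3649, "192.0.2.10"),
]

if __name__ == "__main__":
    for t, dst, action in replay(SAMPLE):
        if t in (48, 49, 1800, 3648, 3649) or dst.endswith(".20"):
            print(t, dst, action)
```
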

I didn’t know about this feature. This solution works perfectly. Thank you a lot.

Can I ask one more question? Is it possible to write the new action to the eve.log file? In the eve.log file, I only have the alert rule.

What do you mean by action in that context? Can you give a bit more detail about what you would like to achieve?

The example above shows that the initial rule has an alert action, so an alert action is written to the eve.json file. However, rate_filter sets a new drop action, and it is no longer recorded in the eve.json file. Is it possible to have the changed event (the action in the rule) reflected in the eve.json file?