Hi, I have a pretty interesting problem. I would like limited traffic using suricata rules. I want to limit http traffic that contains a 404 return code and repeats more than 50 times in 60 seconds. If this condition is met, traffic should be limited to one hour and re-enabled after one hour. I hav…

I wonder if rate_filter is what you are looking for: https://suricata.readthedocs.io/en/suricata-5.0.2/configuration/global-thresholds.html#rate-filter Something like alert http any any -> any any (http.stat_code; content:"404"; sid:123;) rate_filter gen_id 1, sig_id 123, track by_dst, count 50,…

Rules - limiting traffic to a specific time

Rules

starytomas (Tomáš Starý) April 7, 2020, 1:42pm 3

I tried this but it didn’t work. I also tried xbits but there I’m not sure if keyword “expire” works. It seems to me it’s still blocking. Do you have some experience with xbits?

Wanna my suricata ips limit traffic

Topic		Replies	Views
Wanna my suricata ips limit traffic Help ips	2	854	June 14, 2022
Rate_limiter is not matching with the rule Help ips , rules , suricata	2	536	September 1, 2022
Heartbeat Alert - rate_filter on really common traffic Rules	14	483	December 6, 2023
Rules to check if threshold has not been met at the end of a flow Rules rules	3	159	January 16, 2024
Rule(s) to monitor HTTP traffic Help	1	31	November 20, 2024

Rules - limiting traffic to a specific time

Related topics