i am new to Suricata and not sure if what i am imagining is feasible.
For my thesis i am trying to generate IDS rules which check for the lower and upper limits of traffic features. A simple example would be “this host receives between 10-300 packets per flow”.
I am successfully checking for the upper limits with thresholds and flowints, but is there any way to check for the lower limits? Like having a flowbits flag and only checking it on connection teardown?
I guess this is possible with lua scripts, but is there another way? I am not familiar with lua confident in learning it in time.
I am using the ids-dataset CIC-IDS2017, generating the rules from the labeled traffic, and testing them with the pcap files.
Working with V 7.0.2 installed with apt on a Kali-linux vm.
Any kind of help is appreciated, even a “that can not be done”, to show my professor, would at least allow me to call it quits and focus on what can be done.