Separate detect and alert frequency

I need create only one alert when come 100 SYN packet per second from one SRC IP to the DST IP.
I try create rule for detected TCP SYN attack. That the alarm is not duplicated.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"DDoS SYN packet flood inbound"; flow:to_server; flags: S,12; threshold: type threshold, track by_both, count 100, seconds 1; classtype:ddos; sid:1;)
And I have a question. If we read the documentation we can find that threshold keyword can be used to control the rule’s alert frequency. But at the same time it is necessary to determine the alarm.
How can I detect alarm with 100 pps and triggered only once per SRC IP-DST IP, instead of notifying every second about an attack?

Hi Saniapa,

welcome to our forum :slight_smile:

I’m not sure I got your question, but I think maybe if you use the type ‘both’ instead of threshold, you can define a threshold AND a limit of alerts, so you won’t get flooded with alerts?

As seen a bit further: 6.31. Thresholding Keywords — Suricata 6.0.0 documentation

Alternatively, if that doesn’t work, I think you could work with a set of rules that would use a flowint to count how many times that type of traffic was detected, and then only alert after a certain number had been reached.
If you’re interested in that approach, you could check 6.10. Flow Keywords — Suricata 6.0.0 documentation

Hope these help you achieve what you are trying!

Hello! Thanks for answer. The main idea is to make the alert as soon as possible (in the first second), but not repeat again if the source IP and destination IP are repeated.
If I understood the documentation correctly, type ‘both’ work only if we don’t use threshold as a condition.
If I could separately set the thresholds for type ‘threshold’ and type ‘limit’ that would be great.

Did you try it out? I understand that ‘both’ is for when you want to combine a threshold with a limit of alerts, isn’t that what you’re looking for?

Yes, I tried but nothing changed. I don’t quite understand how I can influence ‘limit’ separately from ‘threshold’ if they use the same count and seconds values.
I need the alarm start when going more then 100 packets per one second. But repeat this alarm only 30 minutes later.

Hm, yeah, that would require two separate rules, I think, for those are two different thresholds…

Then maybe you could have two rules coupled together, and use flowints or flowbits as well to help when the next rule should be triggered?