Suricata 7 large file transfer alert

How can I trigger an alert at the end of a flow when a threshold has been met? I’ve tried a few variations:

threshold: partially works, but creates multiple alerts and seems inconsistent

alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"high data transfer detected alert threshold"; flow:established,to_client; stream_size:server, >, 180000000; threshold: type both, track by_src, count 1, seconds 300; sid:1000001; rev:1;)

flowbit test: unable to detect end of flow/stream

alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"high data transfer detected set flow bit"; flow:established,to_client; stream_size:client, >, 180000000; flowbits: set, largefiledetected; noalert;)
alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"high data transfer detected alert flow bit"; flowbits: isset, largefiledetected; flow:to_client; stream_size:client,0; sid:1000000; rev:1;)

The rules using the flowbit need some tweaking. Add a sid field to the first rule.

I tried that and still cannot detect the end of the flow. 1000001 never triggers.

alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"high data transfer detected set flow bit"; flow:established,to_client; stream_size:client, >, 180000000; flowbits: set, largefiledetected; noalert; sid:1000000;)
alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"high data transfer detected alert flow bit"; flowbits: isset, largefiledetected; flow:to_client; stream_size:client,0; sid:1000001; rev:1;)

I also tried with tcp.flags and still no luck.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"tcp.flags sig"; flowbits: isset, largefiledetected; tcp.flags:F; classtype:misc-activity; sid:1; rev:1;)

My end goal is simply to detect large amounts of data transferred without getting flooded with alerts and without a significant performance impact.
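Added example (not code from this thread or from Suricata): a small Python model of how the two approaches tried above behave on a long download, replayed over a constructed packet trace. The first function approximates the thread's `stream_size:server, >, 180000000` rule with `threshold: type both, track by_src, count 1, seconds 300`, following Suricata's documented "type both" behaviour (the window starts at the first match and only the count-th match in a window alerts). The second approximates a `flowbits:isnotset,large_xfer; flowbits:set,large_xfer;` alert-once-per-flow idiom; the flowbit name `large_xfer`, the packet sizes, the server address 203.0.113.10 and the flow ids are all assumptions made for the example. It is a model for reasoning about alert volume, not Suricata's engine.

```python
"""Model of two Suricata alerting strategies for a large transfer.

Added example, not code from the thread or from Suricata. The threshold
function mimics `threshold: type both, track by_src, count N, seconds S`;
the flowbit function mimics `flowbits:isnotset,X; flowbits:set,X` in a
single rule, which fires once per flow. The trace is constructed.
"""
from collections import namedtuple

LIMIT = 180_000_000        # bytes, as in the thread's rules
WINDOW = 300               # seconds, as in `threshold: ... seconds 300`
CHUNK = 2_000_000          # bytes per packet in the constructed trace

# One packet: timestamp, server IP (the "src" of to_client traffic, which is
# what `track by_src` keys on), flow id, and the cumulative server->client
# bytes on that flow, which is what `stream_size:server` compares against.
Packet = namedtuple("Packet", "ts src flow server_bytes")


def build_trace():
    """Constructed trace: two 900-packet downloads from one server, 1 pkt/s.

    F1 starts at t=0, F2 at t=100; both come from the same (assumed)
    server address, so `track by_src` lumps them together.
    """
    pkts = []
    for flow, start, n in (("F1", 0, 900), ("F2", 100, 900)):
        for i in range(n):
            pkts.append(Packet(start + i, "203.0.113.10", flow, CHUNK * (i + 1)))
    pkts.sort(key=lambda p: (p.ts, p.flow))
    return pkts


def matches(p):
    """The detection part of the rule: stream_size:server, >, LIMIT."""
    return p.server_bytes > LIMIT


def alerts_threshold_both(pkts, count=1, seconds=WINDOW):
    """threshold: type both, track by_src, count N, seconds S.

    A window opens at the first match for a source; only the count-th match
    inside that window alerts; the next window opens at the first match
    after the window expires. Returns [(ts, flow), ...].
    """
    state = {}   # src -> [window_start, matches_in_window]
    alerts = []
    for p in pkts:
        if not matches(p):
            continue
        st = state.get(p.src)
        if st is None or p.ts >= st[0] + seconds:   # open a new window
            st = state[p.src] = [p.ts, 0]
        st[1] += 1
        if st[1] == count:                         # only the count-th match alerts
            alerts.append((p.ts, p.flow))
    return alerts


def alerts_flowbit_once(pkts):
    """flowbits:isnotset,large_xfer; flowbits:set,large_xfer (assumed name).

    The bit lives on the flow, so the rule can match at most once per flow:
    the first packet past LIMIT sets it and every later packet fails isnotset.
    """
    set_flows = set()
    alerts = []
    for p in pkts:
        if matches(p) and p.flow not in set_flows:
            set_flows.add(p.flow)                  # the `set` happens on match
            alerts.append((p.ts, p.flow))
    return alerts


if __name__ == "__main__":
    trace = build_trace()
    print("threshold both:", alerts_threshold_both(trace))
    print("flowbit once  :", alerts_flowbit_once(trace))
```

In the model, the threshold rule keeps re-alerting on the same flow at every 300 s window boundary while the transfer continues, and it swallows the second flow's own crossing because both flows share one `by_src` key; the flowbit idiom produces exactly one alert per flow at the packet where the limit is crossed, which is the "once per large transfer, no flood" behaviour the post asks for.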

Please share details about your deployment

  • Suricata version (should be 7.0.3 or later)
  • Suricata configuration file
  • If available, a pcap with the traffic not being alerted on
  • Machine details (lscpu, lsmem output if using Linux)

I think stream depth also comes into play.
Can relate to Feature #7097: Additions to flow detection - size - Suricata - Open Information Security Foundation
In that line of thought, if you please, could you share where (at what size) the alert triggers?