Suricata IDS displaying same alert within milliseconds

Apex_Predator · February 16, 2023, 8:26pm

Hi there,
is there a work around to avoid Suricata displaying same alert within seconds from same IP?
Attached a better explanation about my question. It is displaying same alert 6 times between second 38 and second 39. I know it could be related to the different source/destination port but it would be helpful to be able to make some sort of filtering.
Thanks!
PS. XXX works very good for testing purposes

Jeff_Lucovsky · February 17, 2023, 3:30pm

Suricata can limit the number of alerts generated by a rule using “thresholds”.

There’s multiple types of thresholds

Per rule (requires rule modification)
Global (requires threshold.config changes).

Global thresholds are discussed here: 10.2. Global-Thresholds — Suricata 7.0.0-rc2-dev documentation

Rule vs global thresholds are discussed here: 10.2. Global-Thresholds — Suricata 7.0.0-rc2-dev documentation

Topic		Replies	Views
Alert for every drop/alert Help	0	35	April 11, 2024
Alert once per connection with Suricata rules Rules aws	9	991	April 12, 2023
Testing ping alert rule Rules suricata	5	3192	July 27, 2022
Suppress alerts around known false positive! Rules	8	2076	August 16, 2023
Disable alerts based on rule ID and IP Address combination Help	3	1588	December 9, 2020

Suricata IDS displaying same alert within milliseconds

Related Topics