Suricata IDS displaying same alert within milliseconds

Apex_Predator · February 16, 2023, 8:26pm

Hi there,
is there a work around to avoid Suricata displaying same alert within seconds from same IP?
Attached a better explanation about my question. It is displaying same alert 6 times between second 38 and second 39. I know it could be related to the different source/destination port but it would be helpful to be able to make some sort of filtering.
Thanks!
PS. XXX works very good for testing purposes

Jeff_Lucovsky · February 17, 2023, 3:30pm

Suricata can limit the number of alerts generated by a rule using “thresholds”.

There’s multiple types of thresholds

Per rule (requires rule modification)
Global (requires threshold.config changes).

Global thresholds are discussed here: 10.2. Global-Thresholds — Suricata 7.0.0-rc2-dev documentation

Rule vs global thresholds are discussed here: 10.2. Global-Thresholds — Suricata 7.0.0-rc2-dev documentation

Topic		Replies	Views
Is there a way to prevent Duplicate alerts from appearing in EVE logs within a period of time? Rules rules , suricata	1	286	July 31, 2023
Question on global thresholding Help	9	76	August 14, 2024
Alert for every drop/alert Help	3	337	May 21, 2024
Rule threshold configuration Rules rules , suricata	2	1507	May 12, 2022
Alert once per connection with Suricata rules Rules aws	9	1407	April 12, 2023

Suricata IDS displaying same alert within milliseconds

Related topics