This rule looks like it’s from ET Pro. If so, then the rule contains “rule threshold” limits.
There are two basic types of thresholds – “global” – these are specified in the threshold.config file used by Suricata. The other type is by rule keywords – these are specified in the definition of the rule (and are contained in the rule using the signature id you posted).
Global thresholds do not permit specification of by rule
This is from the default threshold.config:
```
# The syntax is the following:
#
# threshold gen_id <gen_id>, sig_id <sig_id>, type <limit|threshold|both>, track <by_src|by_dst>, count <n>, seconds <t>
```
Here’s an example using by_rule in threshold.config
Thank you for your reply. I will try to break my questions into topics:
1 - This is a rule from ET OPEN ruleset that has rule keywords. I suppose that creating a global-threshold will overwrite the rule keywords?
2 - Can’t threshold using “track by_destination” or “track by_src” because the alert is always triggered from different sources. Is there any solution to this instead of suppressing? Event_filter did not work…
3 - My rules are being updated through “suricata-update” every day. So, changing the rule keywords will not work because the update will override the changes. Any possible solution?
Where to track the rule matches. When using by_src/by_dst the tracking is done per IP-address. The Host table is used for storage. When using by_rule it’s done globally for the rule. Option by_both is used to track per IP pair of source and destination. Packets going in opposite directions between the same addresses are tracked as the same pair.
When applied to a specific signature, thresholds and event_filters (threshold from now on) will override the signature setting. This can be useful for when the default in a signature doesn’t suit your environment.
These sections from the docs and the following example seem to indicate that threshold should work with by_rule even if the rule has a threshold already.
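As an added example (not from this thread or from the Suricata project), a threshold.config entry that limits one signature rule-wide with track by_rule, so alerts coming from many different source addresses still count against a single limit; the sid, count and interval are placeholders chosen here:

```conf
# Added example: rule-wide limit for one signature in threshold.config.
# Replace <SID> with the sid of the ET rule in question; gen_id 1 is the
# generator id used for signatures loaded from rule files.
#
# A per-IP limit inside the rule itself (track by_src) gives every new
# source address its own budget, so traffic from many sources keeps
# producing alerts:
#   threshold: type limit, track by_src, count 1, seconds 60;   (rule keyword)
#
# A threshold line in threshold.config overrides the rule's own setting
# and tracks the match count for the rule as a whole, regardless of
# source or destination address: at most 1 alert per 60 seconds.
threshold gen_id 1, sig_id <SID>, type limit, track by_rule, count 1, seconds 60

# threshold.config lives outside the rule files, so a daily suricata-update
# refresh of the ruleset leaves this entry in place.
```

Reload Suricata after editing the file so the new threshold is picked up, and check the alert log over a few minutes to confirm the rate has dropped to the configured limit.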