I’m trying to learn Suricata (5.0.4) on an OPNsense firewall.
The documentation says that:
Rule actions drop (IPS mode) and reject are applied to each packet (not only the one that meets the threshold condition).
But when I change such a rule:
alert tcp $SMTP_SERVERS 25 -> $EXTERNAL_NET any (msg:"GPL SMTP AUTH LOGON brute force attempt"; flow:from_server,established; content:"Authentication unsuccessful"; offset:54; nocase; threshold:type threshold, track by_dst, count 5, seconds 60; classtype:suspicious-login; sid:2102275; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
from alert to drop, it works (drops packets starting from the 5th). Has something changed in how thresholds work? Is there no need to change it to detection_filter?
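As an added example that is not part of the post or of Suricata itself: a small Python parser for single-line rules like the one above. It pulls out the action and the threshold / detection_filter fields and lists the drop/reject rules that still use threshold, which is the case the quoted documentation sentence is about. The rule set is constructed (the post's rule switched to drop, plus a detection_filter variant with the placeholder sid 1000001).

```python
import re

# Constructed sample rules (not from the post): the post's rule changed to drop, plus a
# detection_filter variant with a placeholder sid and a semicolon inside its msg.
RULES = r'''
drop tcp $SMTP_SERVERS 25 -> $EXTERNAL_NET any (msg:"GPL SMTP AUTH LOGON brute force attempt"; flow:from_server,established; content:"Authentication unsuccessful"; offset:54; nocase; threshold:type threshold, track by_dst, count 5, seconds 60; classtype:suspicious-login; sid:2102275; rev:3;)
drop tcp $SMTP_SERVERS 25 -> $EXTERNAL_NET any (msg:"semicolon; inside msg"; content:"x|3b|y"; detection_filter:track by_dst, count 5, seconds 60; sid:1000001; rev:1;)
'''
HEADER_RE = re.compile(r'^(\w+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$', re.M)

def split_options(body):
    """Split the option body on ';' outside double quotes; keep backslash escapes verbatim."""
    opts, cur, in_quote, i = [], '', False, 0
    while i < len(body):
        ch = body[i]
        if in_quote and ch == '\\' and i + 1 < len(body):
            cur += body[i:i + 2]; i += 2; continue
        if ch == '"':
            in_quote = not in_quote
        if ch == ';' and not in_quote:
            opts.append(cur.strip()); cur = ''
        else:
            cur += ch
        i += 1
    return [o for o in opts + [cur.strip()] if o]

def parse_counter(spec):
    """'type threshold, track by_dst, count 5, seconds 60' -> dict; count/seconds as ints."""
    pairs = [p.split(None, 1) for p in spec.split(',')]
    return {k: int(v) if k in ('count', 'seconds') else v.strip() for k, v in pairs}

def parse_rules(text):
    rules = []
    for m in HEADER_RE.finditer(text):  # one rule per line; multi-line rules are skipped
        action, proto, src, sport, _dir, dst, dport, body = m.groups()
        opts = {}
        for opt in split_options(body):
            key, _, val = opt.partition(':')
            opts[key.strip()] = val.strip().strip('"')
        rule = {'action': action, 'proto': proto, 'src': src, 'sport': sport,
                'dst': dst, 'dport': dport, 'options': opts}
        for kw in ('threshold', 'detection_filter'):
            if kw in opts:
                rule[kw] = parse_counter(opts[kw])
        rules.append(rule)
    return rules

def drop_rules_with_threshold(rules):
    """sids of drop/reject rules using 'threshold' (per the docs, the action hits every matching packet)."""
    return [r['options']['sid'] for r in rules
            if r['action'] in ('drop', 'reject') and 'threshold' in r]
```

Run it against your own rule files to see which drop/reject rules rely on threshold rather than detection_filter.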