Does Suricata 6.0.4 actually support thresholding by_rule or by_both? I have been running some tests and it does not seem to work.
Say this threshold `threshold gen_id 1, sig_id 1000001, type limit, track by_src, count 10, seconds 10` works fine, but `threshold gen_id 1, sig_id 1000001, type limit, track by_rule, count 10, seconds 10` leads to a parsing error.
Yet the Suricata documentation mentions that the functionality exists. Is it a mistake of mine, or are by_rule and by_both not implemented yet?
is all I have in my threshold.config.
To be more precise, thresholding by_rule or by_both seems to work fine when the threshold is set within the rule:
`alert http any any -> any any (msg:"ALERT!"; sid: 1000001; threshold: type limit, track by_rule, count 10, seconds 10;)`
but leads to an error when thresholding by_rule/by_both is set in the threshold.config file.
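As an added example (not from the original post or from the Suricata project), the small parser below normalizes both forms quoted above, a threshold.config entry and a rule-embedded `threshold:` option, into the same dictionary so the two can be compared field by field. The accepted keyword sets and the helper names are assumptions of this example, not Suricata's own code.

```python
import re

# Keyword values documented for Suricata thresholds (assumed set for this example).
TRACK_VALUES = {"by_src", "by_dst", "by_rule", "by_both"}
TYPE_VALUES = {"limit", "threshold", "both"}

def _parse_fields(text):
    """Turn 'type limit, track by_rule, count 10, seconds 10' into a dict."""
    fields = {}
    for part in text.split(","):
        key, _, value = part.strip().partition(" ")
        if not value:
            raise ValueError(f"malformed field: {part!r}")
        fields[key] = value.strip()
    if fields.get("type") not in TYPE_VALUES:
        raise ValueError(f"unknown type: {fields.get('type')!r}")
    if fields.get("track") not in TRACK_VALUES:
        raise ValueError(f"unknown track: {fields.get('track')!r}")
    for key in ("gen_id", "sig_id", "count", "seconds"):
        if key in fields:
            fields[key] = int(fields[key])
    return fields

def parse_config_entry(line):
    """Parse one threshold.config line of the form
    'threshold gen_id 1, sig_id 1000001, type limit, track by_src, count 10, seconds 10'."""
    m = re.match(r"\s*threshold\s+(.+?)\s*$", line)
    if not m:
        raise ValueError(f"not a threshold entry: {line!r}")
    return _parse_fields(m.group(1))

def parse_rule_threshold(rule):
    """Extract and parse the 'threshold: ...;' option from a rule body."""
    m = re.search(r"threshold:\s*([^;]+);", rule)
    if not m:
        raise ValueError("rule has no threshold option")
    return _parse_fields(m.group(1))

def same_threshold(config_line, rule):
    """True if the config entry and the rule's own threshold option describe the
    same limit (gen_id/sig_id only exist in the config form and are ignored)."""
    cfg = parse_config_entry(config_line)
    opt = parse_rule_threshold(rule)
    keys = ("type", "track", "count", "seconds")
    return all(cfg.get(k) == opt.get(k) for k in keys)
```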