Hi,
I recently configured the following rule. I am trying to alert when there is a possible DDoS attack:
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg: "Possible DDoS attack"; flags: S; flow: stateless; threshold: type both, track by_dst, count 200, seconds 1; sid:14000000; classtype:denial-of-service; rev:1;)
When this rule alerted, I checked the log associated with the traffic flow. I noticed that I have a "Netflow" record (source external address and destination internal address) that indicates this:
suricata.eve.netflow.age: 1
suricata.eve.netflow.bytes: 816
suricata.eve.netflow.end: 2023-01-02T19:45:23.275415+0000
suricata.eve.netflow.max_ttl: 39
suricata.eve.netflow.min_ttl: 38
suricata.eve.netflow.pkts: 12
suricata.eve.netflow.start: 2023-01-02T19:45:22.828251+0000
suricata.eve.tcp.ack: true
suricata.eve.tcp.fin: true
suricata.eve.tcp.syn: true
suricata.eve.tcp.tcp_flags: 13
In the alert information, I can see this:
network.packets: 2
So, my questions are the following:
1 - Why is there a difference in the number of packets?
2 - Why did the rule even trigger? It should only trigger when there are more than 200 packets.
Thanks in advance
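An added illustration (editor's example, not the poster's code and not Suricata's implementation) of the two counters the post compares: a `threshold` with `track by_dst` is kept per destination address and counts every matching packet from every source, while a netflow record's `pkts` field is per flow (one source/destination pair). The script parses the threshold options out of the posted rule, replays a constructed set of SYN packets through a simplified model of `type both` (alert once per interval once `count` matches are seen for the track key), and reports the per-flow packet counts beside the resulting alerts. The sample traffic, the host addresses and the counting model are assumptions for the demonstration only.

```python
"""Per-destination threshold counting versus per-flow packet counts.

Added example: a simplified model of Suricata's `threshold: type both,
track by_dst` behaviour, not Suricata's own code.  Sample traffic below
is constructed for the demonstration.
"""
import re
from collections import defaultdict

# The rule from the post, kept verbatim so its threshold can be parsed.
RULE = ('alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg: "Possible DDoS attack"; '
        'flags: S; flow: stateless; threshold: type both, track by_dst, count 200, '
        'seconds 1; sid:14000000; classtype:denial-of-service; rev:1;)')


def parse_threshold(rule):
    """Return the threshold options of a rule as a dict, e.g.
    {'type': 'both', 'track': 'by_dst', 'count': 200, 'seconds': 1}."""
    match = re.search(r'threshold:\s*([^;]+);', rule)
    if not match:
        return None
    opts = {}
    for part in match.group(1).split(','):
        key, value = part.strip().split(None, 1)
        opts[key] = int(value) if value.isdigit() else value
    return opts


def threshold_both(events, count, seconds, track='by_dst'):
    """Simplified model of threshold type 'both' (assumption: a fixed window
    that starts at the first match for a key; alert once when `count`
    matches accumulate, then stay quiet until the window expires).

    events: iterable of (timestamp_seconds, src_ip, dst_ip) for packets that
    already matched the rule body (here: TCP SYNs to port 80).
    Returns a list of (timestamp, track_key) alerts."""
    state = {}   # track key -> [window_start, matches_in_window, alerted]
    alerts = []
    for ts, src, dst in events:
        key = dst if track == 'by_dst' else src
        window = state.get(key)
        if window is None or ts - window[0] >= seconds:
            window = state[key] = [ts, 0, False]
        window[1] += 1
        if window[1] >= count and not window[2]:
            window[2] = True
            alerts.append((ts, key))
    return alerts


def per_flow_packets(events):
    """Packets per (src, dst) pair: the view a single netflow record gives."""
    counts = defaultdict(int)
    for _, src, dst in events:
        counts[(src, dst)] += 1
    return dict(counts)


def build_sample_events():
    """Constructed sample: 50 external hosts each send 5 SYNs to 10.0.0.5
    within half a second (250 SYNs to one destination), then one host
    sends 10 SYNs to 10.0.0.6.  Addresses are documentation ranges."""
    events = []
    t = 0.0
    for i in range(50):
        src = f'198.51.100.{i + 1}'
        for _ in range(5):
            events.append((t, src, '10.0.0.5'))
            t += 0.002
    for _ in range(10):
        events.append((t, '203.0.113.7', '10.0.0.6'))
        t += 0.002
    return events


def run():
    """Replay the sample through the parsed threshold and return
    (threshold options, alerts, per-flow packet counts)."""
    opts = parse_threshold(RULE)
    events = build_sample_events()
    alerts = threshold_both(events, opts['count'], opts['seconds'], opts['track'])
    return opts, alerts, per_flow_packets(events)


if __name__ == '__main__':
    opts, alerts, flows = run()
    print('threshold options:', opts)
    print('alerts:', alerts)
    print('largest single flow (packets):', max(flows.values()))
```

With the constructed traffic, the destination 10.0.0.5 reaches the count of 200 while no individual flow carries more than 5 packets; 10.0.0.6 never alerts. That is the shape of the discrepancy worth checking in real EVE data: compare the number of distinct source addresses hitting the alerting destination inside the one-second window with the packet count of any single flow record.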