::
threshold gen_id <gid>, sig_id <sid>, type <threshold|limit|both>, \
- track <by_src|by_dst|by_rule|by_both>, count <N>, seconds <T>
+ track <by_src|by_dst|by_rule|by_both|by_flow>, count <N>, seconds <T>
rate_filter
~~~~~~~~~~~
it's done globally for the rule.
Option by_both used to track per IP pair of source and destination. Packets
going to opposite directions between same addresses tracked as the same pair.
+The by_flow option tracks the rule matches in the flow.
count
^^^^^
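Review bot: the added sentence "The by_flow option tracks the rule matches in the flow." does not say whether matches in both directions of a flow share one counter, which the by_both text directly above it spells out for address pairs. Suggest stating that explicitly, and also stating what happens when a matching packet has no flow attached, so readers can tell how by_flow differs from by_both.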
Syntax::
- threshold: type <threshold|limit|both>, track <by_src|by_dst|by_rule|by_both>, count <N>, seconds <T>
+ threshold: type <threshold|limit|both>, track <by_src|by_dst|by_rule|by_both|by_flow>, count <N>, seconds <T>
type "threshold"
~~~~~~~~~~~~~~~~
*Rule actions drop (IPS mode) and reject are applied to each packet.*
+
+track
+~~~~~
+
+.. table::
+
+ +------------------+--------------------------+
+ |Option |Tracks By |
+ +==================+==========================+
+ |by_src |source IP |
+ +------------------+--------------------------+
+ |by_dst |destination IP |
+ +------------------+--------------------------+
+ |by_both |pair of src IP and dst IP |
+ +------------------+--------------------------+
+ |by_rule |signature id |
+ +------------------+--------------------------+
+ |by_flow |flow |
+ +------------------+--------------------------+
+
+
detection_filter
----------------
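Review bot: in the new track table the by_rule row reads "signature id", which can be taken as a per-sid key, while the context line earlier in this patch describes by_rule as "done globally for the rule"; suggest using the same wording in the cell. The by_flow row says only "flow", so a few words on what a flow covers here would help. The hunk also ends with two added blank lines before detection_filter where one is enough.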