Kapisi/roles/Sharingan/files/suricata/threshold.config

# Configure Thresholding and Suppression
# ======================================
#
# The threshold command is deprecated.  Use detection_filter for thresholds
# within a rule and event_filter for standalone threshold configurations.
# Please see README.filters for more information on filters.
#
# Thresholding:
#
# This feature is used to reduce the number of logged alerts for noisy rules.
# This can be tuned to significantly reduce false alarms, and it can also be
# used to write a newer breed of rules. Thresholding commands limit the number
# of times a particular event is logged during a specified time interval.
#
# There are 3 types of event_filters:
#
# 1) Limit
#    Alert on the 1st M events during the time interval, then ignore
#    events for the rest of the time interval.
#
# 2) Threshold
#    Alert every M times we see this event during the time interval.
#
# 3) Both
#    Alert once per time interval after seeing M occurrences of the
#    event, then ignore any additional events during the time interval.
#
# Threshold commands are formatted as:
#
# event_filter gen_id gen-id, sig_id sig-id, \
#     type limit|threshold|both, track by_src|by_dst, \
#     count n , seconds m
#
# Limit to logging 1 event per 60 seconds:
#
# event_filter gen_id 1, sig_id 1851, type limit, \
#     track by_src, count 1, seconds 60
#
# Global Threshold - Limit to logging 1 event per 60 seconds per IP triggering
# each rule (rules are gen_id 1):
#
# event_filter gen_id 1, sig_id 0, type limit, track by_src, count 1, seconds 60
#
# Global Threshold - Limit to logging 1 event per 60 seconds per IP triggering
# any alert for any event generator:
#
# event_filter gen_id 0, sig_id 0, type limit, track by_src, count 1, seconds 60
#
# Suppression:
#
# Suppression commands are standalone commands that reference generators and
# sids and IP addresses via a CIDR block (or IP list). This allows a rule to be
# completely suppressed, or suppressed when the causitive traffic is going to
# or comming from a specific IP or group of IP addresses.
#
# Suppress this event completely:
#
# suppress gen_id 1, sig_id 1852
#
# Suppress this event from this IP:
#
# suppress gen_id 1, sig_id 1852, track by_src, ip 10.1.1.54
#
# Suppress this event to this CIDR block:
#
# suppress gen_id 1, sig_id 1852, track by_dst, ip 10.1.1.0/24
#
# working example from iggbsd2 snort:
#suppress gen_id 122, sig_id 17, track by_src, ip 172.16.0.2
Current state of Sharingan role -- still need to add rkhunter 2022-05-02 15:00:29 -05:00			`# Configure Thresholding and Suppression`
			`# ======================================`
			`#`
			`# The threshold command is deprecated. Use detection_filter for thresholds`
			`# within a rule and event_filter for standalone threshold configurations.`
			`# Please see README.filters for more information on filters.`
			`#`
			`# Thresholding:`
			`#`
			`# This feature is used to reduce the number of logged alerts for noisy rules.`
			`# This can be tuned to significantly reduce false alarms, and it can also be`
			`# used to write a newer breed of rules. Thresholding commands limit the number`
			`# of times a particular event is logged during a specified time interval.`
			`#`
			`# There are 3 types of event_filters:`
			`#`
			`# 1) Limit`
			`# Alert on the 1st M events during the time interval, then ignore`
			`# events for the rest of the time interval.`
			`#`
			`# 2) Threshold`
			`# Alert every M times we see this event during the time interval.`
			`#`
			`# 3) Both`
			`# Alert once per time interval after seeing M occurrences of the`
			`# event, then ignore any additional events during the time interval.`
			`#`
			`# Threshold commands are formatted as:`
			`#`
			`# event_filter gen_id gen-id, sig_id sig-id, \`
			`# type limit\|threshold\|both, track by_src\|by_dst, \`
			`# count n , seconds m`
			`#`
			`# Limit to logging 1 event per 60 seconds:`
			`#`
			`# event_filter gen_id 1, sig_id 1851, type limit, \`
			`# track by_src, count 1, seconds 60`
			`#`
			`# Global Threshold - Limit to logging 1 event per 60 seconds per IP triggering`
			`# each rule (rules are gen_id 1):`
			`#`
			`# event_filter gen_id 1, sig_id 0, type limit, track by_src, count 1, seconds 60`
			`#`
			`# Global Threshold - Limit to logging 1 event per 60 seconds per IP triggering`
			`# any alert for any event generator:`
			`#`
			`# event_filter gen_id 0, sig_id 0, type limit, track by_src, count 1, seconds 60`
			`#`
			`# Suppression:`
			`#`
			`# Suppression commands are standalone commands that reference generators and`
			`# sids and IP addresses via a CIDR block (or IP list). This allows a rule to be`
			`# completely suppressed, or suppressed when the causitive traffic is going to`
			`# or comming from a specific IP or group of IP addresses.`
			`#`
			`# Suppress this event completely:`
			`#`
			`# suppress gen_id 1, sig_id 1852`
			`#`
			`# Suppress this event from this IP:`
			`#`
			`# suppress gen_id 1, sig_id 1852, track by_src, ip 10.1.1.54`
			`#`
			`# Suppress this event to this CIDR block:`
			`#`
			`# suppress gen_id 1, sig_id 1852, track by_dst, ip 10.1.1.0/24`
			`#`
			`# working example from iggbsd2 snort:`
			`#suppress gen_id 122, sig_id 17, track by_src, ip 172.16.0.2`