Format

Rate filters are used as standalone configurations (outside of a rule) and have the following format:

The options are described in the table below - all are required except apply_to, which is optional.

Option	Description
`track by_src \| by_dst \| by_rule`	rate is tracked either by source IP address, destination IP address, or by rule. This means the match statistics are maintained for each unique source IP address, for each unique destination IP address, or they are aggregated at rule level. For rules related to Stream5 sessions, source and destination means client and server respectively. `track by_rule` and `apply_to` may not be used together.
`count c`	the maximum number of rule matches in `s` seconds before the rate filter limit to is exceeded. `c` must be nonzero value.
`seconds s`	the time period over which `count` is accrued. 0 seconds means `count` is a total count instead of a specific rate. For example, `rate_filter` may be used to detect if the number of connections to a specific server exceed a specific count. 0 seconds only applies to internal rules (gen_id 135) and other use will produce a fatal error by Snort.
`new_action alert \| drop \| pass \| log \| sdrop \| reject`	`new_action` replaces rule action for `t` seconds. `drop`, `reject`, and `sdrop` can be used only when snort is used in inline mode. `sdrop` and `reject` are conditionally compiled with GIDS.
`timeout t`	revert to the original rule action after `t` seconds. If `t` is 0, then rule action is never reverted back. An `event_filter` may be used to manage number of alerts after the rule action is enabled by `rate_filter`.
`apply_to <ip-list>`	restrict the configuration to only to source or destination IP address (indicated by track parameter) determined by `<ip-list>`. `track by_rule` and `apply_to` may not be used together. Note that events are generated during the timeout period, even if the rate falls below the configured limit.