event_filter \
gen_id <gid>, sig_id <sid>, \
type <limit|threshold|both>, \
track <by_src|by_dst>, \
count <c>, seconds <s>
threshold \
gen_id <gid>, sig_id <sid>, \
type <limit|threshold|both>, \
track <by_src|by_dst>, \
count <c>, seconds <s>
threshold is an alias for event_filter. Both formats are equivalent and support the options described below - all are required. threshold is deprecated and will not be supported in future releases.
| Option | Description |
|---|---|
| gen_id <gid> | Specify the generator ID of an associated rule. gen_id 0, sig_id 0 can be used to specify a "global" threshold that applies to all rules. |
| sig_id <sid> | Specify the signature ID of an associated rule. sig_id 0 specifies a "global" filter because it applies to all sig_ids for the given gen_id. |
| type limit|threshold|both | type limit alerts on the 1st m events during the time interval, then ignores events for the rest of the time interval. Type threshold alerts every m times we see this event during the time interval. Type both alerts once per time interval after seeing m occurrences of the event, then ignores any additional events during the time interval. |
| track by_src|by_dst | rate is tracked either by source IP address, or destination IP address. This means count is maintained for each unique source IP addresses, or for each unique destination IP addresses. Ports or anything else are not tracked. |
| count c | number of rule matching in s seconds that will cause event_filter limit to be exceeded. c must be nonzero value. A value of -1 disables the event filter and can be used to override the global event_filter. |
| seconds s | time period over which count is accrued. s must be nonzero value. |
|
Note:
Only one event_filter may be defined for a given gen_id, sig_id. If more than one event_filter is applied to a specific gen_id, sig_id pair, Snort will terminate with an error while reading the configuration information.
|
event_filters with sig_id 0 are considered "global" because they apply to all rules with the given gen_id. If gen_id is also 0, then the filter applies to all rules. (gen_id 0, sig_id != 0 is not allowed). Standard filtering tests are applied first, if they do not block an event from being logged, the global filtering test is applied. Thresholds in a rule (deprecated) will override a global event_filter. Global event_filters do not override what's in a signature or a more specific stand-alone event_filter.
| Note: event_filters can be used to suppress excessive rate_filter alerts, however, the first new_action event of the timeout period is never suppressed. Such events indicate a change of state that are significant to the user monitoring the network. |