Limit logging to 1 event per 60 seconds:
event_filter \
gen_id 1, sig_id 1851, \
type limit, track by_src, \
count 1, seconds 60
Limit logging to every 3rd event:
event_filter \
gen_id 1, sig_id 1852, \
type threshold, track by_src, \
count 3, seconds 60
Limit logging to just 1 event per 60 seconds, but only if we exceed 30 events in 60 seconds:
event_filter \
gen_id 1, sig_id 1853, \
type both, track by_src, \
count 30, seconds 60
Limit to logging 1 event per 60 seconds per IP triggering each rule (rule gen_id is 1):
event_filter \
gen_id 1, sig_id 0, \
type limit, track by_src, \
count 1, seconds 60
Limit to logging 1 event per 60 seconds per IP, triggering each rule for each event generator:
event_filter \
gen_id 0, sig_id 0, \
type limit, track by_src, \
count 1, seconds 60
Events in Snort are generated in the usual way; event filters are applied afterwards, as part of the output system. Read gen-msg.map for details on gen ids.
Users can also configure a memcap for threshold with a "config:" option:
config event_filter: memcap <bytes>
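The following Python model, added here as an illustration and not Snort's own code, reproduces the limit, threshold and both semantics of the filters above on a constructed stream of events; the class and function names are assumptions, and the tracking key (gen_id, sig_id, IP) models the "per IP triggering each rule" behaviour of the wildcard examples.

```python
from dataclasses import dataclass, field

# Simplified model of Snort's event_filter semantics (limit / threshold / both).
# Constructed for illustration; it is not Snort's own sfthd code.

@dataclass
class EventFilter:
    gen_id: int      # 0 = any generator
    sig_id: int      # 0 = any signature of that generator
    ftype: str       # "limit", "threshold" or "both"
    track: str       # "by_src" or "by_dst"
    count: int
    seconds: int
    # per (gen_id, sig_id, tracked ip): (window start, events seen in window)
    state: dict = field(default_factory=dict)

    def matches(self, gen_id, sig_id):
        return self.gen_id in (0, gen_id) and self.sig_id in (0, sig_id)

    def log(self, ts, src, dst, gen_id, sig_id):
        """Return True if this event passes the filter and should be logged."""
        if not self.matches(gen_id, sig_id):
            return True                      # filter does not apply to this event
        ip = src if self.track == "by_src" else dst
        key = (gen_id, sig_id, ip)           # wildcards still count per rule, per IP
        start, n = self.state.get(key, (ts, 0))
        if ts - start >= self.seconds:       # window expired: open a new one
            start, n = ts, 0
        n += 1
        if self.ftype == "limit":            # first <count> events per window
            logged = n <= self.count
        elif self.ftype == "threshold":      # every <count>-th event
            logged = n >= self.count
            if logged:
                start, n = ts, 0
        elif self.ftype == "both":           # once per window, on the <count>-th event
            logged = n == self.count
        else:
            raise ValueError(f"unknown filter type {self.ftype}")
        self.state[key] = (start, n)
        return logged


def run(filt, events):
    """Apply a filter to constructed (ts, src, dst, gen_id, sig_id) events."""
    return [filt.log(*e) for e in events]


if __name__ == "__main__":
    f = EventFilter(1, 1851, "limit", "by_src", 1, 60)
    evs = [(t, "10.0.0.5", "10.0.0.1", 1, 1851) for t in (0, 10, 59, 60, 70)]
    print(run(f, evs))  # [True, False, False, True, False]
```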
# this is deprecated:
config threshold: memcap <bytes>