detection_filter defines a rate which must be exceeded by a source or destination host before a rule can generate an event. detection_filter has the following format:
```
detection_filter: \
    track <by_src|by_dst>, \
    count <c>, seconds <s>;
```
| Option | Description |
|---|---|
| track by_src\|by_dst | Rate is tracked either by source IP address or destination IP address. This means a count is maintained for each unique source IP address or each unique destination IP address. |
| count c | The maximum number of rule matches in s seconds allowed before the detection_filter limit is exceeded. c must be nonzero. |
| seconds s | Time period over which count is accrued. The value must be nonzero. |
Snort evaluates a detection_filter as the last step of the detection phase, after evaluating all other rule options (regardless of the position of the filter within the rule source). At most one detection_filter is permitted per rule.
Example - this rule will fire on every failed login attempt from 10.1.2.100 during one sampling period of 60 seconds, after the first 30 failed login attempts:

```
drop tcp 10.1.2.100 any -> 10.1.1.100 22 ( \
    msg:"SSH Brute Force Attempt"; flow:established,to_server; \
    content:"SSH"; nocase; offset:0; depth:4; \
    detection_filter:track by_src, count 30, seconds 60; \
    sid:1000001; rev:1;)
```
Since potentially many events will be generated, a detection_filter would normally be used in conjunction with an event_filter to reduce the number of logged events.
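To make the track/count/seconds semantics concrete, here is an added Python model of the detection_filter counter (written for this page; it is not Snort's own code). It assumes the window semantics described above: the first match by a tracked host opens a window of `seconds`, matches up to `count` inside that window are suppressed, every further match in the window generates an event, and a match after the window has expired opens a new window. The `count 3` setting and the match list are constructed sample values, not the page's 30/60 rule.

```python
# Constructed sample of rule matches: (timestamp in seconds, src_ip, dst_ip).
SAMPLE_MATCHES = [
    (0, "10.1.2.100", "10.1.1.100"),
    (5, "10.1.2.200", "10.1.1.100"),   # a second source host
    (10, "10.1.2.100", "10.1.1.100"),
    (20, "10.1.2.100", "10.1.1.100"),
    (30, "10.1.2.100", "10.1.1.100"),
    (40, "10.1.2.100", "10.1.1.100"),
    (100, "10.1.2.100", "10.1.1.100"),  # beyond the 60 s window: counter resets
    (105, "10.1.2.100", "10.1.1.100"),
]


class DetectionFilter:
    """Per-host counter over a fixed window that starts at the host's first match."""

    def __init__(self, track, count, seconds):
        if track not in ("by_src", "by_dst"):
            raise ValueError("track must be by_src or by_dst")
        if count <= 0 or seconds <= 0:
            raise ValueError("count and seconds must be nonzero")
        self.track, self.count, self.seconds = track, count, seconds
        self._state = {}  # tracked host -> [window_start, matches_in_window]

    def _key(self, src, dst):
        return src if self.track == "by_src" else dst

    def check(self, ts, src, dst):
        """Return True if this rule match should generate an event."""
        host = self._key(src, dst)
        start, n = self._state.get(host, (None, 0))
        if start is None or ts - start > self.seconds:
            # First match, or the previous sampling period has expired:
            # open a new window with this match as number 1 (never fires).
            self._state[host] = [ts, 1]
            return False
        n += 1
        self._state[host] = [start, n]
        return n > self.count  # only matches beyond `count` generate events


def apply_filter(track, count, seconds, matches=SAMPLE_MATCHES):
    """Return the timestamps of the matches that would generate an event."""
    f = DetectionFilter(track, count, seconds)
    return [ts for ts, src, dst in matches if f.check(ts, src, dst)]


if __name__ == "__main__":
    print("by_src:", apply_filter("by_src", 3, 60))  # [30, 40]
    print("by_dst:", apply_filter("by_dst", 3, 60))  # [20, 30, 40]
```

With `track by_src` the second source host keeps its own counter, so only 10.1.2.100's 4th and 5th matches inside the window fire; with `track by_dst` both sources share the destination's counter, so the threshold is crossed one match earlier.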
Note: As mentioned above, Snort evaluates detection_filter as the last step of detection and not in post-detection.