threshold: \
type <limit|threshold|both>, \
track <by_src|by_dst>, \
count <c>, seconds <s>;
| Option | Description |
|---|---|
| type limit|threshold|both | type limit alerts on the 1st m events during the time interval, then ignores events for the rest of the time interval. Type threshold alerts every m times we see this event during the time interval. Type both alerts once per time interval after seeing m occurrences of the event, then ignores any additional events during the time interval. |
| track by_src|by_dst | rate is tracked either by source IP address, or destination IP address. This means count is maintained for each unique source IP addresses, or for each unique destination IP addresses. Ports or anything else are not tracked. |
| count c | number of rule matching in s seconds that will cause event_filter limit to be exceeded. c must be nonzero value. |
| seconds s | time period over which count is accrued. s must be nonzero value. |