This rule logs the first event of this SID every 60 seconds.
alert tcp $external_net any -> $http_servers $http_ports \
(msg:"web-misc robots.txt access"; flow:to_server, established; \
uricontent:"/robots.txt"; nocase; reference:nessus,10302; \
classtype:web-application-activity; threshold:type limit, track \
by_src, count 1 , seconds 60; sid:1000852; rev:1;)
This rule logs every 10th event on this SID during a 60 second interval. So if less than 10 events occur in 60 seconds, nothing gets logged. Once an event is logged, a new time period starts for type=threshold.
alert tcp $external_net any -> $http_servers $http_ports \
(msg:"web-misc robots.txt access"; flow:to_server, established; \
uricontent:"/robots.txt"; nocase; reference:nessus,10302; \
classtype:web-application-activity; threshold:type threshold, \
track by_dst, count 10 , seconds 60 ; sid:1000852; rev:1;)
This rule logs at most one event every 60 seconds if at least 10 events on this SID are fired.
alert tcp $external_net any -> $http_servers $http_ports \
(msg:"web-misc robots.txt access"; flow:to_server, established; \
uricontent:"/robots.txt"; nocase; reference:nessus,10302; \
classtype:web-application-activity; threshold:type both, track \
by_dst, count 10, seconds 60; sid:1000852; rev:1;)