Friday, August 5, 2016

Suricata Rule Thresholding


Suricata's threshold keyword supports three types: threshold, limit and both. Because the three are easy to confuse, I want to explain each of them in a bit more detail.

The notation of rule thresholding in Suricata is shown below. M is the number of matching events (count) and T is the length of the time window in seconds; track selects whether the counter is kept per source or per destination address:

threshold: type <threshold|limit|both>, track <by_src|by_dst>, count <M>, seconds <T>;

type threshold
Type threshold alerts every M times the event is seen during the time interval.

threshold: type threshold, track by_src, count 4, seconds 360;

In the above example the rule generates one alert every time the event is seen 4 times from the same source address within 360 seconds, i.e. on the 4th, 8th, 12th ... occurrence inside the window.

The figure below depicts "type threshold":

type limit
Type limit alerts on the first M events during the time interval, then ignores events for the rest of the time interval.

threshold: type limit, track by_src, count 4, seconds 360;

In the above example the rule generates 4 alerts, one for each of the first 4 times the event is seen from the same source address within 360 seconds. After those it does not generate any alerts for the rest of the 360 seconds.

The figure below depicts "type limit":
 
type both
Type both alerts once per time interval after seeing M occurrences of the event, then ignores any additional events during the time interval.

threshold: type both, track by_src, count 4, seconds 360;

In the above example the rule generates one alert when the event is seen for the 4th time from the same source address within 360 seconds. After that it does not generate any further alert for the rest of the 360 seconds.

The figure below depicts "type both":
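To make the difference between the three types concrete, the following Python script feeds one constructed event stream (made-up addresses 10.0.0.5 and 10.0.0.6, timestamps in seconds) through a small model of each threshold type and prints the timestamps at which an alert would be raised. This is an added example, not code from the original post or from the Suricata project: it models the behaviour described above with one state entry per tracked key and a window that starts at the first matching event for that key, and it does not cover threshold.config or the detection_filter keyword. The rule() helper only shows the keyword inside a complete rule; its msg, port, classtype and sid are hypothetical.

```python
"""Simulation of Suricata's three threshold types over a constructed event
stream.  Added example, not code from the original post or from the Suricata
project: it models the behaviour described in the post (one state entry per
tracked key, the time window starting at the first matching event for that
key) and ignores threshold.config and the detection_filter keyword.
"""

from dataclasses import dataclass, field


@dataclass
class _Window:
    start: int      # timestamp of the first event in the current window
    count: int = 0  # matching events seen so far in the current window


@dataclass
class Threshold:
    """One `threshold:` keyword: type, track key, count M and seconds T."""
    kind: str      # "threshold", "limit" or "both"
    track: str     # "by_src" or "by_dst"
    count: int     # M
    seconds: int   # T
    _state: dict = field(default_factory=dict)

    def handle(self, ts: int, src: str, dst: str) -> bool:
        """Feed one matching event; return True when the rule would alert."""
        key = src if self.track == "by_src" else dst
        win = self._state.get(key)
        if win is None or ts - win.start >= self.seconds:
            # first event for this key, or the old window has expired:
            # open a fresh window starting at this event
            win = self._state[key] = _Window(start=ts, count=1)
        else:
            win.count += 1

        if self.kind == "limit":
            # alert on the first M events of the window, then stay silent
            return win.count <= self.count
        if self.kind == "threshold":
            # alert every M events: the counter restarts after each alert
            if win.count >= self.count:
                win.count = 0
                return True
            return False
        if self.kind == "both":
            # alert exactly once, on the M-th event, then stay silent
            return win.count == self.count
        raise ValueError(f"unknown threshold type {self.kind!r}")


# Constructed sample stream: (timestamp in seconds, source IP, destination IP).
# Host 10.0.0.5 triggers the rule nine times inside 360 s and twice after the
# window has expired; 10.0.0.6 triggers it twice in between.  Addresses are
# made up for the example.
EVENTS = [
    (0, "10.0.0.5", "192.168.1.10"), (30, "10.0.0.5", "192.168.1.10"),
    (60, "10.0.0.5", "192.168.1.10"), (90, "10.0.0.5", "192.168.1.10"),
    (100, "10.0.0.6", "192.168.1.10"), (110, "10.0.0.6", "192.168.1.10"),
    (120, "10.0.0.5", "192.168.1.10"), (150, "10.0.0.5", "192.168.1.10"),
    (180, "10.0.0.5", "192.168.1.10"), (210, "10.0.0.5", "192.168.1.10"),
    (240, "10.0.0.5", "192.168.1.10"),
    (400, "10.0.0.5", "192.168.1.10"), (420, "10.0.0.5", "192.168.1.10"),
]


def simulate(kind: str, events=EVENTS, count: int = 4, seconds: int = 360):
    """Return the timestamps at which a rule with the given threshold type
    (track by_src, count 4, seconds 360 as in the post) would alert."""
    th = Threshold(kind, "by_src", count, seconds)
    return [ts for ts, src, dst in events if th.handle(ts, src, dst)]


def rule(kind: str, count: int = 4, seconds: int = 360) -> str:
    """A complete Suricata rule carrying the keyword, for reference.
    The msg, port, classtype and sid are hypothetical."""
    return (
        "alert tcp $EXTERNAL_NET any -> $HOME_NET 22 "
        f'(msg:"SSH SYN burst ({kind})"; flags:S; '
        f"threshold: type {kind}, track by_src, count {count}, seconds {seconds}; "
        "classtype:attempted-recon; sid:1000001; rev:1;)"
    )


if __name__ == "__main__":
    for kind in ("limit", "threshold", "both"):
        print(f"{kind:>9}: alerts at {simulate(kind)}")
```

Running it shows the three behaviours side by side on the same input: limit alerts on the first four events of 10.0.0.5 (0, 30, 60, 90), on both events of 10.0.0.6 because the counter is tracked per source, and again at 400 and 420 once the 360 second window of 10.0.0.5 has expired; threshold alerts only on the 4th and 8th event (90 and 210) and stays quiet after the window restarts because no further group of four arrives; both alerts once, at 90, and then ignores everything else in the window.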






