Thresholding

2025-12-06 17:22:49 +01:00 · 2022-09-19 16:53:51 -04:00
parent e72eae2e8a
commit 512c044d80
2 changed files with 50 additions and 0 deletions
--- a/salt/suricata/soc_suricata.yaml
+++ b/salt/suricata/soc_suricata.yaml
@@ -1,4 +1,10 @@
 suricata:
+  thresholding:
+    sids__yaml:
+      description: Threshold SIDS List
+      file: True
+      syntax: yaml
+      title: SIDS
  config:
    vars:
      address-groups:
--- a/salt/suricata/thresholding/sids.yaml
+++ b/salt/suricata/thresholding/sids.yaml
@@ -0,0 +1,44 @@
+thresholding:
+  sids:
+    99999999999999999:
+      - threshold:
+          gen_id: 1
+          type: threshold
+          track: by_src
+          count: 10
+          seconds: 10
+      - threshold:
+          gen_id: 1
+          type: limit
+          track: by_dst
+          count: 100
+          seconds: 30
+      - rate_filter:
+          gen_id: 1
+          track: by_rule
+          count: 50
+          seconds: 30
+          new_action: alert
+          timeout: 30
+      - suppress:
+          gen_id: 1
+          track: by_either
+          ip: 10.10.3.7
+    99999999999999998:
+      - threshold:
+          gen_id: 1
+          type: limit
+          track: by_dst
+          count: 10
+          seconds: 10
+      - rate_filter:
+          gen_id: 1
+          track: by_src
+          count: 50
+          seconds: 20
+          new_action: pass
+          timeout: 60
+      - suppress:
+          gen_id: 1
+          track: by_src
+          ip: 10.10.3.0/24