mirror of
https://github.com/zeek/zeek.git
synced 2025-10-09 18:18:19 +00:00
61 lines
2.3 KiB
Text
61 lines
2.3 KiB
Text
# Configure Thresholding and Suppression
|
|
# ======================================
|
|
#
|
|
# Thresholding:
|
|
#
|
|
# This feature is used to reduce the number of logged alerts for noisy rules.
|
|
# This can be tuned to significantly reduce false alarms, and it can also be
|
|
# used to write a newer breed of rules. Thresholding commands limit the number
|
|
# of times a particular event is logged during a specified time interval.
|
|
# There are 3 types of thresholding:
|
|
#
|
|
# 1) Limit
|
|
# Alert on the 1st M events during the time interval, then ignore
|
|
# events
|
|
# for the rest of the time interval.
|
|
# 2) Threshold
|
|
# Alert every M times we see this event during the time interval.
|
|
# 3) Both
|
|
# Alert once per time interval after seeing M occurrences of the
|
|
# event,
|
|
# then ignore any additional events during the time interval.
|
|
#
|
|
# Threshold commands are formatted as:
|
|
# threshold gen_id gen-id, sig_id sig-id, type limit|threshold|both, track
|
|
# by_src|by_dst, count n , seconds m
|
|
#
|
|
# Limit to logging 1 event per 60 seconds
|
|
# threshold gen_id 1, sig_id 1851, type limit, track by_src, count 1, seconds
|
|
# 60
|
|
|
|
# Global Threshold - Limit to logging 1 event per 60 seconds per IP triggering
|
|
# each rule (rules are gen_id 1).
|
|
# threshold gen_id 1, sig_id 0, type limit, track by_src, count 1, seconds 60
|
|
|
|
# Global Threshold - Limit to logging 1 event per 60 seconds per IP triggering
|
|
# any alert for any event generator
|
|
# threshold gen_id 0, sig_id 0, type limit, track by_src, count 1, seconds 60
|
|
#
|
|
# Thresholding does not need to be a stand-alone command, and can instead be
|
|
# written directly into a rule. Please see README.thresholding for more
|
|
# information on thresholding.
|
|
#
|
|
# Suppression:
|
|
#
|
|
# Suppression commands are standalone commands that reference generators and
|
|
# sids and IP addresses via a CIDR block. This allows a rule to be completely
|
|
# suppressed, or suppressed when the causitive traffic is going to or comming
|
|
# from a specific IP or group of IP addresses.
|
|
#
|
|
# Suppress this event completely
|
|
#
|
|
# suppress gen_id 1, sig_id 1852
|
|
#
|
|
# Suppress this event from this IP
|
|
#
|
|
# suppress gen_id 1, sig_id 1852, track by_src, ip 10.1.1.54
|
|
#
|
|
# Suppress this event to this CIDR block
|
|
#
|
|
# suppress gen_id 1, sig_id 1852, track by_dst, ip 10.1.1.0/24
|
|
|