Global Rule Thresholding Options

The default threshold limits event generation for each rule to one event every 60 seconds on traffic going to the same destination. The default values for the global rule thresholding options are:

  • Type — Limit

  • Track By — Destination

  • Count — 1

  • Seconds — 60

You can modify these default values as follows:

Thresholding Types

Option: Limit
Description: Logs and displays events for the specified number of packets (specified by the count argument) that trigger the rule during the specified time period.

For example, if you set the type to Limit, the Count to 10, and the Seconds to 60, and 14 packets trigger the rule, the system stops logging events for the rule after displaying the first 10 that occur within the same minute.

Option: Threshold
Description: Logs and displays a single event when the specified number of packets (specified by the count argument) trigger the rule during the specified time period. Note that the time counter restarts after the threshold count of events is reached and the system logs that event.

For example, if you set the type to Threshold, Count to 10, and Seconds to 60, and the rule triggers 10 times by second 33, the system generates one event, then resets the Seconds and Count counters to 0. The rule then triggers another 10 times in the next 25 seconds. Because the counters were reset to 0 at second 33, the system logs another event.

Option: Both
Description: Logs and displays an event once per specified time period, after the specified number (count) of packets trigger the rule.

For example, if you set the type to Both, Count to 2, and Seconds to 10, the following event counts result:

  • If the rule is triggered once in 10 seconds, the system does not generate any events (the threshold is not met)

  • If the rule is triggered twice in 10 seconds, the system generates one event (the threshold is met when the rule triggers the second time)

  • If the rule is triggered four times in 10 seconds, the system generates one event (the threshold is met when the rule triggers the second time, and the following triggers within that period are ignored)

The Track By option determines whether the event instance count is calculated per source or destination IP address.

You can also specify the number of instances and time period that define the threshold, as follows:

Thresholding Instance/Time Options

Option: Count
Description: For a Limit threshold, the number of event instances per specified time period, per tracking IP address or address range, required to meet the threshold.

For a Threshold threshold, the number of rule matches you want to use as your threshold.

Option: Seconds
Description: For a Limit threshold, the number of seconds that make up the time period during which attacks are tracked.

For a Threshold threshold, the number of seconds that elapse before the count resets.

For example, if you set the threshold type to Limit, the tracking to Source, Count to 10, and Seconds to 10, the system logs and displays the first 10 events that occur in 10 seconds from a given source IP address. If only seven events occur in the first 10 seconds, the system logs and displays those seven. If 40 events occur in the first 10 seconds, the system logs and displays 10, then begins counting again when the 10-second time period elapses.
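The following added example models the three thresholding types and the Track By option described in the tables above, and replays the page's own scenarios (Limit 10/60 with 14 triggers, Threshold 10/60 with two bursts of 10, Both 2/10 with 1, 2 and 4 triggers). It is an illustration written for this page, not Snort's or Firepower's own code; the IP addresses and trigger times are constructed.

```python
# Model of global rule thresholding (limit / threshold / both, tracked by
# source or destination IP). Constructed illustration, not product code.

class RuleThreshold:
    def __init__(self, kind, track_by, count, seconds):
        assert kind in ("limit", "threshold", "both")
        assert track_by in ("src", "dst")
        self.kind, self.track_by = kind, track_by
        self.count, self.seconds = count, seconds
        self.state = {}  # tracked IP -> (time period start, hits in period)

    def trigger(self, t, src, dst):
        """Rule matched at time t; return True if an event should be logged."""
        key = src if self.track_by == "src" else dst
        start, hits = self.state.get(key, (None, 0))
        if start is None or t - start >= self.seconds:
            start, hits = t, 0            # period elapsed: start a new one
        hits += 1
        if self.kind == "limit":          # log the first <count> hits per period
            log = hits <= self.count
        elif self.kind == "threshold":    # log once per <count> hits, then reset
            log = hits >= self.count
            if log:
                start, hits = None, 0     # both counters restart from 0
        else:                             # both: one event per period, on hit <count>
            log = hits == self.count
        self.state[key] = (start, hits)
        return log


def logged_events(kind, track_by, count, seconds, events):
    """events: iterable of (time, src_ip, dst_ip); returns how many are logged."""
    thr = RuleThreshold(kind, track_by, count, seconds)
    return sum(thr.trigger(t, s, d) for t, s, d in events)


def same_pair(times, src="192.0.2.10", dst="198.51.100.5"):
    """Constructed trigger times for one source/destination pair."""
    return [(t, src, dst) for t in times]


if __name__ == "__main__":
    # Limit 10/60 s, 14 triggers in one minute: only the first 10 are logged
    print(logged_events("limit", "dst", 10, 60, same_pair(range(14))))  # 10
    # Threshold 10/60 s: 10 hits by second 33, then 10 more within 25 s
    print(logged_events("threshold", "dst", 10, 60,
                        same_pair(list(range(24, 34)) + list(range(35, 45)))))  # 2
    # Both 2/10 s: 1, 2 and 4 triggers produce 0, 1 and 1 events
    print([logged_events("both", "dst", 2, 10, same_pair(range(n))) for n in (1, 2, 4)])  # [0, 1, 1]
```

Switching `track_by` between "src" and "dst" for the same event stream shows why Track By matters: several sources hitting one destination share a single counter when tracked by destination, but get one counter each when tracked by source.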