2.4.1 Rate Filtering

rate_filter provides rate based attack prevention by allowing users to configure a new action to take for a specified time when a given rate is exceeded. Multiple rate filters can be defined on the same rule, in which case they are evaluated in the order they appear in the configuration file, and the first applicable action is taken.

2.4.1.1 Format

Rate filters are used as standalone configurations (outside of a rule) and have the following format:

verbatim478#

The options are described in the table below - all are required except apply_to, which is optional.


Option Description ;SPMnbsp; ;SPMnbsp;
track by_src | by_dst | by_rule

rate is tracked either by source IP address, destination IP address, or by rule. This means the match statistics are maintained for each unique source IP address, for each unique destination IP address, or they are aggregated at rule level. For rules related to Stream sessions, source and destination means client and server respectively. track by_rule and apply_to may not be used together.

;SPMnbsp; ;SPMnbsp;
count c

the maximum number of rule matches in s seconds before the rate filter limit to is exceeded. c must be nonzero value.

;SPMnbsp; ;SPMnbsp;
seconds s

the time period over which count is accrued. 0 seconds means count is a total count instead of a specific rate. For example, rate_filter may be used to detect if the number of connections to a specific server exceed a specific count. 0 seconds only applies to internal rules (gen_id 135) and other use will produce a fatal error by Snort.

;SPMnbsp; ;SPMnbsp;
new_action alert | drop | pass | log | sdrop | reject

new_action replaces rule action for t seconds. drop, reject, and sdrop can be used only when snort is used in inline mode. sdrop and reject are conditionally compiled with GIDS.

;SPMnbsp; ;SPMnbsp;
timeout t

revert to the original rule action after t seconds. If t is 0, then rule action is never reverted back. An event_filter may be used to manage number of alerts after the rule action is enabled by rate_filter.

;SPMnbsp; ;SPMnbsp;
apply_to ;SPMlt;ip-list;SPMgt;

restrict the configuration to only to source or destination IP address (indicated by track parameter) determined by ;SPMlt;ip-list;SPMgt;. track by_rule and apply_to may not be used together. Note that events are generated during the timeout period, even if the rate falls below the configured limit.

;SPMnbsp; ;SPMnbsp;

2.4.1.2 Examples

Example 1 - allow a maximum of 100 connection attempts per second from any one IP address, and block further connection attempts from that IP address for 10 seconds:

verbatim479#

Example 2 - allow a maximum of 100 successful simultaneous connections from any one IP address, and block further connections from that IP address for 10 seconds:

verbatim480#