If the frequency is set, the IDPS signature will be triggered not with every match, but only after a specified number of matches is detected for a specified time interval. This parameter can be useful, for example, to write signatures for detecting brute force attacks.
To specify the triggering frequency:
.rate=<count>, <period>;
where: <count> --- the number of matches
<period> --- the time interval (in seconds) within which the specified number of matches must occur.
The next parameter is optional and specifies how matches are grouped:
.track=<MODE>;
where: <MODE> --- the property that specifies the packet tracking mode.
<MODE> can take the following values:
- src_ip: tracking by source IP address
- dst_ip: tracking by destination IP address.
If the .track modifier is not specified, all matches are counted together regardless of address, and once the specified limit is reached the signature is triggered.
Example:
UASL(.name="pop3.brute.force"; .protocol=tcp; .pattern="USER"; .flow=from_server; .rate=3,60; .track=src_ip;)
The signature will be triggered after the USER pattern (.pattern="USER";) is found in packets sent from the same IP address (.track=src_ip;) more than 3 times within 60 seconds (.rate=3,60;).
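To make the .rate / .track semantics concrete, here is an added Python model of the counting logic (example code, not the IDPS engine's own implementation). It assumes a sliding window of <period> seconds, that the signature fires when the <count> is reached, and that the counter for that key resets after an alert; the packet records are constructed for this example.

```python
from collections import defaultdict, deque


class RateTracker:
    """Counts pattern matches per tracking key inside a sliding time window."""

    def __init__(self, count, period, track=None):
        self.count = count      # .rate=<count>, ...
        self.period = period    # .rate=..., <period>  (seconds)
        self.track = track      # .track=src_ip | dst_ip | None (no modifier)
        self.windows = defaultdict(deque)  # key -> timestamps of recent matches

    def key(self, pkt):
        # Without .track every match is counted in one shared bucket.
        if self.track == "src_ip":
            return pkt["src_ip"]
        if self.track == "dst_ip":
            return pkt["dst_ip"]
        return None

    def match(self, pkt):
        """Record one match; return True if this match reaches the limit."""
        q = self.windows[self.key(pkt)]
        now = pkt["ts"]
        while q and now - q[0] > self.period:   # drop matches older than <period>
            q.popleft()
        q.append(now)
        if len(q) >= self.count:                # limit reached: alert and reset
            q.clear()
            return True
        return False


def run_signature(packets, count=3, period=60, track="src_ip", pattern=b"USER"):
    """Apply a rate-limited signature to a packet list; return (ts, key) alerts."""
    tracker = RateTracker(count, period, track)
    alerts = []
    for pkt in packets:
        if pattern in pkt["payload"] and tracker.match(pkt):
            alerts.append((pkt["ts"], tracker.key(pkt)))
    return alerts


# Constructed sample traffic: 10.0.0.5 sends USER three times within 60 s,
# 10.0.0.9 only twice; the fourth attempt from 10.0.0.5 falls outside the window.
SAMPLE_PACKETS = [
    {"ts": 0,   "src_ip": "10.0.0.5", "dst_ip": "192.0.2.10", "payload": b"USER alice\r\n"},
    {"ts": 10,  "src_ip": "10.0.0.9", "dst_ip": "192.0.2.10", "payload": b"USER bob\r\n"},
    {"ts": 20,  "src_ip": "10.0.0.5", "dst_ip": "192.0.2.10", "payload": b"USER alice\r\n"},
    {"ts": 25,  "src_ip": "10.0.0.5", "dst_ip": "192.0.2.10", "payload": b"PASS x\r\n"},
    {"ts": 40,  "src_ip": "10.0.0.5", "dst_ip": "192.0.2.10", "payload": b"USER alice\r\n"},
    {"ts": 70,  "src_ip": "10.0.0.9", "dst_ip": "192.0.2.10", "payload": b"USER bob\r\n"},
    {"ts": 200, "src_ip": "10.0.0.5", "dst_ip": "192.0.2.10", "payload": b"USER alice\r\n"},
]
```

With .track=src_ip only 10.0.0.5 reaches the limit (alert at ts=40); without .track the three USER matches from both hosts are counted together and the alert fires earlier, at ts=20.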