https://community.cisco.com/t5/network-security/snort3-rate-filter/m-p/5302760#M1121471 <P>Hello,</P> <P>Im trying to configure rate filter in Firepower Snort3 according to this reference:&nbsp;<A href="https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/snort3-inspectors/snort-3-inspector-reference/rate-filter-inspector.html" target="_blank" rel="noopener">https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/snort3-inspectors/snort-3-inspector-reference/rate-filter-inspector.html</A></P> <P>For single rate filter with single GID:SIG combination it is working as expected. But I would like to configure more rate filters, or at least activate rate-filter for this three intrusion rules 135:1, 135:2, 135:3 for single IP address.</P> <P>In the reference is written: "<SPAN>You can define multiple rate-based filters on the same rule as well as on different rules." And my question is: Does anybody please know how to do this...?</SPAN></P> <P><SPAN>Thanks&nbsp;</SPAN></P> <P>&nbsp;</P> Thu, 26 Jun 2025 07:54:35 GMT Jiri Tyl 2025-06-26T07:54:35Z https://community.cisco.com/t5/network-security/snort3-rate-filter/m-p/5302760#M1121471 <P>Hello,</P> <P>Im trying to configure rate filter in Firepower Snort3 according to this reference:&nbsp;<A href="https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/snort3-inspectors/snort-3-inspector-reference/rate-filter-inspector.html" target="_blank" rel="noopener">https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/snort3-inspectors/snort-3-inspector-reference/rate-filter-inspector.html</A></P> <P>For single rate filter with single GID:SIG combination it is working as expected. But I would like to configure more rate filters, or at least activate rate-filter for this three intrusion rules 135:1, 135:2, 135:3 for single IP address.</P> <P>In the reference is written: "<SPAN>You can define multiple rate-based filters on the same rule as well as on different rules." And my question is: Does anybody please know how to do this...?</SPAN></P> <P><SPAN>Thanks&nbsp;</SPAN></P> <P>&nbsp;</P> Thu, 26 Jun 2025 07:54:35 GMT https://community.cisco.com/t5/network-security/snort3-rate-filter/m-p/5302760#M1121471 Jiri Tyl 2025-06-26T07:54:35Z https://community.cisco.com/t5/network-security/snort3-rate-filter/m-p/5302765#M1121472 <P>Sorry can you more elaborate&nbsp;</P> <P>You need many rate limit for same rule&nbsp;</P> <P>Or rate limit for many rule&nbsp;</P> <P>Thanks&nbsp;</P> <P>MHM</P> Thu, 26 Jun 2025 08:12:35 GMT https://community.cisco.com/t5/network-security/snort3-rate-filter/m-p/5302765#M1121472 MHM Cisco World 2025-06-26T08:12:35Z https://community.cisco.com/t5/network-security/snort3-rate-filter/m-p/5302773#M1121474 <P>Yes, I can elaborate more. I need many rate limit for same rule.</P> <P>Thanks Jiri&nbsp;</P> Thu, 26 Jun 2025 08:26:14 GMT https://community.cisco.com/t5/network-security/snort3-rate-filter/m-p/5302773#M1121474 Jiri Tyl 2025-06-26T08:26:14Z https://community.cisco.com/t5/network-security/snort3-rate-filter/m-p/5302836#M1121481 <P><SPAN>I finally found a solution to my problem. Maybe I can save someone some time...</SPAN></P> <P><SPAN>Data is array, there under is correct JSON syntax for multiple filter items. On top of this, you should set the corresponding action in the intrussion rule overrides (if it is not in default) for the used&nbsp;GID:SIG ( for me 135:1, 135:2 and 135:3).</SPAN></P> <P>{<BR />"rate_filter": {<BR />"type": "singleton",<BR />"enabled": true,<BR />"data": [<BR />{<BR />"apply_to": "[X.X.X.X]",<BR />"count": 10,<BR />"gid": 135,<BR />"new_action": "block",<BR />"seconds": 1,<BR />"sid": 1,<BR />"timeout": 30,<BR />"track": "by_dst"<BR />},<BR />{<BR />"apply_to": "[X.X.X.X]",<BR />"count": 10,<BR />"gid": 135,<BR />"new_action": "block",<BR />"seconds": 1,<BR />"sid": 2,<BR />"timeout": 30,<BR />"track": "by_dst"<BR />},<BR />{<BR />"apply_to": "[X.X.X.X]",<BR />"count": 10,<BR />"gid": 135,<BR />"new_action": "block",<BR />"seconds": 1,<BR />"sid": 3,<BR />"timeout": 30,<BR />"track": "by_dst"<BR />}<BR />]<BR />}<BR />}</P> Thu, 26 Jun 2025 12:08:21 GMT https://community.cisco.com/t5/network-security/snort3-rate-filter/m-p/5302836#M1121481 Jiri Tyl 2025-06-26T12:08:21Z https://community.cisco.com/t5/network-security/snort3-rate-filter/m-p/5302987#M1121484 <P>The code you use is not for same rule&nbsp;</P> <P><SPAN>GID:SIG</SPAN></P> <P><SPAN>I think you use SIG 1'2'3</SPAN></P> <P><SPAN>Anyway I think I found solution but I will more check it before answer you</SPAN></P> <P><SPAN>Thanks&nbsp;</SPAN></P> <P><SPAN>MHM</SPAN></P> Thu, 26 Jun 2025 14:20:57 GMT https://community.cisco.com/t5/network-security/snort3-rate-filter/m-p/5302987#M1121484 MHM Cisco World 2025-06-26T14:20:57Z https://community.cisco.com/t5/network-security/snort3-rate-filter/m-p/5305979#M1121627 <P>Check this if this what you looking for&nbsp;</P> <P><A href="https://rayka-co.com/lesson/cisco-firepower-event-suppression/" target="_blank">https://rayka-co.com/lesson/cisco-firepower-event-suppression/</A></P> <P><A href="https://www.cisco.com/c/en/us/support/docs/security/secure-firewall-threat-defense/221881-configure-custom-local-snort-rules-in-sn.html" target="_blank">https://www.cisco.com/c/en/us/support/docs/security/secure-firewall-threat-defense/221881-configure-custom-local-snort-rules-in-sn.html</A></P> <P>MHM</P> Sat, 05 Jul 2025 12:17:19 GMT https://community.cisco.com/t5/network-security/snort3-rate-filter/m-p/5305979#M1121627 MHM Cisco World 2025-07-05T12:17:19Z