Snort3 rate filter

Jiri Tyl
Level 1

Hello,

I'm trying to configure a rate filter in Firepower Snort3 according to this reference: https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/snort3-inspectors/snort-3-inspector-reference/rate-filter-inspector.html

For a single rate filter with a single GID:SIG combination it is working as expected. But I would like to configure more rate filters, or at least activate the rate filter for these three intrusion rules 135:1, 135:2, 135:3 for a single IP address.

The reference says: "You can define multiple rate-based filters on the same rule as well as on different rules." My question is: does anybody know how to do this, please?

Thanks 

4 Replies

Sorry, can you elaborate more?

Do you need many rate limits for the same rule,

or a rate limit for many rules?

Thanks 

MHM

Yes, I can elaborate more. I need many rate limits for the same rule.

Thanks Jiri 

Jiri Tyl
Level 1

I finally found a solution to my problem. Maybe I can save someone some time...

Data is an array; below is the correct JSON syntax for multiple filter items. On top of this, you should set the corresponding action in the intrusion rule overrides (if it is not the default) for the used GID:SIG (for me 135:1, 135:2 and 135:3).

{
  "rate_filter": {
    "type": "singleton",
    "enabled": true,
    "data": [
      {
        "apply_to": "[X.X.X.X]",
        "count": 10,
        "gid": 135,
        "new_action": "block",
        "seconds": 1,
        "sid": 1,
        "timeout": 30,
        "track": "by_dst"
      },
      {
        "apply_to": "[X.X.X.X]",
        "count": 10,
        "gid": 135,
        "new_action": "block",
        "seconds": 1,
        "sid": 2,
        "timeout": 30,
        "track": "by_dst"
      },
      {
        "apply_to": "[X.X.X.X]",
        "count": 10,
        "gid": 135,
        "new_action": "block",
        "seconds": 1,
        "sid": 3,
        "timeout": 30,
        "track": "by_dst"
      }
    ]
  }
}
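
The accepted configuration above, rebuilt as an added example (not from the thread and not Cisco's or Snort's own code): the first function produces the same JSON shape for any list of SIDs under one GID and one apply_to address, and the class is a simplified model of what a single entry does to hits from the tracked address. The sliding-window and timeout behaviour is an assumption drawn from the field names, not something the page states.

```python
"""Added example (not from the thread or Cisco): build the rate_filter
'data' array shown in the accepted answer and simulate, in a simplified
way, how one entry changes the rule action for a tracked address."""
from collections import defaultdict, deque


def build_rate_filter(ip, gid, sids, count=10, seconds=1, timeout=30,
                      new_action="block", track="by_dst"):
    """One data entry per SID, all sharing the same apply_to list."""
    return {"rate_filter": {"type": "singleton", "enabled": True, "data": [
        {"apply_to": f"[{ip}]", "count": count, "gid": gid,
         "new_action": new_action, "seconds": seconds, "sid": sid,
         "timeout": timeout, "track": track}
        for sid in sids]}}


class RateFilterEntry:
    """Simplified model (an assumption, not Snort's code): once `count`
    events for the same tracked key fall inside a `seconds` window, the
    action becomes `new_action` for `timeout` seconds, then reverts."""

    def __init__(self, entry, default_action="alert"):
        self.count, self.seconds = entry["count"], entry["seconds"]
        self.timeout, self.new_action = entry["timeout"], entry["new_action"]
        self.default_action = default_action
        self.hits = defaultdict(deque)  # tracked key -> recent event times
        self.active_until = {}          # tracked key -> when new_action ends

    def event(self, key, t):
        """Record a rule hit for `key` (e.g. dst IP for track=by_dst) at
        time t seconds; return the action applied to that packet."""
        if self.active_until.get(key, -1.0) > t:
            return self.new_action
        window = self.hits[key]
        window.append(t)
        while window and window[0] <= t - self.seconds:  # drop old hits
            window.popleft()
        if len(window) >= self.count:
            window.clear()
            # assumption: timeout 0 means the new action never reverts
            self.active_until[key] = (float("inf") if self.timeout == 0
                                      else t + self.timeout)
            return self.new_action
        return self.default_action
```

With the thread's values (count 10, seconds 1, timeout 30) a burst of ten hits inside one second flips that destination to block for 30 seconds, while slower hits to the same address stay at the rule's default action.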

The code you use is not for the same rule.

GID:SIG

I think you use SIG 1, 2, 3.

Anyway, I think I found a solution, but I will check it more before answering you.

Thanks 

MHM
