detection_filter

The detection_filter option is used to require multiple rule hits before generating an "event". Rule writers use this option to define a rate (a count of matches within a number of seconds) that must be exceeded by a source or destination host before the rule can generate an event.

This option is used by declaring three things: (1) whether to track from a source or destination host, (2) the maximum number of rule matches in s seconds allowed before the detection filter limit is exceeded, and (3) the period over which the count is accrued.

Snort evaluates a detection_filter option last, after evaluating all other rule options (regardless of the position of the filter within the rule source). Only one detection_filter option is permitted per rule.

Format:

detection_filter:track {by_src|by_dst}, count c, seconds s;

Examples:

# this rule looks for 30 SSH login attempts occurring
# in 60 seconds from a single source IP
flow:established,to_server;
content:"SSH",nocase,offset 0,depth 4;
detection_filter:track by_src, count 30, seconds 60;
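The following Python simulation is an added illustration of the counting semantics described above (track key, count, seconds); it is not Snort code. It assumes a fixed window that starts at a host's first match and resets once the window has elapsed, and fires only when the per-host count exceeds c; the match stream is constructed.

```python
# Constructed stream of packets that matched every other option of the
# rule: (timestamp in seconds, source IP, destination IP), in arrival order.
CONSTRUCTED_MATCHES = sorted(
    [(t, "10.1.2.3", "192.0.2.10") for t in range(31)]   # 31 hits within 60 s
    + [(5, "10.9.9.9", "192.0.2.10")]                    # other source, own counter
    + [(130, "10.1.2.3", "192.0.2.10")]                  # window expired, count restarts
)


def apply_detection_filter(matches, track, count, seconds):
    """Return the indexes of matches that would generate an event.

    Assumed model (not spelled out on the page): one counter per tracked
    host, a fixed window opened by that host's first match and reset once
    more than `seconds` have elapsed; an event is generated only when the
    number of matches inside the window exceeds `count`.
    """
    key_index = {"by_src": 1, "by_dst": 2}[track]
    state = {}  # tracked host -> (window_start, hits_in_window)
    events = []
    for i, match in enumerate(matches):
        ts, host = match[0], match[key_index]
        start, hits = state.get(host, (None, 0))
        if start is None or ts - start > seconds:
            start, hits = ts, 0          # open a fresh window for this host
        hits += 1
        state[host] = (start, hits)
        if hits > count:                 # c matches are allowed; c+1 and later fire
            events.append(i)
    return events


if __name__ == "__main__":
    # With count 30 / seconds 60 tracked by_src, only the 31st hit from
    # 10.1.2.3 (index 31) generates an event; the hit at t=130 starts over.
    print(apply_detection_filter(CONSTRUCTED_MATCHES, "by_src", 30, 60))
    # Tracked by_dst, both sources feed one counter, so it fires earlier.
    print(apply_detection_filter(CONSTRUCTED_MATCHES, "by_dst", 30, 60))
```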