Overview
This filter is true only when an event that has already passed the preceding filters in the rule has occurred X times within Y seconds.
The Flags/Counters filters must be placed after all the other filter types in the rule, so that the other filters are evaluated first and the counter only sees events that passed them.
Details
The Threshold filter is useful when you only want to know about an event when it reaches a certain level. For example, you may receive the occasional message containing the text "port scan detected", but you only want to be alerted to it when it occurs 5 times within a minute. This would indicate that there is someone persistently scanning your network.
Another example would be to watch for failed login attempts. If the text "login failed" occurred more than 5 times within 30 seconds then it could indicate a brute force login attempt.
Example of a failed login notification using the Threshold filter:
Rule: Failed login
Filters
Filter: Field=Hostname, Type=Simple.
Include: "unixhost.company.com" [S]
Filter: Field=Msg Text, Type=Simple.
Include: "login failed" [S]
Filter: Field=Flags/Counters, Type=Threshold
Filter is true if event occurs 10 times in 120 seconds.
Actions
Action: Send E-mail message
E-mail body: Intruder Alert Login failed 10 times in 2 minutes.
Alert - %MsgText
When 10 messages containing the text "login failed" arrive from the host "unixhost.company.com" within 120 seconds, the filter is true and the actions below it are performed.
This filter can also be used to reduce the amount of notification e-mail sent to you: set the threshold at which you want to be notified instead of being alerted on every matching message.
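The following is an added worked example, not code from the original page or from the product it describes: a small Python model of the rule above (Hostname filter, Msg Text filter, then a Threshold filter of 10 events in 120 seconds) run over constructed syslog-style events. It assumes the "Simple" filters behave as case-insensitive substring matches and that the counter restarts after it fires, so 10 matching events yield one alert rather than an alert for every event after the tenth; both are assumptions made for the example. It also shows the same events under a tighter window, where the threshold is never reached, which is the point of the failed-login example in the Details section.

```python
"""Sliding-window threshold filter applied to syslog-style events.

Assumed model (not taken from the original page): a rule is an ordered list
of filters; the Threshold filter is evaluated last and counts only events
that already passed every earlier filter. The counter is reset after it
fires, so `count` matching events produce one alert, not one per event.
"""
from collections import deque
from dataclasses import dataclass


@dataclass
class Event:
    ts: float        # seconds since some epoch
    hostname: str
    msg_text: str


class ThresholdFilter:
    """True when `count` events have been fed within a trailing `seconds` window."""

    def __init__(self, count: int, seconds: float):
        self.count = count
        self.seconds = seconds
        self._times = deque()   # timestamps of counted events, oldest first

    def feed(self, ts: float) -> bool:
        # Expire timestamps that have fallen out of the trailing window.
        while self._times and ts - self._times[0] > self.seconds:
            self._times.popleft()
        self._times.append(ts)
        if len(self._times) >= self.count:
            # Assumption: the counter restarts after firing, so each alert
            # represents a fresh batch of `count` events.
            self._times.clear()
            return True
        return False


def run_rule(events, host: str, text: str, count: int, seconds: float):
    """Return (timestamp, e-mail body) for each time the rule's action fires.

    Filters are evaluated in the order the page requires: Hostname and
    Msg Text first, the Flags/Counters threshold last.
    """
    threshold = ThresholdFilter(count, seconds)
    alerts = []
    for ev in events:
        if host.lower() not in ev.hostname.lower():      # Hostname, Simple
            continue
        if text.lower() not in ev.msg_text.lower():      # Msg Text, Simple
            continue
        if threshold.feed(ev.ts):                        # Flags/Counters, Threshold
            body = (f"Intruder Alert Login failed {count} times in "
                    f"{seconds:.0f} seconds.\nAlert - {ev.msg_text}")
            alerts.append((ev.ts, body))
    return alerts


def _unixhost_failure(ts: float) -> Event:
    return Event(ts, "unixhost.company.com", "login failed for user root from 10.0.0.7")


# Constructed sample events (not real log data): 12 failures from unixhost,
# plus lines that the earlier filters must discard.
SAMPLE_EVENTS = [
    _unixhost_failure(0.0),
    Event(5.0, "central-router.company.com", "login failed for user admin"),  # other host
    _unixhost_failure(10.0),
    _unixhost_failure(20.0),
    Event(30.0, "unixhost.company.com", "login ok for user bob"),              # not a failure
    *[_unixhost_failure(float(t)) for t in range(40, 120, 10)],              # 40..110, 8 events
    _unixhost_failure(400.0),                                                 # outside any window
]

if __name__ == "__main__":
    # Rule from the page: 10 failures in 120 seconds -> one alert, at t=100.
    for ts, body in run_rule(SAMPLE_EVENTS, "unixhost.company.com", "login failed", 10, 120):
        print(f"t={ts:.0f}s action: Send E-mail message\n{body}\n")
    # Same events, 60-second window: at most 7 failures fall inside it, no alert.
    print(run_rule(SAMPLE_EVENTS, "unixhost.company.com", "login failed", 10, 60))
```

The tenth counted failure arrives at t=100, the first at t=0, so the 120-second window holds all ten and the action fires once; the event from central-router.company.com and the "login ok" line never reach the counter because they fail the earlier filters. Shrinking the window to 60 seconds lets the oldest timestamps expire before the count reaches 10, so no e-mail is sent, which is the knob the Details section describes for separating one stray failure from a persistent brute-force attempt.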