doc/userguide: document new threshold config options

OISF · Jun 18, 2024 · 8dee1b5 · 8dee1b5
1 parent dc2cf2d
commit 8dee1b5
Show file tree

Hide file tree

Showing 3 changed files with 22 additions and 0 deletions.
diff --git a/doc/userguide/configuration/global-thresholds.rst b/doc/userguide/configuration/global-thresholds.rst
@@ -6,6 +6,9 @@ Thresholds can be configured in the rules themselves, see
 their intelligence for creating a rule combined with a judgement on how often
 a rule will alert.
 
+Thresholds are tracked in a hash table that is sized according to configuration, see:
+:ref:`suricata-yaml-thresholds`.
+
 Threshold Config
 ----------------
 

diff --git a/doc/userguide/configuration/suricata-yaml.rst b/doc/userguide/configuration/suricata-yaml.rst
@@ -739,6 +739,22 @@ To let Suricata make these decisions set default to 'auto':
     prefilter:
       default: auto
 
+.. _suricata-yaml-thresholds:
+
+Thresholding Settings
+~~~~~~~~~~~~~~~~~~~~~
+
+Thresholding uses a central hash table for tracking thresholds of the types: by_src, by_dst, by_both.
+
+::
+
+  detect:
+    thresholds:
+      hash-size: 16384
+      memcap: 16mb
+
+``detect.thresholds.hash-size`` controls the number of hash rows in the hash table.
+``detect.thresholds.memcap`` controls how much memory can be used for the hash table and the data stored in it.
 
 Pattern matcher settings
 ~~~~~~~~~~~~~~~~~~~~~~~~

diff --git a/doc/userguide/rules/thresholding.rst b/doc/userguide/rules/thresholding.rst
@@ -4,6 +4,9 @@ Thresholding Keywords
 Thresholding can be configured per rule and also globally, see
 :doc:`../configuration/global-thresholds`.
 
+Thresholds are tracked in a hash table that is sized according to configuration, see:
+:ref:`suricata-yaml-thresholds`.
+
 *Note: mixing rule and global thresholds is not supported in 1.3 and
 before. See bug #425.* For the state of the support in 1.4 see
 :ref:`global-thresholds-vs-rule-thresholds`