Definitely Suricata has any bug with threshold. suppress gen_id 1, sig_id 2020565, track by_src, ip 8.8.8.8 And I receive an alert: The IP address 8.8.8.8 has been blocked due to the following rule match: The signature ID is [1:2020565:1] ET POLICY Dropbox DNS Lookup - Possible Offsite File Backup ...