Threshold and suppression rules were first introduced in Snort Version 2.0.0. They allow an administrator to control how many alerts are generated from (or to) a given host or for a particular signature. Unfortunately, they were very thinly documented and (while it might get me in a bit of trouble with the folks at Sourcefire) were a little buggy. Snort 2.1.x not only fixes the problems, it also introduces global thresholds, which let you control alert volume for all rules.
Threshold and suppression commands are, by convention, placed in the threshold.conf file in the same directory as the rule sets. While this is not required, it is a good idea to keep them in one place.
Threshold and suppression rules can track by source or destination IP address. This matters because a signature may alert on an inbound attack packet or on an outbound response to an attack. Note that suppression rules are applied before thresholding rules.
Threshold rules come in three flavors (excerpt from the README.thresholding file):
Alert on the first M events during the time interval, then ignore events for the rest of the time interval.
Alert every M times this event is seen during the time interval.
Alert once per time interval after seeing M occurrences of the event, then ignore any additional events during the time interval.
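The following is an added example, not code from Snort or from the original text. It models the three flavors listed above under Snort's type keywords limit, threshold and both, in the order given, and drops suppressed addresses before counting. The function name, the event tuples and the rule that an interval starts at a tracked address's first event are assumptions made for illustration.

```python
# Model of the three threshold types plus suppression (illustrative, not Snort code).
# Assumption: a tracked address's interval starts at its first event and
# restarts with the first event seen after `seconds` have elapsed.

def filter_alerts(events, kind, count, seconds, track="by_src", suppress=()):
    """Return the events that would still produce an alert.

    events   -- (timestamp, src_ip, dst_ip) tuples sorted by timestamp
    kind     -- "limit", "threshold" or "both"
    track    -- "by_src" or "by_dst": which address the counter is keyed on
    suppress -- tracked addresses whose events are dropped before counting
    """
    if kind not in ("limit", "threshold", "both"):
        raise ValueError("unknown threshold type: %r" % kind)
    state = {}   # tracked address -> (interval start, events seen in interval)
    alerts = []
    for ts, src, dst in events:
        key = src if track == "by_src" else dst
        if key in suppress:          # suppression runs first: never counted
            continue
        start, seen = state.get(key, (ts, 0))
        if ts - start >= seconds:    # interval expired: open a new one
            start, seen = ts, 0
        seen += 1
        state[key] = (start, seen)
        if kind == "limit":          # first M events, then silence
            fire = seen <= count
        elif kind == "threshold":    # every Mth event
            fire = seen % count == 0
        else:                        # "both": once, on the Mth event
            fire = seen == count
        if fire:
            alerts.append((ts, src, dst))
    return alerts

# Constructed sample: one noisy source, one quiet source, same destination.
EVENTS = sorted(
    [(t, "10.0.0.5", "192.168.1.10") for t in (0, 5, 10, 15, 20, 25, 70, 75)]
    + [(3, "10.0.0.9", "192.168.1.10")]
)

def alert_times(kind, **opts):
    """Timestamps that alert with count 3 in a 60 second interval."""
    return [ts for ts, _, _ in filter_alerts(EVENTS, kind, 3, 60, **opts)]

if __name__ == "__main__":
    for kind in ("limit", "threshold", "both"):
        print(kind, alert_times(kind))
```

Tracking by destination instead of source merges both senders into one counter, so the quiet source uses up part of the noisy source's allowance.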
Threshold rules can be incorporated into the rule definitions themselves or built as standalone rules. The administrative ...