Bug #1214
Closed
Global Thresholds (sig_id 0, gid_id 0) not applied correctly if a signature has event vars
Description
I have this rule in my threshold.conf and noticed that it didn't work as expected:
event_filter gen_id 0, sig_id 0, type limit, track by_src, count 1, seconds 10
There is a single relevant line in the logs:
[9295] 17/6/2014 -- 18:32:51 - (util-threshold-config.c:473) <Warning> (SetupThresholdRule) -- [ERRCODE: SC_ERR_EVENT_ENGINE(210)] - signature sid:26645 has an event var set. The signature event var is given precedence over the threshold.conf one. We'll change this in the future though.
While investigating the possible causes, I stumbled upon the SetupThresholdRule function, which applies thresholds to signatures.
When provided with a wildcard threshold (sig_id 0, gid_id 0), SetupThresholdRule iterates over the signature list and applies the threshold rule to every signature.
However, if a signature already has a threshold assigned, SetupThresholdRule emits a warning and then exits, breaking the for loop and preventing the threshold from being set for all subsequent signatures in the signature list.
Attached you'll find a patch that replaces the "goto end" lines with "continue", causing the loop to continue with the subsequent signatures.
Files
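The loop behaviour described in the report, as an added example that is not part of the bug report or of Suricata's own source: a small model of a SetupThresholdRule-style loop over a linked signature list, run once with the original "goto end" on a conflicting signature and once with "continue". The type and function names (Signature, apply_global_threshold, run_scenario) and the four-signature list are constructed for the illustration.

```c
/* Added example, not Suricata code: models why aborting the loop on the
 * first signature that already carries its own threshold ("event var")
 * leaves every later signature without the global threshold.conf rule. */
#include <stdio.h>
#include <stdbool.h>
#include <stddef.h>

typedef struct Signature {
    unsigned sid;
    bool has_event_var;      /* signature carries its own threshold keyword */
    bool threshold_applied;  /* set once the threshold.conf rule is attached */
    struct Signature *next;
} Signature;

/* Walk the list and attach the wildcard (sig_id 0, gid_id 0) threshold.
 * abort_on_conflict == true  reproduces the original "goto end" behaviour,
 * abort_on_conflict == false reproduces the patched "continue" behaviour.
 * Returns the number of signatures that received the threshold. */
static int apply_global_threshold(Signature *list, bool abort_on_conflict)
{
    int applied = 0;
    for (Signature *s = list; s != NULL; s = s->next) {
        if (s->has_event_var) {
            /* the signature's own event var takes precedence; warn either way */
            fprintf(stderr, "warning: signature sid:%u has an event var set\n",
                    s->sid);
            if (abort_on_conflict)
                goto end;    /* bug: leaves the loop, skipping all later sigs */
            continue;        /* fix: skip only this signature */
        }
        s->threshold_applied = true;
        applied++;
    }
end:
    return applied;
}

#define NSIGS 4

/* Constructed signature list: sids 1, 26645, 3, 4; only 26645 has its own
 * event var, so it sits in the middle of the list like in the report. */
static int run_scenario(bool abort_on_conflict)
{
    Signature sigs[NSIGS] = {
        { .sid = 1 },
        { .sid = 26645, .has_event_var = true },
        { .sid = 3 },
        { .sid = 4 },
    };
    for (int i = 0; i < NSIGS - 1; i++)
        sigs[i].next = &sigs[i + 1];
    sigs[NSIGS - 1].next = NULL;
    return apply_global_threshold(sigs, abort_on_conflict);
}

int main(void)
{
    printf("goto end: %d of %d signatures thresholded\n",
           run_scenario(true), NSIGS);
    printf("continue: %d of %d signatures thresholded\n",
           run_scenario(false), NSIGS);
    return 0;
}
```

With the abort, only the signature before sid 26645 gets the global limit, so sids 3 and 4 silently keep alerting without any rate limit even though threshold.conf looks correct; with the fix, only the signature that has its own event var is skipped, and the warning is still logged for it. The practical check on a deployment is the one the report points at: a single "has an event var set" warning at startup is enough to suspect that the global threshold reached none of the signatures loaded after it.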
Updated by Victor Julien over 10 years ago
- Status changed from New to Closed
- Assignee set to Alessandro Guido
- Target version set to 2.0.2
- % Done changed from 0 to 100
Fixed by https://github.com/inliniac/suricata/pull/995, thanks Alessandro!