Bug #1243

closed

threshold is blocking every packet in drop mode

Added by Andreas Herz over 10 years ago. Updated over 8 years ago.

Status:
Closed
Priority:
Normal
Assignee:
-
Target version:
-
Affected Versions:
Effort:
Difficulty:
Label:

Description

I have the following small testing rule with threshold functionality:

alert icmp any any -> any any (msg:"PING Threshold Test rule"; threshold: type limit, count 3, seconds 10, track by_src; sid:2123456; rev:1; )

If I use Suricata in IPS/inline mode I get the following packets logged: "1-3, 11-13, 21-23, ...".
With "threshold: type threshold" it's "3, 6, 9, 12, 15, ...".
With "threshold: type both" it's "3, 13, 23, ...".

But as soon as I switch the rule to drop, it drops every packet, not the ones I want from the threshold rule:

drop icmp any any -> any any (msg:"PING Threshold Test rule"; threshold: type limit, count 3, seconds 10, track by_src; sid:2123456; rev:1; )

I knew this strange behaviour from Snort, and needed to parse the rules and convert them from threshold to detection_filter.
Is this behaviour wanted in Suricata?

On https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Rule-Thresholding you say:

limit:
Rule actions drop (IPS mode) and reject are applied to each packet that meets the threshold condition.

threshold:
Rule actions drop (IPS mode) and reject are applied to each packet that meets the limit condition.

both:
Rule actions drop (IPS mode) and reject are applied to each match after the initial threshold is reached within the time frame.

I would say that not all packets should be dropped, if I read the comments correctly.
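The three threshold types the report compares, modelled in Python as an added illustration for this page (it is not Suricata's code; the semantics are reconstructed from the sequences the reporter lists, with count 3, seconds 10 and one matching packet per second as constructed input). `threshold_matches` reproduces the alert-mode sequences, and `unexpected_drops` shows which packets a drop rule with the same keyword would discard under the observed behaviour (every packet) but not under the wiki text, which is the traffic an operator would lose without noticing:

```python
"""Model of Suricata's `threshold` keyword types (limit, threshold, both).

Illustrative model written for this page, not Suricata's own implementation.
It reproduces the alert-mode sequences listed in the report (count 3,
seconds 10, one matching packet per second) and contrasts them with the
drop-mode behaviour the reporter observed (every packet dropped).
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class ThresholdState:
    """State kept per tracked key (the rule above tracks by_src)."""
    window_start: Optional[float] = None  # time the current window opened
    count: int = 0                        # matches seen in the current window
    fired: bool = False                   # type both: already alerted in window


def threshold_matches(timestamps: List[float], ttype: str,
                      count: int, seconds: int) -> List[int]:
    """Return the 1-based numbers of packets the rule action applies to.

    timestamps: arrival time (seconds) of each rule match from one source.
    ttype: "limit", "threshold" or "both".
    count, seconds: the keyword's count and time window.
    """
    st = ThresholdState()
    matched: List[int] = []
    for n, t in enumerate(timestamps, start=1):
        # Open a fresh window when none is open or the previous one expired.
        if st.window_start is None or t >= st.window_start + seconds:
            st = ThresholdState(window_start=t)
        st.count += 1
        if ttype == "limit":
            # The first `count` matches in a window fire; later ones are silent.
            if st.count <= count:
                matched.append(n)
        elif ttype == "threshold":
            # Every `count`-th match inside a window fires and the counter restarts.
            if st.count == count:
                matched.append(n)
                st = ThresholdState()
        elif ttype == "both":
            # Fire once per window, on the `count`-th match.
            if st.count == count and not st.fired:
                matched.append(n)
                st.fired = True
        else:
            raise ValueError(f"unknown threshold type {ttype!r}")
    return matched


def unexpected_drops(timestamps: List[float], ttype: str,
                     count: int, seconds: int) -> List[int]:
    """Packets dropped under the reported behaviour (every packet) that the
    wiki text says a drop rule with this threshold should let through."""
    expected = set(threshold_matches(timestamps, ttype, count, seconds))
    observed = set(range(1, len(timestamps) + 1))  # report: all packets dropped
    return sorted(observed - expected)


if __name__ == "__main__":
    pings = list(range(1, 31))  # constructed: 30 ICMP matches, one per second
    for ttype in ("limit", "threshold", "both"):
        print(f"{ttype:>9}: action applies to {threshold_matches(pings, ttype, 3, 10)}")
    print("limit + drop, packets dropped beyond the documented set:",
          unexpected_drops(pings, "limit", 3, 10))
```

The window handling is the part worth checking against your own traffic: a window opens on the first match and expires `seconds` later, so sparse matches that straddle an expired window do not accumulate, which is the same reason the reporter's sequences restart at packets 11 and 21.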

Actions #1

Updated by Andreas Herz over 10 years ago

Andreas Herz wrote:

I would say that not all packets should be dropped, if I read the comments correctly.

After some discussion I would suggest either changing the wiki page to make it clear that Suricata uses the same behaviour as Snort with threshold, that it's a deprecated option, and that the rules should be changed to event_filter or detection_filter (I would do that if it's approved by the devs),
or someone helps me to change the behaviour in the code :)

Actions #2

Updated by Andreas Herz over 10 years ago

Andreas Herz wrote:

Andreas Herz wrote:

I would say that not all packets should be dropped, if I read the comments correctly.

After some discussion I would suggest either changing the wiki page to make it clear that Suricata uses the same behaviour as Snort with threshold, that it's a deprecated option, and that the rules should be changed to event_filter or detection_filter (I would do that if it's approved by the devs),
or someone helps me to change the behaviour in the code :)

For now I changed the Wiki and FAQ.

Actions #3

Updated by Victor Julien over 8 years ago

  • Status changed from New to Closed