Bug #1243
threshold is blocking every packet in drop mode
Status: closed
Description
I have the following small testing rule with threshold functionality:
alert icmp any any -> any any (msg:"PING Threshold Test rule"; threshold: type limit, count 3, seconds 10, track by_src; sid:2123456; rev:1; )
If I use Suricata in IPS/inline mode I get the following packets logged: "1-3, 11-13, 21-23, ...".
With "threshold: type threshold" it's "3, 6, 9, 12, 15, ...".
With "threshold: type both" it's "3, 13, 23, ...".
But as soon as I switch the rule to drop, it's dropping every packet, not the ones I want from the threshold rule:
drop icmp any any -> any any (msg:"PING Threshold Test rule"; threshold: type limit, count 3, seconds 10, track by_src; sid:2123456; rev:1; )
I knew this strange behaviour from Snort, and needed to parse the rules and convert them from threshold to detection_filter.
Is this behaviour wanted in Suricata?
On https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Rule-Thresholding you say:
limit:
Rule actions drop (IPS mode) and reject are applied to each packet that meets the threshold condition.
threshold:
Rule actions drop (IPS mode) and reject are applied to each packet that meets the limit condition.
both:
Rule actions drop (IPS mode) and reject are applied to each match after the initial threshold is reached within the time frame.
I would say that not all packets should be dropped if I read the comments correctly.
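The three alert sequences and the drop behaviour reported above can be reproduced with a small model of the threshold types. This is an added example written for this page, not Suricata's code and not part of the report: it assumes one ICMP echo request per second from a single source (the constructed PINGS list), so packet number n arrives at second n-1, and it models each type so that it yields exactly the sequences listed above. The `drop_only_when_alerting` switch is hypothetical (no such Suricata option exists) and is there only to contrast the observed behaviour (every matching packet dropped) with what the reporter expected (only the packets that meet the threshold condition dropped).

```python
"""Model of Suricata's threshold types (limit / threshold / both) and of the
drop behaviour described in the report.  Constructed for illustration; it is
not Suricata's implementation."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Threshold:
    kind: str       # "limit", "threshold" or "both"
    count: int
    seconds: int


@dataclass
class Rule:
    action: str     # "alert" or "drop"
    threshold: Threshold
    # Hypothetical switch, not a Suricata option.  False models what the
    # report observed: a drop rule drops every matching packet.  True models
    # the expectation that only packets meeting the threshold are dropped.
    drop_only_when_alerting: bool = False


@dataclass
class TrackState:
    """Per track-key (here: by_src) counter and window start, in seconds."""
    window_start: int = 0
    current_count: int = 0


def threshold_fires(th: Threshold, state: TrackState, ts: int) -> bool:
    """Account for one matching packet at time ts and report whether the
    threshold condition lets this match through to an alert."""
    if ts - state.window_start >= th.seconds:
        # Window expired: start a new one with this packet.
        state.window_start, state.current_count = ts, 0
    state.current_count += 1
    if th.kind == "limit":
        # The first `count` matches per window alert, the rest are suppressed.
        return state.current_count <= th.count
    if th.kind == "threshold":
        # Every count-th match alerts and the window restarts at that point.
        if state.current_count >= th.count:
            state.window_start, state.current_count = ts, 0
            return True
        return False
    if th.kind == "both":
        # Exactly one alert per window, on the count-th match.
        return state.current_count == th.count
    raise ValueError(f"unknown threshold type {th.kind!r}")


def simulate(rule: Rule, packets: List[Tuple[int, str]]) -> Tuple[List[int], List[int]]:
    """Run matching packets (timestamp, track key) through the rule.
    Returns (1-based numbers of packets that alert, numbers of packets dropped)."""
    states: Dict[str, TrackState] = {}
    alerted, dropped = [], []
    for n, (ts, key) in enumerate(packets, start=1):
        state = states.setdefault(key, TrackState(window_start=ts))
        fires = threshold_fires(rule.threshold, state, ts)
        if fires:
            alerted.append(n)
        if rule.action == "drop" and (fires or not rule.drop_only_when_alerting):
            dropped.append(n)
    return alerted, dropped


# Constructed input: 30 ICMP echo requests, one per second, one source host.
PINGS = [(t, "10.0.0.5") for t in range(30)]


def run_report_cases() -> Dict[str, Tuple[List[int], List[int]]]:
    """For each threshold type: packets the alert rule logs, and packets the
    equivalent drop rule drops (count 3, seconds 10, track by_src)."""
    results = {}
    for kind in ("limit", "threshold", "both"):
        th = Threshold(kind, count=3, seconds=10)
        alerts, _ = simulate(Rule("alert", th), PINGS)
        _, dropped = simulate(Rule("drop", th), PINGS)
        results[kind] = (alerts, dropped)
    return results


if __name__ == "__main__":
    for kind, (alerts, dropped) in run_report_cases().items():
        print(f"{kind:>9}: alert rule logs packets {alerts}")
        print(f"{'':>9}  drop rule drops {len(dropped)} of {len(PINGS)} packets")
```

Running it prints the three sequences from the report (1-3, 11-13, 21-23 for limit; every third packet for threshold; 3, 13, 23 for both) and, for each of them, 30 of 30 packets dropped by the drop variant, which is the mismatch the report is about: the threshold only gates the alert, not the verdict.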
Updated by Andreas Herz over 10 years ago
Andreas Herz wrote:
I would say that not all packets should be dropped if I read the comments correctly.
After some discussion I would suggest either changing the wiki page to make it clear that Suricata uses the same behaviour as Snort with threshold, that it's a deprecated option, and that the rules should be changed to event_filter or detection_filter. (I would do that if it's approved by the devs)
Or someone helps me change the behaviour in the code :)
Updated by Andreas Herz over 10 years ago
For now I changed the Wiki and FAQ.