Bug #1247

open

Using suppress in threshold.config does not prevent dropping

Added by Andreas Herz over 9 years ago. Updated about 5 years ago.

Status: New
Priority: Normal
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

I have Suricata 2.0.2 running in inline/IPS mode, with the following rule active:

drop ip any any -> any any (msg:"GPL ATTACK_RESPONSE id check returned root"; content:"uid=0|28|root|29|"; fast_pattern:only; classtype:bad-unknown; sid:2100498; rev:8;)

So I have created an index.html for testing:

uid=0(root) gid=0(root) groups=0(root)

With a small Python server:
python -m SimpleHTTPServer

I can trigger the rule by:
lynx http://10.0.20.89:8000/

The rule triggers, logs into fast.log etc. and also drops the attempt.
I put "suppress gen_id 1, sig_id 2100498" into the threshold.config and restarted Suricata.
What I would have expected is that I see no logs and it won't be dropped.
The logs don't appear (I have fast.log, alert-debug.log, drop.log and http.log active), but it's still dropped.
The same test in Snort with the same suppress rule does not log and does not drop.

I guess this might be a bug introduced in some newer version, since Victor Julien got the same issue working in 2012:

http://blog.inliniac.net/2012/03/07/f-secure-av-updates-and-suricata-ips/

And I would suggest the option to also apply threshold.config within the dynamic rule reload, so it's not necessary to restart the whole of Suricata if you just added one line to threshold.config.
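The following is an offline model of the test described in this report, added here as an example; it is not code from the report, from Suricata or from Snort. It decodes the rule's content pattern (Snort/Suricata pipe-hex syntax), checks it against the index.html body the reporter served, parses the threshold.config suppress line, and returns the decision the reporter expected (and describes Snort as implementing): a suppressed signature neither alerts nor drops. It does not reproduce the Suricata 2.0.2 behaviour the report complains about. The function names decode_content, parse_rule, parse_suppress and evaluate are this example's own, and the sample body and config strings are constructed from the report's text.

```python
"""Offline model of the suppress test in bug #1247 (added example, not Suricata code)."""
import re

# Rule, response body and threshold.config line as given in the report
# (constructed sample data for this example).
RULE = ('drop ip any any -> any any (msg:"GPL ATTACK_RESPONSE id check returned root"; '
        'content:"uid=0|28|root|29|"; fast_pattern:only; classtype:bad-unknown; '
        'sid:2100498; rev:8;)')
INDEX_HTML = b"uid=0(root) gid=0(root) groups=0(root)\n"
THRESHOLD_CONFIG = "suppress gen_id 1, sig_id 2100498\n"


def decode_content(pattern: str) -> bytes:
    """Turn a Snort/Suricata content string into raw bytes.

    Text outside |...| is literal ASCII; inside the pipes are hex byte values
    separated by spaces, so "uid=0|28|root|29|" becomes b"uid=0(root)".
    """
    out = bytearray()
    for i, chunk in enumerate(pattern.split("|")):
        if i % 2 == 0:                      # literal text
            out += chunk.encode("ascii")
        else:                               # hex bytes
            for hx in chunk.split():
                out.append(int(hx, 16))
    return bytes(out)


def parse_rule(rule: str) -> dict:
    """Extract the action, sid, gid (default 1) and first content pattern."""
    action = rule.split()[0]
    sid = int(re.search(r"\bsid:\s*(\d+)", rule).group(1))
    gid_m = re.search(r"\bgid:\s*(\d+)", rule)
    gid = int(gid_m.group(1)) if gid_m else 1
    content = re.search(r'content:\s*"([^"]*)"', rule).group(1)
    return {"action": action, "sid": sid, "gid": gid,
            "content": decode_content(content)}


def parse_suppress(config: str) -> set:
    """Return the (gen_id, sig_id) pairs suppressed unconditionally.

    Only the plain 'suppress gen_id N, sig_id M' form used in the report is
    handled; track_by_src/dst variants are ignored here.
    """
    pairs = set()
    for line in config.splitlines():
        m = re.match(r"\s*suppress\s+gen_id\s+(\d+)\s*,\s*sig_id\s+(\d+)\s*$", line)
        if m:
            pairs.add((int(m.group(1)), int(m.group(2))))
    return pairs


def evaluate(rule: str, body: bytes, config: str) -> dict:
    """Decide, for one response body, what the reporter expected to happen.

    'matched' says whether the content pattern is in the body; 'alert' and
    'drop' follow the expectation stated in the report: a suppressed signature
    neither logs nor drops. (This is an assumption of the model, not a
    statement about what Suricata 2.0.2 actually did.)
    """
    r = parse_rule(rule)
    matched = r["content"] in body
    suppressed = (r["gid"], r["sid"]) in parse_suppress(config)
    fires = matched and not suppressed
    return {"matched": matched, "suppressed": suppressed,
            "alert": fires, "drop": fires and r["action"] == "drop"}


if __name__ == "__main__":
    print("without suppress:", evaluate(RULE, INDEX_HTML, ""))
    print("with suppress:   ", evaluate(RULE, INDEX_HTML, THRESHOLD_CONFIG))
```

Running the module shows the pattern matching the served body both times, with alert and drop true without the suppress line and both false with it; the gap the report describes is that the real engine returned alert false but drop true in the second case.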
