Bug #1515: Problem with Threshold.config when using more than one IP

Added by Guru Medidation over 10 years ago. Updated almost 10 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

Hi,

I discovered some odd behaviours with threshold.config when using more than one IP.
Here is how I can reproduce the problem and test each time, using this rule:
"suppress gen_id 1, sig_id 2002026, track by_src, ip [your_ip, another_ip]"

This rule gets ignored if there is more than one IP within the brackets [ ]. To trigger it I just join my own IRC channel and write garbage in it. With one [IP] I don't see any alert... with 2 [IP] the alerts occur.

What is odd is that:
a) This works fine with Snort
b) I have plenty more rules with more than one IP and they do not get ignored by Suricata!

It seems this is also a problem with many IRC related rules (from 2002023 to 2002028).

Thanks.


Files

test_msg.pcap (156 Bytes) test_msg.pcap IRC Message that still goes through even if suppressed in threshold Guru Medidation, 07/27/2015 04:09 AM
threshold.config (212 Bytes) threshold.config Guru Medidation, 07/27/2015 04:10 AM

GM Updated by Guru Medidation over 10 years ago Actions #1

suricata -V shows the following:
Suricata version 2.1dev (rev 5f63691)

But I have been using VictorJ GIT Next-v5 branch by the way

VJ Updated by Victor Julien over 10 years ago Actions #2

  • Assignee set to OISF Dev
  • Priority changed from High to Normal
  • Target version set to 3.0RC1

GM Updated by Guru Medidation over 10 years ago Actions #3

I have attached a sample threshold.config and a single packet pcap file, enough to reproduce the issue.

I have also included 2 lines in the config file, one line that doesn't work (but should work) and one line that does work (and is commented).

GM Updated by Guru Medidation over 10 years ago Actions #4

Problem also confirmed on
Suricata version 2.1dev (rev 834c366)

GM Updated by Guru Medidation over 10 years ago Actions #5

Actually, none of the rules with more than 1 IP get suppressed. So nothing special with the IRC related rules. Just a problem with threshold.config handling multiple IPs in [ ]

GM Updated by Guru Medidation over 10 years ago Actions #6

Updated with attachment

VJ Updated by Victor Julien over 10 years ago Actions #7

  • Status changed from New to Assigned
  • Assignee changed from OISF Dev to Victor Julien

VJ Updated by Victor Julien over 10 years ago Actions #8

  • Target version changed from 3.0RC1 to 70

VJ Updated by Victor Julien about 10 years ago Actions #9

  • Priority changed from Normal to High

AH Updated by Andreas Herz almost 10 years ago Actions #10

You should have received this error:

<Error> - [ERRCODE: SC_ERR_PCRE_MATCH(2)] - pcre_exec parse error, ret -1, string , track by_src, ip [192.168.1.10, 192.168.1.13, 192.168.1.20]

This triggers when you use space after comma, could you try this threshold:

suppress gen_id 1, sig_id 2002026, track by_src, ip [192.168.1.10,192.168.1.13,192.168.1.20]

That worked for me (with other IPs but same rules)
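The thread's conclusion is that the `suppress` line is not a multi-IP bug at all: the threshold parser rejects the line because of the space after each comma inside the `[ ]` list, and the only symptom is an error at startup that is easy to miss. A small pre-flight check catches that before Suricata is reloaded. The linter below is an added example written for this page, not code from the Suricata project; it assumes the `suppress gen_id ..., sig_id ..., track by_src|by_dst, ip ...` syntax shown in the thread, treats any whitespace inside the brackets as the failure condition Andreas describes, validates each entry as an IPv4/IPv6 address or network, and emits the normalized line. The sample config is constructed from the two lines discussed above (the addresses are the ones in the quoted error message).

```python
import ipaddress
import re

# Constructed sample threshold.config: the reporter's broken line, the
# corrected form from comment #10, and a single-IP suppress for contrast.
SAMPLE_THRESHOLD_CONFIG = """\
# broken: space after each comma inside the brackets
suppress gen_id 1, sig_id 2002026, track by_src, ip [192.168.1.10, 192.168.1.13, 192.168.1.20]
# works: no whitespace inside the brackets
suppress gen_id 1, sig_id 2002026, track by_src, ip [192.168.1.10,192.168.1.13,192.168.1.20]
suppress gen_id 1, sig_id 2002027, track by_src, ip 10.0.0.5
"""

# Matches the suppress syntax used in the thread; the track/ip part is optional
# because a bare "suppress gen_id X, sig_id Y" is also valid.
SUPPRESS_RE = re.compile(
    r"^suppress\s+gen_id\s+(?P<gid>\d+)\s*,\s*sig_id\s+(?P<sid>\d+)"
    r"(?:\s*,\s*track\s+(?P<track>by_src|by_dst)\s*,\s*ip\s+(?P<ip>.+?))?\s*$"
)


def split_ip_list(ip_field):
    """Split the ip field into entries. Returns (entries, had_whitespace).

    had_whitespace is True when the bracketed list contained any whitespace,
    which is the condition that makes the parser reject the line.
    """
    field = ip_field.strip()
    if field.startswith("[") and field.endswith("]"):
        inner = field[1:-1]
        had_ws = any(ch.isspace() for ch in inner)
        entries = [part.strip() for part in inner.split(",") if part.strip()]
        return entries, had_ws
    return [field], False


def normalize_suppress(gid, sid, track, entries):
    """Rebuild the suppress line with a whitespace-free ip list."""
    ip_text = entries[0] if len(entries) == 1 else "[" + ",".join(entries) + "]"
    return f"suppress gen_id {gid}, sig_id {sid}, track {track}, ip {ip_text}"


def lint_threshold_config(text):
    """Return a list of (line_number, problem, suggested_line) findings."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = SUPPRESS_RE.match(line)
        if not m:
            findings.append((lineno, "line does not match suppress syntax", line))
            continue
        if m.group("ip") is None:
            continue  # no ip list, nothing to check
        entries, had_ws = split_ip_list(m.group("ip"))
        for entry in entries:
            # Accept a host address or a CIDR network; strict=False tolerates
            # host bits set in a network entry.
            try:
                ipaddress.ip_network(entry, strict=False)
            except ValueError:
                findings.append((lineno, f"invalid address {entry!r}", line))
        if had_ws:
            fixed = normalize_suppress(m.group("gid"), m.group("sid"),
                                       m.group("track"), entries)
            findings.append((lineno, "whitespace inside ip list", fixed))
    return findings


if __name__ == "__main__":
    for lineno, problem, suggestion in lint_threshold_config(SAMPLE_THRESHOLD_CONFIG):
        print(f"line {lineno}: {problem}\n    suggested: {suggestion}")
```

Run it against the real threshold.config before reloading Suricata; a finding of "whitespace inside ip list" is exactly the line that would otherwise produce the `SC_ERR_PCRE_MATCH` error quoted above and silently leave the suppression inactive.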

AH Updated by Andreas Herz almost 10 years ago Actions #11

  • Status changed from Assigned to Closed

VJ Updated by Victor Julien almost 10 years ago Actions #12

  • Assignee changed from Victor Julien to Andreas Herz
  • Priority changed from High to Normal
  • Target version changed from 70 to 3.1.1