Bug #1515
Status: closed
Problem with Threshold.config when using more than one IP
Description
Hi,
I discovered some odd behaviours with threshold.config when using more than one IP.
Here is how I can reproduce the problem and test each time, using this rule:
"suppress gen_id 1, sig_id 2002026, track by_src, ip [your_ip, another_ip]"
This rule gets ignored if there is more than one IP within the brackets [ ]. To trigger it I just join my own IRC channel and write garbage in it. With one [IP] I don't see any alert... with 2 [IP] the alerts occur.
What is odd is that:
a) This works fine with Snort
b) I have plenty more rules with more than one IP and they do not get ignored by Suricata!
It seems this is also a problem with many IRC related rules (from 2002023 to 2002028).
Thanks.
Files
Updated by Guru Medidation almost 10 years ago
suricata -V shows the following:
Suricata version 2.1dev (rev 5f63691)
But I have been using VictorJ GIT Next-v5 branch by the way
Updated by Victor Julien almost 10 years ago
- Assignee set to OISF Dev
- Priority changed from High to Normal
- Target version set to 3.0RC1
Updated by Guru Medidation almost 10 years ago
I have attached a sample threshold.config and a single packet pcap file, enough to reproduce the issue.
I have also included 2 lines in the config file, one line that doesn't work (but should work) and one line that does work (and is commented).
Updated by Guru Medidation almost 10 years ago
Problem also confirmed on
Suricata version 2.1dev (rev 834c366)
Updated by Guru Medidation almost 10 years ago
Actually, none of the rules with more than 1 IP get suppressed. So nothing special with the IRC related rules. Just a problem with threshold.config handling multiple IPs in [ ]
Updated by Guru Medidation over 9 years ago
- File test_msg.pcap test_msg.pcap added
- File threshold.config threshold.config added
Updated with attachment
Updated by Victor Julien over 9 years ago
- Status changed from New to Assigned
- Assignee changed from OISF Dev to Victor Julien
Updated by Victor Julien over 9 years ago
- Target version changed from 3.0RC1 to 70
Updated by Andreas Herz almost 9 years ago
You should have received this error:
<Error> - [ERRCODE: SC_ERR_PCRE_MATCH(2)] - pcre_exec parse error, ret -1, string , track by_src, ip [192.168.1.10, 192.168.1.13, 192.168.1.20]
This triggers when you use a space after a comma; could you try this threshold:
suppress gen_id 1, sig_id 2002026, track by_src, ip [192.168.1.10,192.168.1.13,192.168.1.20]
That worked for me (with other IPs but same rules)
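As an added illustration of the space-after-comma failure discussed in this ticket (example code, not Suricata's parser and not part of the ticket): a small Python checker that parses suppress lines tolerantly, flags lines that a whitespace-intolerant parser would reject, and rewrites them into the comma-only form that worked. The strict regex, the IPv4-only address check and the sample config are assumptions made for the example.

```python
import re
# Constructed sample config modelled on the ticket's attachment: the first rule
# has spaces after the commas (rejected), the commented one does not (accepted).
SAMPLE_CONFIG = """\
suppress gen_id 1, sig_id 2002026, track by_src, ip [192.168.1.10, 192.168.1.13, 192.168.1.20]
#suppress gen_id 1, sig_id 2002026, track by_src, ip [192.168.1.10,192.168.1.13,192.168.1.20]
suppress gen_id 1, sig_id 2002027, track by_dst, ip 192.168.1.10
"""
# Hypothetical strict pattern standing in for a parser that refuses whitespace
# inside the bracket list; it is NOT Suricata's own regex.
STRICT = re.compile(r"^suppress gen_id (\d+), sig_id (\d+), track (by_src|by_dst), ip (\S+)$")
# Simplification: IPv4 with optional CIDR only (no IPv6, no '!' negation).
IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}(?:/\d{1,2})?$")
TOLERANT = re.compile(r"^suppress\s+gen_id\s+(\d+)\s*,\s*sig_id\s+(\d+)\s*,\s*"
                      r"track\s+(by_src|by_dst)\s*,\s*ip\s+(.+?)\s*$")

def parse_suppress(line):
    """Parse one suppress line, ignoring whitespace around commas inside [ ].
    Returns a dict, or None if the line is not a valid suppress rule."""
    m = TOLERANT.match(line)
    if not m:
        return None
    gen_id, sig_id, track, ip_field = m.groups()
    if ip_field.startswith("[") and ip_field.endswith("]"):
        ips = [p.strip() for p in ip_field[1:-1].split(",")]
    else:
        ips = [ip_field]
    if not all(IPV4.match(ip) for ip in ips):
        return None
    return {"gen_id": int(gen_id), "sig_id": int(sig_id), "track": track, "ips": ips}

def normalize(line):
    """Rewrite a suppress line into the whitespace-free form reported as working."""
    p = parse_suppress(line)
    if p is None:
        raise ValueError("not a valid suppress line: " + line)
    ip_field = p["ips"][0] if len(p["ips"]) == 1 else "[" + ",".join(p["ips"]) + "]"
    return "suppress gen_id %d, sig_id %d, track %s, ip %s" % (p["gen_id"], p["sig_id"], p["track"], ip_field)

def lint_config(text):
    """Per rule line: 'ok', 'needs-normalize' (tolerant parse only) or 'invalid'."""
    out = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parsed = parse_suppress(line)
        verdict = "invalid" if parsed is None else ("ok" if STRICT.match(line) else "needs-normalize")
        out.append((n, verdict))
    return out
```

Running `lint_config(SAMPLE_CONFIG)` reports the first rule as needing normalization and the last as fine; `normalize()` turns the first into the exact form Andreas posted.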
Updated by Andreas Herz almost 9 years ago
- Status changed from Assigned to Closed
This is also addressed by https://github.com/inliniac/suricata/pull/2153
Updated by Victor Julien almost 9 years ago
- Assignee changed from Victor Julien to Andreas Herz
- Priority changed from High to Normal
- Target version changed from 70 to 3.1.1