Bug #1515
closedProblem with Threshold.config when using more than one IP
Description
Hi,
I discovered some off behaviours with threshold.config when using more than one IP.
Here is how I can reproduce the problem and test each time, using this rule:
"suppress gen_id 1, sig_id 2002026, track by_src, ip [your_ip, another_ip]"
this rule gets ignored if there are more than one ip within the brackets [ ] . To trigger it I just join my own IRC channel and write garbage in it. With one [IP] I dont see any alert... with 2 [IP] the alerts occur.
What is odd is that:
a) This works fine with Snort
b) I have plenty more rules with more than one IP and they do not get ignored by Suricata!
It seems this is also a problem with many IRC related rule (from 2002023 to 2002028)
Thanks.
Files
Updated by Guru Medidation over 9 years ago
suricata -V shows the following:
Suricata version 2.1dev (rev 5f63691)
But I have been using VictorJ GIT Next-v5 branch by the way
Updated by Victor Julien over 9 years ago
- Assignee set to OISF Dev
- Priority changed from High to Normal
- Target version set to 3.0RC1
Updated by Guru Medidation over 9 years ago
I have attached a sample threshold.config and a single packet pcap file, enough to reproduce the issue.
I have also included 2 lines in the config file, one line that doesnt work (but should work) and one line that does work (and is commented)
Updated by Guru Medidation over 9 years ago
Problem also confirmed on
Suricata version 2.1dev (rev 834c366)
Updated by Guru Medidation over 9 years ago
Actually, none of the rules with more than 1 IP get suppressed. So nothing special with the IRC related rules. Just a problem with threshold.config handling multiple IPs in [ ]
Updated by Guru Medidation over 9 years ago
- File test_msg.pcap test_msg.pcap added
- File threshold.config threshold.config added
Updated with attachment
Updated by Victor Julien over 9 years ago
- Status changed from New to Assigned
- Assignee changed from OISF Dev to Victor Julien
Updated by Victor Julien about 9 years ago
- Target version changed from 3.0RC1 to 70
Updated by Victor Julien almost 9 years ago
- Priority changed from Normal to High
Updated by Andreas Herz over 8 years ago
You should have received this error:
<Error> - [ERRCODE: SC_ERR_PCRE_MATCH(2)] - pcre_exec parse error, ret -1, string , track by_src, ip [192.168.1.10, 192.168.1.13, 192.168.1.20]
This triggers when you use space after comma, could you try this threshold:
suppress gen_id 1, sig_id 2002026, track by_src, ip [192.168.1.10,192.168.1.13,192.168.1.20]
That worked for me (with other IPs but same rules)
Updated by Andreas Herz over 8 years ago
- Status changed from Assigned to Closed
This is also addressed by https://github.com/inliniac/suricata/pull/2153
Updated by Victor Julien over 8 years ago
- Assignee changed from Victor Julien to Andreas Herz
- Priority changed from High to Normal
- Target version changed from 70 to 3.1.1