Problem with Threshold.config when using more than one IP
I discovered some odd behaviours with threshold.config when using more than one IP.
Here is how I can reproduce the problem and test each time, using this rule:
"suppress gen_id 1, sig_id 2002026, track by_src, ip [your_ip, another_ip]"
This rule gets ignored if there is more than one IP within the brackets [ ]. To trigger it I just join my own IRC channel and write garbage in it. With one [IP] I don't see any alert... with 2 [IP] the alerts occur.
What is odd is that:
a) This works fine with Snort
b) I have plenty more rules with more than one IP and they do not get ignored by Suricata!
It seems this is also a problem with many IRC related rules (from 2002023 to 2002028).
Updated by Guru Medidation about 7 years ago
I have attached a sample threshold.config and a single packet pcap file, enough to reproduce the issue.
I have also included 2 lines in the config file, one line that doesn't work (but should work) and one line that does work (and is commented).
Updated by Andreas Herz over 6 years ago
You should have received this error:
<Error> - [ERRCODE: SC_ERR_PCRE_MATCH(2)] - pcre_exec parse error, ret -1, string , track by_src, ip [192.168.1.10, 192.168.1.13, 192.168.1.20]
This triggers when you use a space after a comma; could you try this threshold:
suppress gen_id 1, sig_id 2002026, track by_src, ip [192.168.1.10,192.168.1.13,192.168.1.20]
That worked for me (with other IPs but the same rules).
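The pcre_exec error in the reply is the symptom of a strict list grammar: the IP list inside the brackets must be comma-separated with no whitespace, and a line that violates it is dropped instead of applied, so the suppression silently stops working. The following checker is an added example, not Suricata's own parser or any code from this thread; it assumes the grammar the reply describes (no space after the commas inside the brackets, whitespace after the commas between keywords tolerated) and lints a threshold.config, reporting each suppress line that would be rejected and proposing the normalized form.

```python
import re
from typing import List, Optional, Tuple

# Constructed approximation of the grammar described in the reply above:
# keywords separated by commas (whitespace after those commas tolerated),
# and an IP list in brackets that must not contain any whitespace.
# This is an educational checker, not Suricata's threshold parser.
SUPPRESS_RE = re.compile(
    r"^suppress\s+gen_id\s+(\d+),\s*sig_id\s+(\d+),\s*track\s+(by_src|by_dst),\s*"
    r"ip\s+(\[[^\]]*\]|\S+)\s*$"
)
# Strict list form: [a,b,c] with no spaces anywhere inside the brackets.
IP_LIST_RE = re.compile(r"^\[([^\s,\]]+(?:,[^\s,\]]+)*)\]$")


def check_suppress_line(line: str) -> Tuple[bool, str, Optional[str]]:
    """Validate one threshold.config line.

    Returns (ok, message, fixed_line); fixed_line is a suggested rewrite
    when the only problem is whitespace inside the IP list.
    """
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return True, "comment or blank line", None
    m = SUPPRESS_RE.match(stripped)
    if not m:
        return False, "unrecognized suppress syntax", None
    gen_id, sig_id, track, ip = m.groups()
    if ip.startswith("["):
        if IP_LIST_RE.match(ip):
            return True, "ok", None
        # Whitespace inside the brackets: the line would be rejected and the
        # suppression silently lost. Rebuild the list without the spaces.
        parts = [p.strip() for p in ip[1:-1].split(",") if p.strip()]
        fixed = (f"suppress gen_id {gen_id}, sig_id {sig_id}, "
                 f"track {track}, ip [{','.join(parts)}]")
        return False, "whitespace inside IP list (space after comma)", fixed
    return True, "ok", None


def lint_threshold_config(text: str) -> List[Tuple[int, str, Optional[str]]]:
    """Return (line_no, message, suggested_fix) for every rejected line."""
    findings = []
    for n, raw in enumerate(text.splitlines(), start=1):
        ok, msg, fixed = check_suppress_line(raw)
        if not ok:
            findings.append((n, msg, fixed))
    return findings


# Constructed sample modeled on the two lines the report describes:
# one that should work but is rejected, and the working form beside it.
SAMPLE = """\
# broken: spaces after the commas inside the IP list
suppress gen_id 1, sig_id 2002026, track by_src, ip [192.168.1.10, 192.168.1.13, 192.168.1.20]
# working form, same addresses
suppress gen_id 1, sig_id 2002026, track by_src, ip [192.168.1.10,192.168.1.13,192.168.1.20]
suppress gen_id 1, sig_id 2002023, track by_src, ip 192.168.1.10
"""

if __name__ == "__main__":
    for n, msg, fixed in lint_threshold_config(SAMPLE):
        print(f"line {n}: {msg}")
        if fixed:
            print(f"  suggested: {fixed}")
```

Running the checker over a config before reloading Suricata catches the rejected line up front rather than after noticing that alerts a suppression was meant to hide are still arriving; a single-address entry without brackets and the bracketed list without spaces both pass.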