Bug #1515

closed

Problem with Threshold.config when using more than one IP

Added by Guru Medidation about 7 years ago. Updated about 6 years ago.

Status:
Closed
Priority:
Normal

Description

Hi,

I discovered some odd behaviours with threshold.config when using more than one IP.
Here is how I can reproduce the problem and test each time, using this rule:
"suppress gen_id 1, sig_id 2002026, track by_src, ip [your_ip, another_ip]"

This rule gets ignored if there is more than one IP within the brackets [ ]. To trigger it I just join my own IRC channel and write garbage in it. With one [IP] I don't see any alert... with 2 [IP] the alerts occur.

What is odd is that:
a) This works fine with Snort
b) I have plenty more rules with more than one IP and they do not get ignored by Suricata!

It seems this is also a problem with many IRC related rules (from 2002023 to 2002028).

Thanks.


Files

test_msg.pcap (156 Bytes) test_msg.pcap IRC Message that still goes through even if suppressed in threshold Guru Medidation, 07/27/2015 04:09 AM
threshold.config (212 Bytes) threshold.config Guru Medidation, 07/27/2015 04:10 AM
Actions #1

Updated by Guru Medidation about 7 years ago

suricata -V shows the following:
Suricata version 2.1dev (rev 5f63691)

But I have been using VictorJ GIT Next-v5 branch by the way

Actions #2

Updated by Victor Julien about 7 years ago

  • Assignee set to OISF Dev
  • Priority changed from High to Normal
  • Target version set to 3.0RC1
Actions #3

Updated by Guru Medidation about 7 years ago

I have attached a sample threshold.config and a single packet pcap file, enough to reproduce the issue.

I have also included 2 lines in the config file, one line that doesn't work (but should work) and one line that does work (and is commented).

Actions #4

Updated by Guru Medidation about 7 years ago

Problem also confirmed on
Suricata version 2.1dev (rev 834c366)

Actions #5

Updated by Guru Medidation about 7 years ago

Actually, none of the rules with more than 1 IP get suppressed. So nothing special with the IRC related rules. Just a problem with threshold.config handling multiple IPs in [ ]

Updated by Guru Medidation about 7 years ago

Updated with attachment

Actions #7

Updated by Victor Julien about 7 years ago

  • Status changed from New to Assigned
  • Assignee changed from OISF Dev to Victor Julien
Actions #8

Updated by Victor Julien almost 7 years ago

  • Target version changed from 3.0RC1 to 70
Actions #9

Updated by Victor Julien over 6 years ago

  • Priority changed from Normal to High
Actions #10

Updated by Andreas Herz over 6 years ago

You should have received this error:

<Error> - [ERRCODE: SC_ERR_PCRE_MATCH(2)] - pcre_exec parse error, ret -1, string , track by_src, ip [192.168.1.10, 192.168.1.13, 192.168.1.20]

This triggers when you use space after comma, could you try this threshold:

suppress gen_id 1, sig_id 2002026, track by_src, ip [192.168.1.10,192.168.1.13,192.168.1.20]

That worked for me (with other IPs but same rules).
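
As an added example, not part of this ticket or of Suricata itself: a small Python linter that scans a threshold.config for the whitespace-after-comma form reported above and prints the compact form the comment says was accepted. It generalizes slightly by flagging any whitespace inside the bracketed list, not only a space after a comma; the regex, helper names and sample lines are my own construction.

```python
import re

# Hypothetical helper: matches the bracketed "ip [...]" list of a suppress line.
IP_LIST_RE = re.compile(r"\bip\s+\[([^\]]*)\]")


def check_threshold_line(line: str):
    """Return (normalized_line, problems) for one threshold.config line.

    A bracketed ip list containing whitespace is reported, since the pcre
    parse error quoted in this ticket appears for "ip [a, b]"; the
    normalized line has the whitespace stripped out ("ip [a,b]").
    """
    problems = []
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return line, problems  # blank lines and comments are left alone
    m = IP_LIST_RE.search(stripped)
    if not m:
        return line, problems  # no bracketed list, nothing to check
    raw = m.group(1)
    items = [x.strip() for x in raw.split(",")]
    if any(x == "" for x in items):
        problems.append("empty entry in ip list")
    if re.search(r"\s", raw):
        problems.append("whitespace inside ip list: [" + raw + "]")
    normalized = stripped[:m.start(1)] + ",".join(items) + stripped[m.end(1):]
    return normalized, problems


def lint_threshold_config(text: str):
    """Scan a whole file; return (lineno, normalized_line, problems) for bad lines."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        normalized, problems = check_threshold_line(line)
        if problems:
            findings.append((n, normalized, problems))
    return findings


# Constructed sample mirroring the two forms discussed in this ticket.
SAMPLE = """\
# rejected form: space after each comma
suppress gen_id 1, sig_id 2002026, track by_src, ip [192.168.1.10, 192.168.1.13, 192.168.1.20]
# accepted form
suppress gen_id 1, sig_id 2002026, track by_src, ip [192.168.1.10,192.168.1.13,192.168.1.20]
suppress gen_id 1, sig_id 2002023, track by_src, ip 192.168.1.10
"""

if __name__ == "__main__":
    for n, fixed, probs in lint_threshold_config(SAMPLE):
        print(f"line {n}: {'; '.join(probs)}")
        print(f"  suggested: {fixed}")
```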

Actions #11

Updated by Andreas Herz about 6 years ago

  • Status changed from Assigned to Closed
Actions #12

Updated by Victor Julien about 6 years ago

  • Assignee changed from Victor Julien to Andreas Herz
  • Priority changed from High to Normal
  • Target version changed from 70 to 3.1.1