Project

General

Profile

Actions
Copy link

Bug #1515

closed

Problem with Threshold.config when using more than one IP

Added by Guru Medidation over 9 years ago. Updated over 8 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Andreas Herz
Target version:
3.1.1
Affected Versions:
Effort:
Difficulty:
Label:

Description

Hi,

I discovered some off behaviours with threshold.config when using more than one IP.
Here is how I can reproduce the problem and test each time, using this rule:
"suppress gen_id 1, sig_id 2002026, track by_src, ip [your_ip, another_ip]"

this rule gets ignored if there are more than one ip within the brackets [ ] . To trigger it I just join my own IRC channel and write garbage in it. With one [IP] I dont see any alert... with 2 [IP] the alerts occur.

What is odd is that:
a) This works fine with Snort
b) I have plenty more rules with more than one IP and they do not get ignored by Suricata!

It seems this is also a problem with many IRC related rule (from 2002023 to 2002028)

Thanks.

Files

Download all files
test_msg.pcap (156 Bytes) test_msg.pcap IRC Message that still goes through even if suprressed in threshold Guru Medidation, 07/27/2015 04:09 AM
threshold.config (212 Bytes) threshold.config Guru Medidation, 07/27/2015 04:10 AM
Actions
Copy link

Also available in: Atom PDF