Bug #1515
Problem with Threshold.config when using more than one IP
Status: closed
Affected Versions:
Effort:
Difficulty:
Label:
Description
Hi,
I discovered some odd behaviours with threshold.config when using more than one IP.
Here is how I can reproduce the problem and test each time, using this rule:
"suppress gen_id 1, sig_id 2002026, track by_src, ip [your_ip, another_ip]"
This rule gets ignored if there is more than one IP within the brackets [ ]. To trigger it I just join my own IRC channel and write garbage in it. With one [IP] I don't see any alert... with 2 [IP] the alerts occur.
What is odd is that:
a) This works fine with Snort
b) I have plenty more rules with more than one IP and they do not get ignored by Suricata!
It seems this is also a problem with many IRC-related rules (from 2002023 to 2002028).
Thanks.
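To make the expected semantics of the reported rule concrete, here is an added example that is not part of the bug report or of Suricata's own code: a small Python evaluator for threshold.config `suppress` lines that treats a bracketed IP list exactly like a single IP, so a source in either position of `ip [a, b]` suppresses the alert. The sample config lines, the addresses (documentation ranges), and the function names are constructed for this illustration; the evaluator also handles CIDR entries and `!` negation inside the list, which goes beyond the two-address case in the report.

```python
"""Added example: evaluate threshold.config 'suppress' lines with IP lists.

This is not Suricata's implementation; it only models the documented
semantics (gen_id/sig_id match, track by_src/by_dst, ip as a single
address, a CIDR, or a bracketed comma-separated list with optional '!').
"""
import ipaddress
import re

# Constructed sample threshold.config (hypothetical addresses from
# RFC 5737 documentation ranges), mirroring the shapes in the report.
SAMPLE_THRESHOLD_CONFIG = """
# single IP
suppress gen_id 1, sig_id 2002026, track by_src, ip 192.0.2.10
# two IPs in brackets, the case the report says is ignored
suppress gen_id 1, sig_id 2002027, track by_src, ip [192.0.2.10, 198.51.100.7]
# CIDR plus a negated host inside the list, tracked by destination
suppress gen_id 1, sig_id 2002028, track by_dst, ip [10.0.0.0/8, !10.1.2.3]
"""

_SUPPRESS_RE = re.compile(
    r"^suppress\s+gen_id\s+(\d+)\s*,\s*sig_id\s+(\d+)"
    r"(?:\s*,\s*track\s+(by_src|by_dst|by_either)\s*,\s*ip\s+(.+))?$"
)


def _parse_ip_list(spec):
    """Turn 'a', '[a, b]' or '[a, !b]' into a list of (negated, network)."""
    spec = spec.strip()
    if spec.startswith("[") and spec.endswith("]"):
        spec = spec[1:-1]
    entries = []
    for tok in spec.split(","):
        tok = tok.strip()
        if not tok:
            continue
        negated = tok.startswith("!")
        if negated:
            tok = tok[1:].strip()
        # strict=False lets a bare host address parse as a /32 or /128
        entries.append((negated, ipaddress.ip_network(tok, strict=False)))
    return entries


def parse_suppress_rules(text):
    """Parse every non-comment suppress line; raise on unknown syntax."""
    rules = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = _SUPPRESS_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: unrecognised suppress line: {line}")
        gid, sid, track, ips = m.groups()
        rules.append({
            "gen_id": int(gid),
            "sig_id": int(sid),
            "track": track,
            "ips": _parse_ip_list(ips) if ips else None,  # None: suppress everywhere
        })
    return rules


def _ip_matches(entries, addr):
    """Negated entries exclude first; then any positive entry must contain addr.

    A list made only of negations matches everything not excluded.
    """
    addr = ipaddress.ip_address(addr)
    negatives = [net for neg, net in entries if neg]
    positives = [net for neg, net in entries if not neg]
    if any(addr in net for net in negatives):
        return False
    if not positives:
        return True
    return any(addr in net for net in positives)


def is_suppressed(rules, gen_id, sig_id, src_ip, dst_ip):
    """Return True if an alert (gen_id, sig_id, src, dst) hits a suppress rule."""
    for r in rules:
        if r["gen_id"] != gen_id or r["sig_id"] != sig_id:
            continue
        if r["ips"] is None:
            return True
        track = r["track"]
        if track in ("by_src", "by_either") and _ip_matches(r["ips"], src_ip):
            return True
        if track in ("by_dst", "by_either") and _ip_matches(r["ips"], dst_ip):
            return True
    return False


if __name__ == "__main__":
    rules = parse_suppress_rules(SAMPLE_THRESHOLD_CONFIG)
    for sid, src in ((2002026, "192.0.2.10"), (2002027, "198.51.100.7")):
        print(sid, src, "suppressed" if is_suppressed(rules, 1, sid, src, "203.0.113.1") else "alerts")
```

Running the file prints one line per probe; the useful check is that sig_id 2002027 is suppressed for the second address in the bracketed list just as it is for the first, which is the behaviour the report expects and says is missing.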
Files
Updated by Victor Julien over 9 years ago
- Assignee set to OISF Dev
- Priority changed from High to Normal
- Target version set to 3.0RC1
Updated by Guru Medidation over 9 years ago
- File test_msg.pcap added
- File threshold.config added
Updated by Victor Julien over 9 years ago
- Status changed from New to Assigned
- Assignee changed from OISF Dev to Victor Julien
Updated by Victor Julien over 8 years ago
- Assignee changed from Victor Julien to Andreas Herz
- Priority changed from High to Normal
- Target version changed from 70 to 3.1.1