Bug #160

Thresholds don't seem to be honored for icmp traffic.

Added by Will Metcalf almost 8 years ago. Updated almost 8 years ago.

Target version:
Affected Versions:


When processing the attached pcap suricata generates 57789 events where snort only generates 2 one for each src of the traffic and contained in the pcap . It appears as if this happens because suricata does not honor thresholds for icmp traffic.

oisf alerted more times than snort sid: 2003292 oisf:57789 snort:2
alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WORM Allaple ICMP Sweep Ping Outbound"; icode:0; itype:8; content:"Babcdefghijklmnopqrstuvwabcdefghi"; threshold: type both, count 1, seconds 60, track by_src; classtype:trojan-activity; reference:url,; reference:url,; reference:url,; reference:url,; sid:2003292; rev:7;)
sandnetallaple.pcap.gz (1020 KB) sandnetallaple.pcap.gz Allaple ICMP Sweep ping outbound sandnet pcap Will Metcalf, 05/16/2010 01:28 PM


#1 Updated by Will Metcalf almost 8 years ago

Just as an update it looks like we were missing detection to this sig previous to the following commit. So thresholding for ICMP may have been broken for some time.

commit 21a89e22de34fe116f519460f871ca9813087bba
Author: Gurvinder Singh <>
Date: Fri May 14 16:18:45 2010 +0200

fixed the segv caused by null payload due to incorrect icmpv6 decoding

#2 Updated by Victor Julien almost 8 years ago

  • Status changed from New to Closed
  • Assignee changed from OISF Dev to Victor Julien
  • % Done changed from 0 to 100
  • Estimated time changed from 2.50 h to 0.00 h

Fixed in next master.

Also available in: Atom PDF