Bug #1927

closed

rate_filter not working as expected - references to bug #425

Added by Bjørn Ruberg over 7 years ago. Updated over 6 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Target version:
-
Affected Versions:
Effort:
Difficulty:
Label:

Description

When introducing rate_filter in threshold.config, certain rules cannot be rate filtered due to bug #425.

I wish to rate limit the alerts raised from a Suricata sensor in front of a honeypot, particularly the ET rules 2001219 and 2019876. However, it seems bug #425 prevents modifying the alert behaviour.

This is my threshold.config extract:
rate_filter gen_id 1, sig_id 2019876, track by_src, count 2, seconds 600, new_action pass, timeout 3600
rate_filter gen_id 1, sig_id 2001219, track by_src, count 2, seconds 600, new_action pass, timeout 3600

emerging-scan.rules:
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"ET SCAN Potential SSH Scan"; flow:to_server; flags:S,12; threshold: type both, track by_src, count 5, seconds 120; reference:url,en.wikipedia.org/wiki/Brute_force_attack; reference:url,doc.emergingthreats.net/2001219; classtype:attempted-recon; sid:2001219; rev:20;)
alert ssh $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN SSH BruteForce Tool with fake PUTTY version"; flow:established,to_server; ssh.softwareversion:"PUTTY"; threshold: type limit, track by_src, count 1, seconds 30; classtype:network-scan; sid:2019876; rev:4;)

sid-msg.map (if useful):
2001219 || ET SCAN Potential SSH Scan || url,doc.emergingthreats.net/2001219 || url,en.wikipedia.org/wiki/Brute_force_attack
2019876 || ET SCAN SSH BruteForce Tool with fake PUTTY version

When restarting, the following messages appear in Suricata's suricata.log:
19/10/2016 -- 08:44:51 - <Warning> - [ERRCODE: SC_ERR_EVENT_ENGINE(210)] - signature sid:2019876 has a threshold set. The signature event var is given precedence over the threshold.conf one. Bug #425.
19/10/2016 -- 08:44:51 - <Warning> - [ERRCODE: SC_ERR_EVENT_ENGINE(210)] - signature sid:2001219 has a threshold set. The signature event var is given precedence over the threshold.conf one. Bug #425.

During normal operations, the alerts appear more often than I would like (hence the need for a working rate_filter). Below is a redacted log extract:
10/19/2016-10:32:35.979516 [**] [1:2019876:4] ET SCAN SSH BruteForce Tool with fake PUTTY version [**] [Classification: Detection of a Network Scan] [Priority: 3] {TCP} 116.31.116.10:17633 -> 10.10.10.10:22
10/19/2016-10:33:14.594325 [**] [1:2019876:4] ET SCAN SSH BruteForce Tool with fake PUTTY version [**] [Classification: Detection of a Network Scan] [Priority: 3] {TCP} 116.31.116.10:20640 -> 10.10.10.10:22
10/19/2016-10:33:55.053070 [**] [1:2019876:4] ET SCAN SSH BruteForce Tool with fake PUTTY version [**] [Classification: Detection of a Network Scan] [Priority: 3] {TCP} 116.31.116.10:22975 -> 10.10.10.10:22
10/19/2016-10:34:37.779504 [**] [1:2019876:4] ET SCAN SSH BruteForce Tool with fake PUTTY version [**] [Classification: Detection of a Network Scan] [Priority: 3] {TCP} 116.31.116.10:16226 -> 10.10.10.10:22
10/19/2016-10:35:23.671759 [**] [1:2001219:20] ET SCAN Potential SSH Scan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 116.31.116.10:60761 -> 10.10.10.10:22
10/19/2016-10:35:26.331930 [**] [1:2019876:4] ET SCAN SSH BruteForce Tool with fake PUTTY version [**] [Classification: Detection of a Network Scan] [Priority: 3] {TCP} 116.31.116.10:60761 -> 10.10.10.10:22
10/19/2016-10:36:03.940098 [**] [1:2019876:4] ET SCAN SSH BruteForce Tool with fake PUTTY version [**] [Classification: Detection of a Network Scan] [Priority: 3] {TCP} 116.31.116.10:14664 -> 10.10.10.10:22
10/19/2016-10:36:44.941403 [**] [1:2019876:4] ET SCAN SSH BruteForce Tool with fake PUTTY version [**] [Classification: Detection of a Network Scan] [Priority: 3] {TCP} 116.31.116.10:52592 -> 10.10.10.10:22
10/19/2016-10:37:22.424189 [**] [1:2019876:4] ET SCAN SSH BruteForce Tool with fake PUTTY version [**] [Classification: Detection of a Network Scan] [Priority: 3] {TCP} 116.31.116.10:50077 -> 10.10.10.10:22
10/19/2016-10:38:02.597054 [**] [1:2001219:20] ET SCAN Potential SSH Scan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 116.31.116.10:24414 -> 10.10.10.10:22
10/19/2016-10:38:04.763336 [**] [1:2019876:4] ET SCAN SSH BruteForce Tool with fake PUTTY version [**] [Classification: Detection of a Network Scan] [Priority: 3] {TCP} 116.31.116.10:24414 -> 10.10.10.10:22
10/19/2016-10:38:44.839945 [**] [1:2019876:4] ET SCAN SSH BruteForce Tool with fake PUTTY version [**] [Classification: Detection of a Network Scan] [Priority: 3] {TCP} 116.31.116.10:23111 -> 10.10.10.10:22
10/19/2016-10:39:19.451033 [**] [1:2001219:20] ET SCAN Potential SSH Scan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 116.31.116.10:64639 -> 10.10.10.10:22
10/19/2016-10:39:20.260406 [**] [1:2019876:4] ET SCAN SSH BruteForce Tool with fake PUTTY version [**] [Classification: Detection of a Network Scan] [Priority: 3] {TCP} 116.31.116.10:64639 -> 10.10.10.10:22
10/19/2016-10:39:58.014941 [**] [1:2019876:4] ET SCAN SSH BruteForce Tool with fake PUTTY version [**] [Classification: Detection of a Network Scan] [Priority: 3] {TCP} 116.31.116.10:51726 -> 10.10.10.10:22
10/19/2016-10:40:45.485108 [**] [1:2019876:4] ET SCAN SSH BruteForce Tool with fake PUTTY version [**] [Classification: Detection of a Network Scan] [Priority: 3] {TCP} 116.31.116.10:48769 -> 10.10.10.10:22
10/19/2016-10:41:19.864826 [**] [1:2019876:4] ET SCAN SSH BruteForce Tool with fake PUTTY version [**] [Classification: Detection of a Network Scan] [Priority: 3] {TCP} 116.31.116.10:51618 -> 10.10.10.10:22

Attached is a (redacted) pcap that triggers the alerts I would want to rate limit.


Files

outfile.pcap (17.2 KB) Bjørn Ruberg, 10/19/2016 04:11 AM
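To make the expected effect of the two rate_filter lines concrete, here is a small model written for this issue (it is not Suricata code and not the reporter's): it parses the fast.log lines quoted above and applies `track by_src, count 2, seconds 600, new_action pass, timeout 3600` per source address, so that once the rule-level threshold no longer takes precedence, the third and later alerts from 116.31.116.10 for sid 2019876 would be suppressed for an hour while sid 2001219 is left to its own filter. The exact count boundary (the count-th event still alerts) and reading `pass` as "no alert" are assumptions of this model.

```python
import re
from datetime import datetime, timedelta
# Layout of a Suricata fast.log line, as in the extract quoted in the issue.
FASTLOG_RE = re.compile(
    r"^(?P<ts>\S+) \[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) \[\*\*\] .*"
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$")
def parse_fastlog(line):
    """Parse one fast.log line into a dict (ts as datetime, ids and ports as int); None if unparsable."""
    m = FASTLOG_RE.match(line.strip())
    if m is None:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%m/%d/%Y-%H:%M:%S.%f")
    ev.update((k, int(ev[k])) for k in ("gid", "sid", "rev", "sport", "dport"))
    return ev

class RateFilter:
    """Model of one threshold.config rate_filter line: more than `count` events for the tracked
    key inside `seconds` switches to `new_action` for `timeout` seconds (boundary is an assumption)."""
    def __init__(self, sid, track, count, seconds, new_action, timeout):
        self.sid, self.track, self.count, self.new_action = sid, track, count, new_action
        self.seconds, self.timeout = timedelta(seconds=seconds), timedelta(seconds=timeout)
        self.window = {}   # key (source IP for track by_src) -> (window start, events counted)
        self.until = {}    # key -> time at which new_action stops applying
    def apply(self, ev, default="alert"):
        if ev["sid"] != self.sid:
            return default                                  # filter is not for this signature
        key, ts = ev[self.track], ev["ts"]
        if key in self.until and ts < self.until[key]:
            return self.new_action                          # still inside the timeout
        self.until.pop(key, None)                           # timeout over (or never set)
        start, n = self.window.get(key, (ts, 0))
        if ts - start > self.seconds:
            start, n = ts, 0                                # window expired, open a new one
        if n + 1 > self.count:
            self.until[key] = ts + self.timeout             # threshold crossed: switch action
            self.window.pop(key, None)
            return self.new_action
        self.window[key] = (start, n + 1)
        return default
def run(lines, rf):
    return [rf.apply(ev) for ev in map(parse_fastlog, lines) if ev is not None]
# Five lines quoted from the fast.log extract in the issue above (four for sid 2019876, one for 2001219).
SAMPLE = """\
10/19/2016-10:32:35.979516 [**] [1:2019876:4] ET SCAN SSH BruteForce Tool with fake PUTTY version [**] [Classification: Detection of a Network Scan] [Priority: 3] {TCP} 116.31.116.10:17633 -> 10.10.10.10:22
10/19/2016-10:33:14.594325 [**] [1:2019876:4] ET SCAN SSH BruteForce Tool with fake PUTTY version [**] [Classification: Detection of a Network Scan] [Priority: 3] {TCP} 116.31.116.10:20640 -> 10.10.10.10:22
10/19/2016-10:33:55.053070 [**] [1:2019876:4] ET SCAN SSH BruteForce Tool with fake PUTTY version [**] [Classification: Detection of a Network Scan] [Priority: 3] {TCP} 116.31.116.10:22975 -> 10.10.10.10:22
10/19/2016-10:34:37.779504 [**] [1:2019876:4] ET SCAN SSH BruteForce Tool with fake PUTTY version [**] [Classification: Detection of a Network Scan] [Priority: 3] {TCP} 116.31.116.10:16226 -> 10.10.10.10:22
10/19/2016-10:35:23.671759 [**] [1:2001219:20] ET SCAN Potential SSH Scan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 116.31.116.10:60761 -> 10.10.10.10:22
"""
```

Running `run(SAMPLE.splitlines(), RateFilter(2019876, "src", 2, 600, "pass", 3600))` yields alert, alert, pass, pass, alert: the first two PUTTY alerts fire, the rest are suppressed for the timeout, and the unrelated sid is untouched.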
#1

Updated by Andreas Herz over 7 years ago

  • Assignee set to OISF Dev
  • Target version set to TBD

What version of suricata are you running?

Would changing the rules be a valid workaround for that issue?

#2

Updated by Andreas Herz over 6 years ago

  • Status changed from New to Closed

Closed due to no response

#3

Updated by Victor Julien over 6 years ago

  • Target version deleted (TBD)