Support #2436

pcre_exec error

Added by K Lopez about 6 years ago. Updated about 6 years ago.

Status:
Closed
Priority:
Normal
Assignee:
-
Affected Versions:
Label:

Description

I'm trying to disable rules in the threshold.conf file. I use the example in the comments, and it throws an error, and doesn't suppress the rule. I'm not sure what I could be missing, but it's not behaving normally.

[ERRCODE: SC_ERR_PCRE_MATCH(2)] - pcre_exec parse error, ret -1, string suppress gen_id 1, sid_id 2100366
5/2/2018 -- 12:44:02 - <Error> - [ERRCODE: SC_ERR_PCRE_MATCH(2)] - pcre_exec parse error, ret -1, string suppress gen_id 1, sid_id 2100368

Actions #1

Updated by Victor Julien about 6 years ago

  • Description updated (diff)

Can you paste your threshold.conf?

Actions #2

Updated by K Lopez about 6 years ago

Sure thing. I scrubbed the IPs.

# Thresholding:
#
# This feature is used to reduce the number of logged alerts for noisy rules.
# Thresholding commands limit the number of times a particular event is logged
# during a specified time interval.
#
# The syntax is the following:
#
# threshold gen_id <gen_id>, sig_id <sig_id>, type <limit|threshold|both>, track <by_src|by_dst>, count <n>, seconds <t>
# event_filter gen_id <gen_id>, sig_id <sig_id>, type <limit|threshold|both>, track <by_src|by_dst>, count <n>, seconds <t>
# suppress gen_id <gid>, sig_id <sid>
# suppress gen_id <gid>, sig_id <sid>, track <by_src|by_dst>, ip <ip|subnet>
#
# The options are documented at https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Global-Thresholds
#
# Please note that thresholding can also be set inside a signature. The interaction between rule based thresholds
# and global thresholds is documented here:
# https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Global-Thresholds#Global-thresholds-vs-rule-thresholds

# Limit to 10 alerts every 10 seconds for each source host
#threshold gen_id 0, sig_id 0, type threshold, track by_src, count 10, seconds 10

# Limit to 1 alert every 10 seconds for signature with sid 2404000
#threshold gen_id 1, sig_id 2404000, type threshold, track by_dst, count 1, seconds 10

# Avoid to alert on f-secure update
# Example taken from http://blog.inliniac.net/2012/03/07/f-secure-av-updates-and-suricata-ips/
#suppress gen_id 1, sig_id 2009557, track by_src, ip 172.16.1.0/25
#suppress gen_id 1, sig_id 2012086, track by_src, ip 172.16.1.0/25
#suppress gen_id 1, sig_id 2003614, track by_src, ip 172.16.1.0/25

# ignore scanning by external fw scanner
suppress gen_id 1, sid_id 2001219, track by_src, ip 131.144.2.151

# ignore bots
#suppress gen_id 0, sid_id 0, track by_src, ip 192.168.0.1
#suppress gen_id 0, sid_id 0, track by_src, ip 192.168.1.0/24
#suppress gen_id 0, sid_id 0, track by_src, ip 172.16.0.0/24

# there are too many CnC nodes contacted via DNS
#suppress gen_id 0, sid_id 0, track by_src, ip 172.16.0.0/26

suppress gen_id 1, sid_id 2100366
suppress gen_id 1, sid_id 2100368

Actions #3

Updated by Victor Julien about 6 years ago

Those last 'sid_id' should be 'sig_id' I think.
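
The parse error quoted in the description is Suricata's threshold-file parser rejecting the whole line because the option keyword `sid_id` is not part of the documented syntax (the keyword is `sig_id`), so the suppression silently never takes effect. The following is an added example, not code from this thread or from the Suricata project: a small Python linter that checks every active line of a threshold.conf against the grammar given in the file's own header comments (threshold / event_filter / suppress, each a comma-separated list of "keyword value" pairs) and names the offending token before the file is deployed. The grammar is assumed from those comments only and is therefore stricter than Suricata's real parser; the sample lines are constructed from the ones posted in this thread plus their corrected form.

```python
"""Lint a Suricata threshold.conf against the syntax documented in its header comments.

Assumption: the grammar below is taken from the comment block quoted in the
thread, not from Suricata's own parser, so it is narrower than the real thing.
"""
import re

# Allowed option keywords per directive (from the documented syntax).
DIRECTIVES = {
    "threshold": {"gen_id", "sig_id", "type", "track", "count", "seconds"},
    "event_filter": {"gen_id", "sig_id", "type", "track", "count", "seconds"},
    "suppress": {"gen_id", "sig_id", "track", "ip"},
}

# Options that must be present for the line to be meaningful.
REQUIRED = {
    "threshold": {"gen_id", "sig_id", "type", "track", "count", "seconds"},
    "event_filter": {"gen_id", "sig_id", "type", "track", "count", "seconds"},
    "suppress": {"gen_id", "sig_id"},
}

# Value shape for each option keyword.
VALUE_RE = {
    "gen_id": r"\d+",
    "sig_id": r"\d+",
    "count": r"\d+",
    "seconds": r"\d+",
    "type": r"(limit|threshold|both)",
    "track": r"(by_src|by_dst)",
    "ip": r"[0-9a-fA-F.:]+(/\d+)?",   # IPv4/IPv6 address, optional prefix length
}


def lint_line(line):
    """Return None for a blank/comment/well-formed line, else a human-readable error."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    directive, _, rest = stripped.partition(" ")
    if directive not in DIRECTIVES:
        return f"unknown directive {directive!r}"
    seen = {}
    for pair in (p.strip() for p in rest.split(",")):
        parts = pair.split()
        if len(parts) != 2:
            return f"malformed option {pair!r}"
        key, value = parts
        if key not in DIRECTIVES[directive]:
            # The exact mistake from the thread: 'sid_id' where 'sig_id' is meant.
            hint = " (did you mean 'sig_id'?)" if key == "sid_id" else ""
            return f"unknown option {key!r} for {directive}{hint}"
        if not re.fullmatch(VALUE_RE[key], value):
            return f"bad value {value!r} for {key}"
        seen[key] = value
    missing = REQUIRED[directive] - seen.keys()
    if missing:
        return f"missing option(s) {sorted(missing)} for {directive}"
    # The documented suppress forms carry either neither or both of track/ip.
    if directive == "suppress" and ("track" in seen) != ("ip" in seen):
        return "suppress: 'track' and 'ip' must be given together"
    return None


def lint(text):
    """Return a list of (line_number, line, error) for every offending line."""
    findings = []
    for number, line in enumerate(text.splitlines(), 1):
        error = lint_line(line)
        if error:
            findings.append((number, line.strip(), error))
    return findings


# Constructed sample: the active lines from the posted threshold.conf, followed
# by the corrected spelling of the two suppress lines and one threshold line.
SAMPLE = """\
# ignore scanning by external fw scanner
suppress gen_id 1, sid_id 2001219, track by_src, ip 131.144.2.151
suppress gen_id 1, sid_id 2100366
suppress gen_id 1, sid_id 2100368
# corrected form
suppress gen_id 1, sig_id 2100366
suppress gen_id 1, sig_id 2100368
threshold gen_id 1, sig_id 2404000, type threshold, track by_dst, count 1, seconds 10
"""

if __name__ == "__main__":
    for number, line, error in lint(SAMPLE):
        print(f"line {number}: {error}\n    {line}")
```

Run against the sample, the linter reports lines 2, 3 and 4 (every line using `sid_id`) and accepts the corrected ones; note that the first active `suppress` line in the posted file has the same typo, so it is worth checking the whole file rather than only the two lines that appeared in the error log.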

Actions #4

Updated by Andreas Herz about 6 years ago

  • Tracker changed from Bug to Support
  • Assignee set to Anonymous
  • Target version set to Support
Actions #5

Updated by K Lopez about 6 years ago

That was the problem! User error.

Actions #6

Updated by Andreas Herz about 6 years ago

  • Status changed from New to Closed

Great :)
