Project

General

Profile

Actions

Feature #2553

closed

support 'by_both' in threshold rule keyword

Added by David Lam over 6 years ago. Updated over 4 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Target version:
Effort:
low
Difficulty:
medium
Label:

Description

I am trying the new track "by_both" option for rule thresholding (https://github.com/OISF/suricata/pull/3056), but this option does not appear to work properly.
To test this option, I had created some test rules as follows:

alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"CUSTOM: HTTP Port Scan / DoS Abuse"; flow:to_server; flags: S; threshold: type both, track by_both, count 5, seconds 30; sid:4100005; nfq_set_mark:0x10/0x10;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"CUSTOM: SSL Port Scan / DoS Abuse"; flow:to_server; flags: S; threshold: type both, track by_both, count 5, seconds 30; sid:4100006; nfq_set_mark:0x10/0x10;)
alert tcp $HOME_NET any -> 50.56.19.116 80 (msg:"CUSTOM: TEST RULE"; flow:to_server; flags: S; sid:4100007;)

However, the "DoS Abuse" rule does not appear to be firing even though more than 5 SYNs have been seen by Suricata, as the log shows by me trying some rapid replays:
07/24/2018-20:34:51.916020 [**] [1:4100007:0] CUSTOM: TEST RULE [**] [Classification: (null)] [Priority: 3] {TCP} 10.9.0.2:51722 -> 50.56.19.116:80
07/24/2018-20:34:52.312409 [**] [1:4100007:0] CUSTOM: TEST RULE [**] [Classification: (null)] [Priority: 3] {TCP} 10.9.0.2:51723 -> 50.56.19.116:80
07/24/2018-20:34:52.616974 [**] [1:4100007:0] CUSTOM: TEST RULE [**] [Classification: (null)] [Priority: 3] {TCP} 10.9.0.2:51724 -> 50.56.19.116:80
07/24/2018-20:34:53.155103 [**] [1:4100007:0] CUSTOM: TEST RULE [**] [Classification: (null)] [Priority: 3] {TCP} 10.9.0.2:51727 -> 50.56.19.116:80
07/24/2018-20:34:53.423048 [**] [1:4100007:0] CUSTOM: TEST RULE [**] [Classification: (null)] [Priority: 3] {TCP} 10.9.0.2:51728 -> 50.56.19.116:80
07/24/2018-20:34:53.673993 [**] [1:4100007:0] CUSTOM: TEST RULE [**] [Classification: (null)] [Priority: 3] {TCP} 10.9.0.2:51729 -> 50.56.19.116:80
07/24/2018-20:34:53.919133 [**] [1:4100007:0] CUSTOM: TEST RULE [**] [Classification: (null)] [Priority: 3] {TCP} 10.9.0.2:51732 -> 50.56.19.116:80
07/24/2018-20:34:54.729542 [**] [1:4100007:0] CUSTOM: TEST RULE [**] [Classification: (null)] [Priority: 3] {TCP} 10.9.0.2:51733 -> 50.56.19.116:80
07/24/2018-20:34:54.984724 [**] [1:4100007:0] CUSTOM: TEST RULE [**] [Classification: (null)] [Priority: 3] {TCP} 10.9.0.2:51734 -> 50.56.19.116:80
07/24/2018-20:34:55.216626 [**] [1:4100007:0] CUSTOM: TEST RULE [**] [Classification: (null)] [Priority: 3] {TCP} 10.9.0.2:51735 -> 50.56.19.116:80

However, if I change the by_both option to by_src, then the rule would match successfully. This suggests to me that somehow the by_both option may not be working properly. This was tested on Suricata 4.0.5.

Thoughts?

Actions #1

Updated by Victor Julien over 6 years ago

This is a new feature in the 4.1 branch, so it's not part of 4.0.5. Did you not get parsing errors?

Actions #2

Updated by David Lam over 6 years ago

No parsing errors - didn't realize it wasn't in 4.0.5 yet - will give 4.1 a try - thanks.

Actions #3

Updated by David Lam over 6 years ago

Okay, looks like I am seeing the signature errors if I run suricata in the foreground (instead of the daemon service) - in 4.1rc1, it's still displaying these:

26/7/2018 -- 01:20:06 - <Notice> - all 8 packet processing threads, 4 management threads initialized, engine started.
26/7/2018 -- 01:20:06 - <Notice> - rule reload starting
26/7/2018 -- 01:20:06 - <Error> - [ERRCODE: SC_ERR_PCRE_MATCH(2)] - pcre_exec parse error, ret -1, string type both, track by_both, count 5, seconds 30
26/7/2018 -- 01:20:06 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"CUSTOM: HTTP Port Scan / DoS Abuse"; flow:to_server; flags: S; threshold: type both, track by_both, count 5, seconds 30; sid:4100005; nfq_set_mark:0x10/0x10;)" from file /usr/share/suricata/rules/CUSTOM.rules at line 13
26/7/2018 -- 01:20:06 - <Error> - [ERRCODE: SC_ERR_PCRE_MATCH(2)] - pcre_exec parse error, ret -1, string type both, track by_both, count 5, seconds 30
26/7/2018 -- 01:20:06 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"CUSTOM: SSL Port Scan / DoS Abuse"; flow:to_server; flags: S; threshold: type both, track by_both, count 5, seconds 30; sid:4100006; nfq_set_mark:0x10/0x10;)" from file /usr/share/suricata/rules/CUSTOM.rules at line 14
26/7/2018 -- 01:20:11 - <Info> - 31 rule files processed. 16081 rules successfully loaded, 2 rules failed

Is this feature only in the final 4.1 version?

Actions #4

Updated by Victor Julien over 6 years ago

  • Tracker changed from Bug to Feature
  • Subject changed from Threshold Track by_both Not Matching to support 'by_both' in threshold rule keyword
  • Assignee deleted (Ruslan Usmanov)
  • Target version set to TBD
  • Effort set to low
  • Difficulty set to medium
  • Affected Versions deleted (4.0.5)

I've checked the code and it seems 'by_both' is only implemented in one place: the rate_filter keyword that you can use in the threshold.config. So the above is expected behavior.

I'll change this into a feature ticket so it can be addressed.

Actions #5

Updated by Victor Julien over 6 years ago

  • Assignee set to Anonymous
Actions #6

Updated by Andreas Herz almost 6 years ago

  • Assignee set to Community Ticket
Actions #7

Updated by Todd Mortimer about 5 years ago

  • Status changed from New to Assigned
  • Assignee changed from Community Ticket to Todd Mortimer

Addressed in #2694

Actions #8

Updated by Todd Mortimer over 4 years ago

  • Status changed from Assigned to Resolved
Actions #9

Updated by David Lam over 4 years ago

Hi Todd - I just got an email saying it was resolved. Which version was this implemented in? Thanks.

Actions #10

Updated by Todd Mortimer over 4 years ago

David Lam wrote in #note-9:

Hi Todd - I just got an email saying it was resolved. Which version was this implemented in? Thanks.

It was merged in this PR: https://github.com/OISF/suricata/pull/4760 and tagged with 6.0.

Actions #11

Updated by David Lam over 4 years ago

Awesome thanks.

Actions #12

Updated by Victor Julien over 4 years ago

  • Status changed from Resolved to Closed
  • Target version changed from TBD to 6.0.0beta1
Actions

Also available in: Atom PDF