Feature #2553
closedsupport 'by_both' in threshold rule keyword
Description
I am trying the new track "by_both" option for rule thresholding (https://github.com/OISF/suricata/pull/3056), but this option does not appear to work properly.
To test this option, I had created some test rules as follows:
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"CUSTOM: HTTP Port Scan / DoS Abuse"; flow:to_server; flags: S; threshold: type both, track by_both, count 5, seconds 30; sid:4100005; nfq_set_mark:0x10/0x10;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"CUSTOM: SSL Port Scan / DoS Abuse"; flow:to_server; flags: S; threshold: type both, track by_both, count 5, seconds 30; sid:4100006; nfq_set_mark:0x10/0x10;)
alert tcp $HOME_NET any -> 50.56.19.116 80 (msg:"CUSTOM: TEST RULE"; flow:to_server; flags: S; sid:4100007;)
However, the "DoS Abuse" rule does not appear to be firing even though more than 5 SYNs have been seen by Suricata, as the log shows by me trying some rapid replays:
07/24/2018-20:34:51.916020 [**] [1:4100007:0] CUSTOM: TEST RULE [**] [Classification: (null)] [Priority: 3] {TCP} 10.9.0.2:51722 -> 50.56.19.116:80
07/24/2018-20:34:52.312409 [**] [1:4100007:0] CUSTOM: TEST RULE [**] [Classification: (null)] [Priority: 3] {TCP} 10.9.0.2:51723 -> 50.56.19.116:80
07/24/2018-20:34:52.616974 [**] [1:4100007:0] CUSTOM: TEST RULE [**] [Classification: (null)] [Priority: 3] {TCP} 10.9.0.2:51724 -> 50.56.19.116:80
07/24/2018-20:34:53.155103 [**] [1:4100007:0] CUSTOM: TEST RULE [**] [Classification: (null)] [Priority: 3] {TCP} 10.9.0.2:51727 -> 50.56.19.116:80
07/24/2018-20:34:53.423048 [**] [1:4100007:0] CUSTOM: TEST RULE [**] [Classification: (null)] [Priority: 3] {TCP} 10.9.0.2:51728 -> 50.56.19.116:80
07/24/2018-20:34:53.673993 [**] [1:4100007:0] CUSTOM: TEST RULE [**] [Classification: (null)] [Priority: 3] {TCP} 10.9.0.2:51729 -> 50.56.19.116:80
07/24/2018-20:34:53.919133 [**] [1:4100007:0] CUSTOM: TEST RULE [**] [Classification: (null)] [Priority: 3] {TCP} 10.9.0.2:51732 -> 50.56.19.116:80
07/24/2018-20:34:54.729542 [**] [1:4100007:0] CUSTOM: TEST RULE [**] [Classification: (null)] [Priority: 3] {TCP} 10.9.0.2:51733 -> 50.56.19.116:80
07/24/2018-20:34:54.984724 [**] [1:4100007:0] CUSTOM: TEST RULE [**] [Classification: (null)] [Priority: 3] {TCP} 10.9.0.2:51734 -> 50.56.19.116:80
07/24/2018-20:34:55.216626 [**] [1:4100007:0] CUSTOM: TEST RULE [**] [Classification: (null)] [Priority: 3] {TCP} 10.9.0.2:51735 -> 50.56.19.116:80
However, if I change the by_both option to by_src, then the rule would match successfully. This suggests to me that somehow the by_both option may not be working properly. This was tested on Suricata 4.0.5.
Thoughts?
Updated by Victor Julien over 6 years ago
This is a new feature in the 4.1 branch, so it's not part of 4.0.5. Did you not get parsing errors?
Updated by David Lam over 6 years ago
No parsing errors - didn't realize it wasn't in 4.0.5 yet - will give 4.1 a try - thanks.
Updated by David Lam over 6 years ago
Okay, looks like I am seeing the signature errors if I run suricata in the foreground (instead of the daemon service) - in 4.1rc1, it's still displaying these:
26/7/2018 -- 01:20:06 - <Notice> - all 8 packet processing threads, 4 management threads initialized, engine started. 26/7/2018 -- 01:20:06 - <Notice> - rule reload starting 26/7/2018 -- 01:20:06 - <Error> - [ERRCODE: SC_ERR_PCRE_MATCH(2)] - pcre_exec parse error, ret -1, string type both, track by_both, count 5, seconds 30 26/7/2018 -- 01:20:06 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"CUSTOM: HTTP Port Scan / DoS Abuse"; flow:to_server; flags: S; threshold: type both, track by_both, count 5, seconds 30; sid:4100005; nfq_set_mark:0x10/0x10;)" from file /usr/share/suricata/rules/CUSTOM.rules at line 13 26/7/2018 -- 01:20:06 - <Error> - [ERRCODE: SC_ERR_PCRE_MATCH(2)] - pcre_exec parse error, ret -1, string type both, track by_both, count 5, seconds 30 26/7/2018 -- 01:20:06 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"CUSTOM: SSL Port Scan / DoS Abuse"; flow:to_server; flags: S; threshold: type both, track by_both, count 5, seconds 30; sid:4100006; nfq_set_mark:0x10/0x10;)" from file /usr/share/suricata/rules/CUSTOM.rules at line 14 26/7/2018 -- 01:20:11 - <Info> - 31 rule files processed. 16081 rules successfully loaded, 2 rules failed
Is this feature only in the final 4.1 version?
Updated by Victor Julien over 6 years ago
- Tracker changed from Bug to Feature
- Subject changed from Threshold Track by_both Not Matching to support 'by_both' in threshold rule keyword
- Assignee deleted (
Ruslan Usmanov) - Target version set to TBD
- Effort set to low
- Difficulty set to medium
- Affected Versions deleted (
4.0.5)
I've checked the code and it seems 'by_both' is only implemented in one place: the rate_filter keyword that you can use in the threshold.config. So the above is expected behavior.
I'll change this into a feature ticket so it can be addressed.
Updated by Todd Mortimer about 5 years ago
- Status changed from New to Assigned
- Assignee changed from Community Ticket to Todd Mortimer
Addressed in #2694
Updated by Todd Mortimer over 4 years ago
- Status changed from Assigned to Resolved
Updated by David Lam over 4 years ago
Hi Todd - I just got an email saying it was resolved. Which version was this implemented in? Thanks.
Updated by Todd Mortimer over 4 years ago
David Lam wrote in #note-9:
Hi Todd - I just got an email saying it was resolved. Which version was this implemented in? Thanks.
It was merged in this PR: https://github.com/OISF/suricata/pull/4760 and tagged with 6.0.
Updated by Victor Julien over 4 years ago
- Status changed from Resolved to Closed
- Target version changed from TBD to 6.0.0beta1