Project

General

Profile

Actions

Bug #274

closed

Suppression rules parsing issue

Added by Dave Porcello over 10 years ago. Updated about 10 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

I’m running 1.0.2 stable on FreeBSD 7.1-RELEASE-p11 and have been having some issues with suppression using threshold.config. I have the following directive in my suricata.yaml:

threshold-file: /usr/local/etc/suricata/threshold.config

And here’s my threshold.config:

suppress gen_id 0, sig_id 0, track by_src, ip 10.99.0.0/16
suppress gen_id 0, sig_id 0, track by_dst, ip 10.99.0.0/16
suppress gen_id 0, sig_id 0, track by_src, ip 10.88.0.14
suppress gen_id 0, sig_id 0, track by_dst, ip 10.88.0.14
suppress gen_id 1, sig_id 2000328
suppress gen_id 1, sig_id 2003195

I’m trying to suppress all alerts involving the above subnets/IPs/rules, but I’m still receiving alerts for them. Example:

02/25/11-19:43:10.803231 [**] [1:653:9] GPL SHELLCODE x86 0x90 unicode NOOP [**] [Classification: Executable code was detected] [Priority: 3] {6} 10.88.0.35:3545 -> 10.99.0.133:80

And I see the following errors during Suricata startup:

[100164] 25/2/2011 -- 14:51:00 - (util-threshold-config.c:204) <Error> (SCThresholdConfAddThresholdtype) -- [ERRCODE: SC_ERR_PCRE_MATCH(2)] - pcre_exec parse error, ret 1, string suppress gen_id 1, sig_id 0, track by_src, ip 10.99.0.0/16
[100164] 25/2/2011 -
14:51:00 - (util-threshold-config.c:204) <Error> (SCThresholdConfAddThresholdtype) -- [ERRCODE: SC_ERR_PCRE_MATCH(2)] - pcre_exec parse error, ret 1, string suppress gen_id 1, sig_id 0, track by_dst, ip 10.99.0.0/16
[100164] 25/2/2011 -
14:51:00 - (util-threshold-config.c:204) <Error> (SCThresholdConfAddThresholdtype) -- [ERRCODE: SC_ERR_PCRE_MATCH(2)] - pcre_exec parse error, ret 1, string suppress gen_id 1, sig_id 0, track by_src, ip 10.88.0.14
[100164] 25/2/2011 -
14:51:00 - (util-threshold-config.c:204) <Error> (SCThresholdConfAddThresholdtype) -- [ERRCODE: SC_ERR_PCRE_MATCH(2)] - pcre_exec parse error, ret 1, string suppress gen_id 1, sig_id 0, track by_dst, ip 10.88.0.14
[100164] 25/2/2011 -
14:51:00 - (util-threshold-config.c:204) <Error> (SCThresholdConfAddThresholdtype) -- [ERRCODE: SC_ERR_PCRE_MATCH(2)] - pcre_exec parse error, ret 1, string suppress gen_id 1, sig_id 2000328
[100164] 25/2/2011 -
14:51:00 - (util-threshold-config.c:204) <Error> (SCThresholdConfAddThresholdtype) -- [ERRCODE: SC_ERR_PCRE_MATCH(2)] - pcre_exec parse error, ret -1, string suppress gen_id 1, sig_id 2003195

This seems to relate to bug #172:
https://redmine.openinfosecfoundation.org/issues/172

Also confirmed to be an issue in 1.1beta1 and 1.0.1.

Actions #1

Updated by Victor Julien over 10 years ago

When looking at this in the code, I found this statement: "\todo Need to support suppress". So it's not supported currently. I'll try to get it added asap.

Actions #2

Updated by Victor Julien about 10 years ago

  • Status changed from New to Closed
  • Assignee changed from Victor Julien to Eric Leblond
  • Target version set to 1.1beta3
  • % Done changed from 0 to 100

Just applied Eric's patches for this. Thanks Eric.

Actions

Also available in: Atom PDF