Actions
Bug #3463
closedFaulty signature with two threshold keywords does not generate an error and never match
Affected Versions:
Effort:
Difficulty:
Label:
Needs backport
Description
alert http any any -> any any (msg:"CURL1"; flow:established,to_server; content:"GET"; http_method; content:"curl"; http_user_agent; threshold: type limit, track by_src, count 1 , seconds 60; sid:1;) alert http any any -> any any (msg:"CURL2"; flow:established,to_server; content:"GET"; http_method; content:"curl"; http_user_agent; threshold: type limit, track by_src, count 1 , seconds 60; threshold: type limit, track by_src, count 1 , seconds 60; sid:2;)
The first rule will trigger an alert, but the second one will not trigger an alert. The second one is faulty and contains two threshold fields. Rules that contains error is often listed in suricata.log and not loaded. It would be good if similar validation is performed on these cases.
Updated by Victor Julien almost 5 years ago
- Status changed from New to Assigned
- Assignee set to Jeff Lucovsky
- Priority changed from Low to Normal
- Target version set to 6.0.0beta1
- Label Needs backport added
I think the threshold per rule is supposed to be just present once, so lets make sure we enforce that.
Updated by Jeff Lucovsky over 4 years ago
- Status changed from Assigned to Closed
Updated by Jeff Lucovsky over 4 years ago
- Copied to Bug #3579: Faulty signature with two threshold keywords does not generate an error and never match added
Updated by Jeff Lucovsky over 4 years ago
- Copied to Bug #3580: Faulty signature with two threshold keywords does not generate an error and never match added
Actions