Bug #3579


Faulty signature with two threshold keywords does not generate an error and never match

Added by Jeff Lucovsky about 6 years ago. Updated almost 6 years ago.

Status: Closed
Priority: Immediate

Description

alert http any any -> any any (msg:"CURL1"; flow:established,to_server; content:"GET"; http_method;  content:"curl"; http_user_agent; threshold: type limit, track by_src, count 1 , seconds 60; sid:1;)
alert http any any -> any any (msg:"CURL2"; flow:established,to_server; content:"GET"; http_method;  content:"curl"; http_user_agent; threshold: type limit, track by_src, count 1 , seconds 60; threshold: type limit, track by_src, count 1 , seconds 60; sid:2;)

The first rule will trigger an alert, but the second one will not trigger an alert. The second one is faulty and contains two threshold fields. Rules that contain errors are often listed in suricata.log and not loaded. It would be good if similar validation is performed on these cases.
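
A pre-load lint for the condition reported above, as an added example that is not part of the original report or of Suricata's own code: it splits each rule's options on unquoted, unescaped semicolons and flags any rule that repeats `threshold`. Rules 1 and 2 in the sample are the ones from the report; rule 3 is constructed, and treating any keyword other than `threshold` as single-use would be an assumption.

```python
from collections import Counter

# Keywords treated as valid at most once per rule. Only `threshold` is
# confirmed by the report above; extending this set is an assumption.
SINGLE_USE = {"threshold"}

def split_options(rule):
    """Split the text inside a rule's parentheses into individual options."""
    start, end = rule.find("("), rule.rfind(")")
    if start == -1 or end <= start:
        raise ValueError("rule has no option block")
    opts, buf, in_quote, escaped = [], [], False, False
    for ch in rule[start + 1:end]:
        if escaped:                       # character after a backslash is literal
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == '"':
            in_quote = not in_quote
        elif ch == ";" and not in_quote:  # unquoted ';' terminates an option
            if "".join(buf).strip():
                opts.append("".join(buf).strip())
            buf = []
            continue
        buf.append(ch)
    return opts

def lint(rules_text, single_use=SINGLE_USE):
    """Return (line number, sid, repeated keywords) for each offending rule."""
    findings = []
    for lineno, line in enumerate(rules_text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        pairs = [opt.partition(":") for opt in split_options(line)]
        counts = Counter(name.strip().lower() for name, _, _ in pairs)
        dups = sorted(k for k in single_use if counts[k] > 1)
        if dups:
            sid = next((v.strip() for n, _, v in pairs if n.strip() == "sid"), None)
            findings.append((lineno, sid, dups))
    return findings

# Rules 1 and 2 are from the report; rule 3 is constructed for this example.
SAMPLE = r'''alert http any any -> any any (msg:"CURL1"; flow:established,to_server; content:"GET"; http_method;  content:"curl"; http_user_agent; threshold: type limit, track by_src, count 1 , seconds 60; sid:1;)
alert http any any -> any any (msg:"CURL2"; flow:established,to_server; content:"GET"; http_method;  content:"curl"; http_user_agent; threshold: type limit, track by_src, count 1 , seconds 60; threshold: type limit, track by_src, count 1 , seconds 60; sid:2;)
alert http any any -> any any (msg:"CURL3\; threshold: in msg text"; content:"curl"; http_user_agent; threshold: type limit, track by_src, count 1, seconds 60; sid:3;)'''

if __name__ == "__main__":
    for lineno, sid, dups in lint(SAMPLE):
        print(f"line {lineno}: sid {sid}: repeated keyword(s): {', '.join(dups)}")
```

Rule 3 shows why the splitter tracks quotes and escapes: the word `threshold:` inside its `msg` text is not counted as a second keyword.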


Related issues 1 (0 open, 1 closed)

Copied from Suricata - Bug #3463: Faulty signature with two threshold keywords does not generate an error and never match (Closed, Jeff Lucovsky)

Updated by Jeff Lucovsky about 6 years ago #1

  • Copied from Bug #3463: Faulty signature with two threshold keywords does not generate an error and never match added

Updated by Shivani Bhardwaj almost 6 years ago #2

  • Priority changed from Normal to Immediate

Updated by Shivani Bhardwaj almost 6 years ago #3

  • Status changed from Assigned to In Review

Updated by Shivani Bhardwaj almost 6 years ago #4

  • Status changed from In Review to Closed