<p>Open Information Security Foundation, https://redmine.openinfosecfoundation.org/</p>
<p>Suricata - Bug #366: suppress (threshold.config) does not work with "track by_src"</p>
<p>Updated by Victor Julien (victor@inliniac.net) on 2011-11-01T14:54:18Z: https://redmine.openinfosecfoundation.org/issues/366?journal_id=1340</p>
<p>I tested with your settings and a pcap created from downloading that URL and it works fine. Can you provide a real reproducible test case with (small) pcaps?</p>
<p>Updated by Peter Manev (petermanev@gmail.com) on 2011-11-02T03:48:35Z: https://redmine.openinfosecfoundation.org/issues/366?journal_id=1341</p>
<ul><li><strong>File</strong> <a href="/attachments/663">suppresstest.pcap</a> added</li><li><strong>File</strong> <a href="/attachments/664">supress.rule</a> added</li><li><strong>File</strong> <a href="/attachments/665">threshold.config</a> added</li><li><strong>File</strong> <a href="/attachments/666">suricata.yaml</a> added</li></ul><p>Did some more testing and I think we have pinpointed the issue.</p>
<p>suppress gen_id 1, sig_id 5001684, track by_dst, ip 192.168.137.19<br />suppress gen_id 1, sig_id 5001684, track by_dst, ip 192.168.137.20<br />#with the above 2 rules, if enabled both at the same time - it does not work as supposed (does not suppress the alert)<br />#if we enable only one (or change the sig_id of one of the rules and enable both), it does work (alerts are suppressed) - the same situation below with "track by_src"</p>
<p>#if you enable both of the rules below - an alert would be generated with suppresstest.pcap (although it should not)<br />#if it is only one suppress rule enabled (82.96.58.41) - it works as expected - suppresses the alert<br />#suppress gen_id 1, sig_id 5001684, track by_src, ip 82.96.58.41<br />#suppress gen_id 1, sig_id 5001684, track by_src, ip 5.5.5.5</p>
<p>#with both below rules enabled - suricata works as expected (notice the difference between the sig_id)<br />#suppress gen_id 1, sig_id 1234567, track by_src, ip 5.5.5.5<br />#suppress gen_id 1, sig_id 5001684, track by_src, ip 82.96.58.41</p>
<p>#so it actually (judging by the tests) comes down to the same sig_id value, if you have it more than once, it seems it is not working</p>
<p>Please find a 7-packet pcap attached along with a yaml conf file.<br />The pcap has source ip - 82.96.58.41 and destination ip - 192.168.137.19</p>
<p>You can use repeatedly:<br />suricata -c /etc/suricata/suricata.yaml -s supress.rule -r suppresstest.pcap<br />to verify the issue.</p>
<p>Thanks</p>
<p>Updated by Victor Julien (victor@inliniac.net) on 2011-11-02T06:21:07Z: https://redmine.openinfosecfoundation.org/issues/366?journal_id=1343</p>
<ul><li><strong>Due date</strong> set to <i>11/02/2011</i></li><li><strong>Status</strong> changed from <i>New</i> to <i>Assigned</i></li><li><strong>Assignee</strong> set to <i>Eric Leblond</i></li><li><strong>Priority</strong> changed from <i>Normal</i> to <i>High</i></li><li><strong>Target version</strong> set to <i>1.1rc1</i></li><li><strong>Estimated time</strong> set to <i>3.00 h</i></li></ul><p>Thanks Peter, I was able to reproduce it today.</p>
<p>The issue is quite simple: per sid suppressions are stored in the signature itself. When checking a sig, only the last of the suppression settings of a signature is checked.</p>
<p>- SigGetThresholdType gets the last suppression.<br />- PacketAlertHandle uses that to check the suppression.</p>
<p>What needs to be done is that PacketAlertHandle loops all suppression settings in a signature.</p>
<p>Updated by Eric Leblond (eric@regit.org) on 2011-11-02T09:31:57Z: https://redmine.openinfosecfoundation.org/issues/366?journal_id=1349</p>
<ul><li><strong>File</strong> <a href="/attachments/667">0001-threshold-introduce-SigGetThresholdTypeIter-function.patch</a> added</li><li><strong>File</strong> <a href="/attachments/668">0002-threshold-fix-thresholding-on-signature-with-multipl.patch</a> added</li><li><strong>% Done</strong> changed from <i>0</i> to <i>90</i></li></ul><p>Pull request sent to Victor who will review the fixes. Thanks a lot for such a precise bug report and diagnostic! Patches attached to the ticket for reference or supplementary tests.</p>
<p>Updated by Victor Julien (victor@inliniac.net) on 2011-11-02T12:50:30Z: https://redmine.openinfosecfoundation.org/issues/366?journal_id=1353</p>
<ul><li><strong>Status</strong> changed from <i>Assigned</i> to <i>Closed</i></li><li><strong>% Done</strong> changed from <i>90</i> to <i>100</i></li></ul><p>Patches applied, thanks Eric.</p>
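<p>Victor's diagnosis above (per-sid suppressions are stored on the signature, but the alert check consulted only the last one) modelled in Python, as an added example that is not Suricata's code: the threshold.config parser, the Suppress and Alert records, and the sample config and alert are all constructed here, with the two by_dst and two by_src lines taken from Peter's report and the alert addresses from his pcap. is_suppressed_last_only reproduces the reported behaviour and is_suppressed_all applies the fix of looping over every suppression entry for the signature.</p>

```python
"""Model of per-signature suppression lookup (added example, not Suricata source).

A signature may carry several 'suppress' entries.  The reported bug consulted
only the last entry for a sid; the fix checks every entry.  Everything below
(parser, records, sample config, sample alert) is constructed for this demo.
"""
from dataclasses import dataclass
import re

# One threshold.config 'suppress' line, e.g.
#   suppress gen_id 1, sig_id 5001684, track by_src, ip 82.96.58.41
SUPPRESS_RE = re.compile(
    r"^suppress\s+gen_id\s+(\d+),\s*sig_id\s+(\d+),\s*track\s+(by_src|by_dst),\s*ip\s+(\S+)\s*$"
)


@dataclass
class Suppress:
    gen_id: int
    sig_id: int
    track: str  # "by_src" or "by_dst"
    ip: str


@dataclass
class Alert:
    gen_id: int
    sig_id: int
    src_ip: str
    dst_ip: str


def parse_threshold_config(text):
    """Return {(gen_id, sig_id): [Suppress, ...]} in file order; '#' lines are comments."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = SUPPRESS_RE.match(line)
        if not m:
            raise ValueError(f"unsupported threshold.config line: {line!r}")
        entry = Suppress(int(m[1]), int(m[2]), m[3], m[4])
        table.setdefault((entry.gen_id, entry.sig_id), []).append(entry)
    return table


def _matches(entry, alert):
    """A suppress entry applies when the tracked address equals its ip."""
    addr = alert.src_ip if entry.track == "by_src" else alert.dst_ip
    return addr == entry.ip


def is_suppressed_last_only(table, alert):
    """Reported behaviour: only the last suppress entry stored for the sid is consulted."""
    entries = table.get((alert.gen_id, alert.sig_id), [])
    return bool(entries) and _matches(entries[-1], alert)


def is_suppressed_all(table, alert):
    """Fixed behaviour: every suppress entry for the sid is checked."""
    entries = table.get((alert.gen_id, alert.sig_id), [])
    return any(_matches(e, alert) for e in entries)


# Constructed threshold.config: the two by_dst and two by_src lines from the report,
# all for the same sid so the signature carries four suppress entries.
THRESHOLD_CONFIG = """\
# by_dst pair
suppress gen_id 1, sig_id 5001684, track by_dst, ip 192.168.137.19
suppress gen_id 1, sig_id 5001684, track by_dst, ip 192.168.137.20
# by_src pair
suppress gen_id 1, sig_id 5001684, track by_src, ip 82.96.58.41
suppress gen_id 1, sig_id 5001684, track by_src, ip 5.5.5.5
"""

# Constructed alert using the source and destination addresses of the attached pcap.
PCAP_ALERT = Alert(gen_id=1, sig_id=5001684, src_ip="82.96.58.41", dst_ip="192.168.137.19")


def demo():
    """Run the pcap alert through both lookups; only the fixed one suppresses it."""
    table = parse_threshold_config(THRESHOLD_CONFIG)
    return {
        "last_only": is_suppressed_last_only(table, PCAP_ALERT),
        "all": is_suppressed_all(table, PCAP_ALERT),
    }


if __name__ == "__main__":
    print(demo())  # {'last_only': False, 'all': True}
```

<p>This also explains Peter's workaround: giving the second entry a different sig_id leaves each signature with a single suppress entry, so "the last entry" and "every entry" coincide and the alert is suppressed even with the old lookup.</p>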