Project

General

Profile

Bug #4377

64 Character Limit on IP for thresholding.conf

Added by Josh Patterson 5 months ago. Updated 4 months ago.

Status:
Closed
Priority:
Normal
Assignee:
-
Target version:
-
Affected Versions:
Effort:
Difficulty:
Label:

Description

Hi All,
This is Josh from the Security Onion team. We have recently upgraded to 6.0.1, and a user has reported an issue (https://github.com/Security-Onion-Solutions/securityonion/discussions/3248) with a character limit for the IP in thresholding.conf that didn't exist previously.

Previously, the following rule would work:
suppress gen_id 1, sig_id 2100371, track by_dst, ip 1.1.1.1,2.2.2.2,3.3.3.3,4.4.4.4,5.5.5.5,6.6.6.6,7.7.7.7,81.8.8.8

However, on 6.0.1, we receive an error in the log when running the same rule:
<Error> - [ERRCODE: SC_ERR_PCRE_COPY_SUBSTRING(325)] - pcre_copy_substring failed

Any insight on this issue would be greatly appreciated.

Thank you.


Related issues

Is duplicate of Bug #2190: apparent 1000 character limit in threshold.conf IP listsClosedJeff LucovskyActions
#1

Updated by Jeff Lucovsky 4 months ago

  • Is duplicate of Bug #2190: apparent 1000 character limit in threshold.conf IP lists added
#2

Updated by Jeff Lucovsky 4 months ago

  • Status changed from New to Closed

Also available in: Atom PDF