64 Character Limit on IP for thresholding.conf
This is Josh from the Security Onion team. We have recently upgraded to 6.0.1, and a user has reported an issue (https://github.com/Security-Onion-Solutions/securityonion/discussions/3248) with a character limit for the IP in thresholding.conf that didn't exist previously.
Previously, the following rule would work:
suppress gen_id 1, sig_id 2100371, track by_dst, ip 184.108.40.206,220.127.116.11,18.104.22.168,22.214.171.124,126.96.36.199,188.8.131.52,184.108.40.206,220.127.116.11
However, on 6.0.1, we receive an error in the log when running the same rule:
<Error> - [ERRCODE: SC_ERR_PCRE_COPY_SUBSTRING(325)] - pcre_copy_substring failed
Any insight on this issue would be greatly appreciated.
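A check for the condition reported above, as an added example that is not part of the original post and is not Security Onion or Suricata code: it scans threshold configuration text for suppress lines whose ip value reaches the 64-character limit named in the title, so they can be found before an upgrade. The function name, the treatment of a value of exactly 64 characters as over the limit, and the short sample rule are assumptions made for illustration.

```python
import re

# Assumption: the limit is the 64 characters named in the post's title.
IP_FIELD_LIMIT = 64

# Matches the suppress syntax used in the post:
#   suppress gen_id <n>, sig_id <n>, track <by_src|by_dst>, ip <list>
SUPPRESS_RE = re.compile(
    r"^\s*suppress\s+gen_id\s+(?P<gen_id>\d+)\s*,\s*sig_id\s+(?P<sig_id>\d+)"
    r"\s*,\s*track\s+(?P<track>\w+)\s*,\s*ip\s+(?P<ip>\S+)\s*$"
)

# Line 2 is a constructed short rule; line 3 is the rule quoted in the post.
SAMPLE_CONFIG = """\
# sample threshold configuration (constructed for this example)
suppress gen_id 1, sig_id 2100371, track by_dst, ip 192.0.2.10,192.0.2.11
suppress gen_id 1, sig_id 2100371, track by_dst, ip 184.108.40.206,220.127.116.11,18.104.22.168,22.214.171.124,126.96.36.199,188.8.131.52,184.108.40.206,220.127.116.11
"""


def find_long_ip_fields(config_text, limit=IP_FIELD_LIMIT):
    """Return one finding per suppress line whose ip value is >= limit chars."""
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), start=1):
        if line.lstrip().startswith("#"):
            continue  # skip comment lines
        match = SUPPRESS_RE.match(line)
        if not match:
            continue  # not a suppress rule in the form shown in the post
        ip_value = match.group("ip")
        # Conservative choice (assumption): exactly `limit` chars is flagged too.
        if len(ip_value) >= limit:
            findings.append({
                "line": lineno,
                "gen_id": int(match.group("gen_id")),
                "sig_id": int(match.group("sig_id")),
                "track": match.group("track"),
                "length": len(ip_value),
                "entries": len(ip_value.split(",")),
            })
    return findings


if __name__ == "__main__":
    for f in find_long_ip_fields(SAMPLE_CONFIG):
        print("line {line}: sig_id {sig_id} ip value is {length} chars "
              "({entries} entries)".format(**f))
```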