Bug #4377

64 Character Limit on IP for thresholding.conf

Added by Josh Patterson almost 4 years ago. Updated over 3 years ago.

Status: Closed
Priority: Normal
Assignee: -
Target version: -
Affected Versions:
Effort:
Difficulty:
Label:

Description

Hi All,
This is Josh from the Security Onion team. We have recently upgraded to 6.0.1, and a user has reported an issue (https://github.com/Security-Onion-Solutions/securityonion/discussions/3248) with a character limit for the IP in thresholding.conf that didn't exist previously.

Previously, the following rule would work:
suppress gen_id 1, sig_id 2100371, track by_dst, ip 1.1.1.1,2.2.2.2,3.3.3.3,4.4.4.4,5.5.5.5,6.6.6.6,7.7.7.7,81.8.8.8

However, on 6.0.1, we receive an error in the log when running the same rule:
<Error> - [ERRCODE: SC_ERR_PCRE_COPY_SUBSTRING(325)] - pcre_copy_substring failed

Any insight on this issue would be greatly appreciated.

Thank you.
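
A check for the limit reported above, added here as an example and not taken from the ticket or from Suricata's code: it scans suppress lines and reports any whose ip field is 64 characters or longer. The 64-character threshold is an assumption based on the ticket title and on the failing rule, whose IP list is exactly 64 characters; the function name and the sample lines other than the quoted rule are constructed.

```python
import re

# Assumption: limit taken from this ticket's title. The failing rule's IP
# list is exactly 64 characters long, so lengths >= 64 are flagged.
IP_FIELD_LIMIT = 64

# suppress gen_id <gid>, sig_id <sid>[, track <by_src|by_dst|by_either>, ip <list>]
SUPPRESS_RE = re.compile(
    r"^\s*suppress\s+gen_id\s+(?P<gid>\d+)\s*,\s*sig_id\s+(?P<sid>\d+)"
    r"(?:\s*,\s*track\s+(?P<track>by_src|by_dst|by_either)"
    r"\s*,\s*ip\s+(?P<ip>\S.*?))?\s*$"
)


def find_long_ip_fields(text, limit=IP_FIELD_LIMIT):
    """Return (line_no, gid, sid, ip_len) for each suppress rule whose
    ip field is at least `limit` characters long."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # blank line or comment
        m = SUPPRESS_RE.match(line)
        if not m or m.group("ip") is None:
            continue  # not a suppress rule, or one without an ip field
        ip_len = len(m.group("ip"))
        if ip_len >= limit:
            hits.append((line_no, int(m.group("gid")), int(m.group("sid")), ip_len))
    return hits


# Constructed sample: line 2 is the rule quoted in the ticket, the rest is made up.
SAMPLE = """\
# constructed threshold file for illustration
suppress gen_id 1, sig_id 2100371, track by_dst, ip 1.1.1.1,2.2.2.2,3.3.3.3,4.4.4.4,5.5.5.5,6.6.6.6,7.7.7.7,81.8.8.8
suppress gen_id 1, sig_id 2100372, track by_src, ip 10.0.0.1
suppress gen_id 1, sig_id 2100373
"""

if __name__ == "__main__":
    for line_no, gid, sid, ip_len in find_long_ip_fields(SAMPLE):
        print(f"line {line_no}: gid {gid} sid {sid} ip field is {ip_len} chars")
```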


Related issues 1 (0 open, 1 closed)

Is duplicate of Suricata - Bug #2190: apparent 1000 character limit in threshold.conf IP lists - Closed - Jeff Lucovsky
