Project

General

Profile

Actions

Bug #455

closed

Suppression not working with "track by_src"

Added by Ian Bowers over 9 years ago. Updated almost 8 years ago.

Status:
Closed
Priority:
High
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

This was addressed in ticket #386, but still appears to be a problem in version 1.2.1

Thresholding for a particular SID with source IP address specified:
[0][root@linolea-ips1:/etc/nsm/linolea-ips1-eth1]# grep 108.59.1.205 /etc/nsm/linolea-ips1-eth1/threshold.conf
suppress gen_id 1, sig_id 2406000, track by_src, ip 108.59.1.205
suppress gen_id 1, sig_id 2406001, track by_src, ip 108.59.1.205

Threshold file is properly specified:
[0][root@linolea-ips1:/etc/nsm/linolea-ips1-eth1]# grep threshold-file /etc/nsm/*/suricata.yaml
  1. You can specify a threshold config file by setting "threshold-file"
    threshold-file: /etc/nsm/linolea-ips1-eth1/threshold.conf

9 items in file:
grep -v ^# /etc/nsm/linolea-ips1-eth1/threshold.conf | wc -l
9

And they all get parsed:
[0][root@linolea-ips1:/etc/nsm/linolea-ips1-eth1]# grep Threshold /var/log/nsm/*/suricata.log
23/4/2012 -- 07:02:26 - <Info> - Threshold config parsed: 9 rule(s) found

But the sigs still fire despite the suppression rules (last few are after suricata reload):
[0][root@linolea-ips1:/etc/nsm/linolea-ips1-eth1]# grep 108.59.1.205 /nsm/sensor_data/linolea-ips1-eth1/fast.log | tail -n 5
04/23/2012-06:53:04.622886 [**] [1:2406000:281] ET RBN Known Russian Business Network IP (1) [**] [Classification: (null)] [Priority: 3] {UDP} 108.59.1.205:53 -> 192.168.254.254:25436
04/23/2012-15:00:06.685215 [**] [1:2406000:281] ET RBN Known Russian Business Network IP (1) [**] [Classification: (null)] [Priority: 3] {UDP} 108.59.1.205:53 -> 192.168.254.254:24410
04/23/2012-17:01:30.156676 [**] [1:2406000:281] ET RBN Known Russian Business Network IP (1) [**] [Classification: (null)] [Priority: 3] {UDP} 108.59.1.205:53 -> 192.168.254.254:5213
04/23/2012-19:01:51.862718 [**] [1:2406000:281] ET RBN Known Russian Business Network IP (1) [**] [Classification: (null)] [Priority: 3] {UDP} 108.59.1.205:53 -> 192.168.254.254:21632
04/23/2012-21:03:23.455593 [**] [1:2406000:281] ET RBN Known Russian Business Network IP (1) [**] [Classification: (null)] [Priority: 3] {UDP} 108.59.1.205:53 -> 192.168.254.254:43299

So the file is referenced, the right number of lines is getting parsed by suricata, and signature, IP, and directionality all satisfy the suppression rule. The same lines fed to snort do suppress the alerts.

Suricata is above the version referenced in the last ticket:
[0][root@linolea-ips1:/etc/nsm/linolea-ips1-eth1]# suricata
23/4/2012 -- 21:16:41 - <Info> - This is Suricata version 1.2.1 RELEASE
23/4/2012 -- 21:16:41 - <Info> - CPUs/cores online: 4
-- SNIP --

I'm happy to attach any files or perform any tests to help.


Files

Actions

Also available in: Atom PDF