threshold.conf: reconcile current threshold.conf with current state of rules
Sometimes, Suricata will issue warnings for sids that used to exist, before.
8/6/2023 -- 08:23:27 - <Warning> - [ERRCODE: SC_ERR_EVENT_ENGINE(210)] - can't suppress sid 2044749, gid 1: unknown rule
It would be useful if it was possible to automatically true up what sids have been deleted from a threshold file, since suricata-update is aware of the status of rules.
Currently, to achieve that, one would probably need to have a list of active/enabled sids and run that against their threshold contents.
This feature request arose from the discussion in:
[Edit by jish]
The idea here is Suricata-Update could be the owner of threshold.config, and modify as needed to provide a clean threshold.config to Suricata.
So Suricata-Update does already have some thresholding support, it's just undocumented as it's an artifact of the tool Suricata-Update was before it was Suricata-Update.
An example "threshold.config.in" would look something like: https://raw.githubusercontent.com/OISF/suricata-update/master/suricata/update/configs/threshold.in
In this case, it supports a normal threshold.config input, but also supports re for regular expression expansion based on the current state of the rules. It wouldn't be that hard to strip out lines that have no matching SID in the active ruleset.
I had been planning on removing this at some point, as it's untested these days, however I think bringing threshold.config under Suricata-Update control could be beneficial here.
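An added example (not code from suricata-update or from the issue author) of the reconciliation step described above: parse the sids of the enabled rules, then drop threshold.config entries whose gen_id 1 sig_id no longer matches an active rule. The rule lines and threshold entries below are constructed sample data; the sids 1000001 to 1000003 are hypothetical, and 2044749 is the sid from the warning quoted in the issue. Real integration would read the rules file suricata-update produces and the threshold.config it is asked to manage.

```python
import re

# Constructed sample ruleset: the second rule is commented out, so it is disabled.
RULES = """\
alert tcp any any -> any 80 (msg:"Example rule one"; sid:1000001; rev:1;)
# alert tcp any any -> any 443 (msg:"Disabled rule"; sid:1000002; rev:1;)
alert udp any any -> any 53 (msg:"Example rule three"; sid:1000003; rev:2;)
"""

# Constructed threshold.config: two entries reference sids that are not active.
THRESHOLD = """\
# suppress noisy internal scanners
suppress gen_id 1, sig_id 1000001, track by_src, ip 10.0.0.0/8
suppress gen_id 1, sig_id 2044749
threshold gen_id 1, sig_id 1000003, type limit, track by_src, count 1, seconds 60
suppress gen_id 1, sig_id 1000002
suppress gen_id 3, sig_id 7, track by_dst, ip 192.0.2.10
"""

SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
GEN_ID_RE = re.compile(r"\bgen_id\s+(\d+)")
SIG_ID_RE = re.compile(r"\bsig_id\s+(\d+)")


def enabled_sids(rules_text):
    """Return the set of sids from rule lines that are not commented out."""
    sids = set()
    for line in rules_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue  # disabled rule or comment: not loaded by Suricata
        m = SID_RE.search(stripped)
        if m:
            sids.add(int(m.group(1)))
    return sids


def reconcile_threshold(threshold_text, active_sids):
    """Split threshold.config lines into (kept_text, dropped_lines).

    Only gen_id 1 entries are checked against the ruleset, because that is
    the generator id of signature rules (the warning in the issue is for
    gid 1). Comments, blank lines, entries without a sig_id, and entries for
    other gen_ids are kept untouched rather than guessed at.
    """
    kept, dropped = [], []
    for line in threshold_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            kept.append(line)
            continue
        gen = GEN_ID_RE.search(stripped)
        sig = SIG_ID_RE.search(stripped)
        gen_id = int(gen.group(1)) if gen else 1  # Suricata defaults gen_id to 1
        if sig is None or gen_id != 1:
            kept.append(line)
            continue
        if int(sig.group(1)) in active_sids:
            kept.append(line)
        else:
            dropped.append(line)
    return "\n".join(kept) + "\n", dropped


def dropped_sids(threshold_text, rules_text):
    """Convenience wrapper: the sids whose entries would be removed, in order."""
    _, dropped = reconcile_threshold(threshold_text, enabled_sids(rules_text))
    return [int(SIG_ID_RE.search(line).group(1)) for line in dropped]


if __name__ == "__main__":
    cleaned, removed = reconcile_threshold(THRESHOLD, enabled_sids(RULES))
    print(cleaned)
    for line in removed:
        print("dropped (unknown sid):", line)
```

Dropped entries are returned rather than silently discarded so the tool can log them, which gives an operator the same information the Suricata warning carries today but before Suricata is restarted.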