Bug #967
closedthreshold rule clobbers suppress rules
Description
Adding a threshold rule clobbers any previous suppress rules. If this behavior is intended and not a bug, then it's highly counter-intuitive and should be clearly documented.
This works as expected (suppress alerts for 192.168.0.8 and limits other hosts to one alert per hour):
threshold gen_id 1, sig_id 2014726, type limit, track by_src, count 1, seconds 3600 suppress gen_id 1, sig_id 2014726, track by_src, ip 192.168.0.8
This does not suppress alerts for 192.168.0.8:
suppress gen_id 1, sig_id 2014726, track by_src, ip 192.168.0.8 threshold gen_id 1, sig_id 2014726, type limit, track by_src, count 1, seconds 3600
Updated by Victor Julien over 10 years ago
- Status changed from New to Assigned
- Assignee set to Victor Julien
- Target version changed from 1.4.5 to 1.4.6
"target version" is for indicating in which release something will be addressed.
Updated by Victor Julien over 10 years ago
- Target version changed from 1.4.6 to 2.0beta2
What is happening is that if a suppress rule encounters an existing threshold/suppress setting on the rule, it silently replaces that.
Our support for mixing rule thresholds with global thresholds is still rather limited, see Global-Thresholds and #425.
Updated by Anoop Saldanha over 10 years ago
I presume the aforementioned thing would also happen, if a threshold rule sees an existing threshold/suppress setting on a rule?
Updated by Victor Julien over 10 years ago
Anoop Saldanha wrote:
I presume the aforementioned thing would also happen, if a threshold rule sees an existing threshold/suppress setting on a rule?
For thresholding and detection_filters, indeed. No suppression can be set in the rule itself.
I have made a partial fix here: https://github.com/inliniac/suricata/pull/558, it splits suppress and threshold support. Suppressions can then be mixed with thresholds w/o limits and there can be many suppressions per rule. The issue with multiple thresholds per rule remains though.
Updated by Victor Julien over 10 years ago
- Status changed from Assigned to Closed
- % Done changed from 0 to 100
Merged the fix I mentioned. This addresses mixing suppress <-> suppress and suppress <-> threshold. For theshold <-> threshold there is still ticket #425.