Bug #967: threshold rule clobbers suppress rules - Suricata - Open Information Security Foundation

Actions

Copy link

Bug #967

closed

threshold rule clobbers suppress rules

Added by Darrell Enns over 10 years ago. Updated over 10 years ago.

Status:

Closed

Priority:

Normal

Assignee:

Victor Julien

Target version:

2.0beta2

Affected Versions:

Effort:

Difficulty:

Label:

Description

Adding a threshold rule clobbers any previous suppress rules. If this behavior is intended and not a bug, then it's highly counter-intuitive and should be clearly documented.

This works as expected (suppress alerts for 192.168.0.8 and limits other hosts to one alert per hour):

threshold gen_id 1, sig_id 2014726, type limit, track by_src, count 1, seconds 3600
suppress gen_id 1, sig_id 2014726, track by_src, ip 192.168.0.8

This does not suppress alerts for 192.168.0.8:

suppress gen_id 1, sig_id 2014726, track by_src, ip 192.168.0.8
threshold gen_id 1, sig_id 2014726, type limit, track by_src, count 1, seconds 3600

History
Notes
Property changes

Actions

Copy link

Also available in: Atom PDF

Project

General

Profile

Suricata

Custom queries

Bug #967

threshold rule clobbers suppress rules

Updated by Victor Julien over 10 years ago

Updated by Victor Julien over 10 years ago

Updated by Anoop Saldanha over 10 years ago

Updated by Victor Julien over 10 years ago

Updated by Victor Julien over 10 years ago