Bug #1247 (open)
Using suppress in threshold.config does not prevent dropping
Description
I have Suricata 2.0.2 running in inline/IPS mode, with the following rule active:
drop ip any any -> any any (msg:"GPL ATTACK_RESPONSE id check returned root"; content:"uid=0|28|root|29|"; fast_pattern:only; classtype:bad-unknown; sid:2100498; rev:8;)
So I have created an index.html for testing:
uid=0(root) gid=0(root) groups=0(root)
With a small Python server:
python -m SimpleHTTPServer
I can trigger the rule by:
lynx http://10.0.20.89:8000/
The rule triggers, logs to fast.log etc., and also drops the attempt.
I put "suppress gen_id 1, sig_id 2100498" into the threshold.config and restarted Suricata.
What I would have expected is that I see no logs and it won't be dropped.
The logs don't appear (I have fast.log, alert-debug.log, drop.log and http.log active), but it's dropped.
The same test in Snort with the same suppress rule does not log and does not drop.
I guess this might be a bug introduced in some newer version, since Victor Julien got the same issue working in 2012:
http://blog.inliniac.net/2012/03/07/f-secure-av-updates-and-suricata-ips/
And I would suggest the option to also apply threshold.config within the dynamic rule reload, so it's not necessary to restart the whole of Suricata if you just added one line to threshold.config.
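As an added example (not part of the bug report and not Suricata's own code), the helper below shows what a threshold.config `suppress` entry is supposed to match: it parses `suppress gen_id ..., sig_id ...` lines, including the `track by_src|by_dst, ip ...` form documented for Suricata which the report itself does not use, and applies them to constructed fast.log-style alert lines. The second suppress entry, the sids 9000001/9000002, the timestamps and the client addresses are constructed for the example; only the `suppress gen_id 1, sig_id 2100498` line and the 10.0.20.89:8000 server come from the report. It models alert suppression only and says nothing about whether the packet is still dropped, which is exactly the open question in this bug.

```python
"""Apply threshold.config 'suppress' entries to fast.log-style alert lines.

Added example for the suppress semantics discussed in bug #1247; this is
not Suricata code and does not model the IPS drop decision.
"""
import ipaddress
import re

# Constructed threshold.config: the first entry is the one from the report,
# the second is constructed to exercise the 'track ... ip ...' form.
THRESHOLD_CONFIG = """\
# suppress gid 1 / sid 2100498 entirely (the reporter's line)
suppress gen_id 1, sig_id 2100498
# suppress only when the source address is in 10.0.20.0/24 (constructed)
suppress gen_id 1, sig_id 9000001, track by_src, ip 10.0.20.0/24
"""

# Constructed fast.log lines; sids 9000001/9000002 are placeholders.
FAST_LOG = """\
08/28/2014-10:12:30.123456  [**] [1:2100498:8] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.0.20.89:8000 -> 10.0.20.10:41234
08/28/2014-10:12:31.000001  [**] [1:9000001:1] CONSTRUCTED test sig [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.0.20.89:8000 -> 10.0.20.10:41235
08/28/2014-10:12:32.000002  [**] [1:9000001:1] CONSTRUCTED test sig [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.1.5:8000 -> 10.0.20.10:41236
08/28/2014-10:12:33.000003  [**] [1:9000002:1] CONSTRUCTED other sig [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.0.20.89:8000 -> 10.0.20.10:41237
"""

# suppress gen_id <gid>, sig_id <sid>[, track by_src|by_dst, ip <addr|cidr>]
SUPPRESS_RE = re.compile(
    r"^suppress\s+gen_id\s+(\d+)\s*,\s*sig_id\s+(\d+)"
    r"(?:\s*,\s*track\s+(by_src|by_dst)\s*,\s*ip\s+(\S+))?\s*$"
)

# [**] [gid:sid:rev] msg [**] ... {PROTO} src:port -> dst:port
FAST_RE = re.compile(
    r"\[\*\*\]\s*\[(\d+):(\d+):\d+\]\s.*?\{\w+\}\s+(\S+):\d+\s*->\s*(\S+):\d+"
)


def parse_suppress(text):
    """Return the suppress entries found in a threshold.config text.

    Other keywords (threshold, rate_filter) are ignored here.
    """
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = SUPPRESS_RE.match(line)
        if not m:
            continue
        gid, sid, track, ip = m.groups()
        rules.append({
            "gid": int(gid),
            "sid": int(sid),
            "track": track,  # None means: suppress regardless of address
            "net": ipaddress.ip_network(ip, strict=False) if ip else None,
        })
    return rules


def parse_fast_log(text):
    """Extract gid, sid, source and destination address from fast.log lines."""
    alerts = []
    for line in text.splitlines():
        m = FAST_RE.search(line)
        if not m:
            continue
        gid, sid, src, dst = m.groups()
        alerts.append({"gid": int(gid), "sid": int(sid), "src": src, "dst": dst, "raw": line})
    return alerts


def is_suppressed(rules, gid, sid, src, dst):
    """True if any suppress entry covers this gid/sid for these addresses."""
    for r in rules:
        if r["gid"] != gid or r["sid"] != sid:
            continue
        if r["track"] is None:
            return True
        addr = ipaddress.ip_address(src if r["track"] == "by_src" else dst)
        if addr in r["net"]:
            return True
    return False


def apply_suppress(rules, alerts):
    """Split alerts into (kept, suppressed) according to the suppress entries."""
    kept, suppressed = [], []
    for a in alerts:
        target = suppressed if is_suppressed(rules, a["gid"], a["sid"], a["src"], a["dst"]) else kept
        target.append(a)
    return kept, suppressed


if __name__ == "__main__":
    kept, suppressed = apply_suppress(parse_suppress(THRESHOLD_CONFIG), parse_fast_log(FAST_LOG))
    for a in suppressed:
        print("suppressed:", a["gid"], a["sid"], a["src"], "->", a["dst"])
    for a in kept:
        print("kept:      ", a["gid"], a["sid"], a["src"], "->", a["dst"])
```

Running it shows the 2100498 alert and the 9000001 alert from 10.0.20.89 suppressed, while the 9000001 alert from 192.168.1.5 (outside 10.0.20.0/24) and the 9000002 alert survive; this is the expected effect on alert output, which matches what the reporter sees in fast.log, and the helper deliberately says nothing about the drop verdict.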