Suricata

1.We should be defaulting s->gid to 1 sometime during rule parsing. Currently we only set this properly for alerts inside of src/detect-engine-alert.c. Failing to default this to 1 causes proper use of the threshold.config file to fail as currently all gid's default to 0.

2.We should include an example of how to specify the use of a threshold.config file in suricata.yaml i.e.
threshold-file: /etc/suricata/threshold.config

3.All of the examples from the snort manual and from the doc/README.filters show multi-line examples using "\" we don't seem to properly parse multi-line entries in this file.
[17475] 4/6/2010 -- 12:54:43 - (util-threshold-config.c:177) <Error> (SCThresholdConfAddThresholdtype) -- [ERRCODE: SC_ERR_PCRE_MATCH(2)] - pcre_exec parse error, ret 1, string event_filter \
[17475] 4/6/2010 - 12:54:43 - (util-threshold-config.c:177) <Error> (SCThresholdConfAddThresholdtype) -- [ERRCODE: SC_ERR_PCRE_MATCH(2)] - pcre_exec parse error, ret 1, string gen_id 1, \
[17475] 4/6/2010 - 12:54:43 - (util-threshold-config.c:177) <Error> (SCThresholdConfAddThresholdtype) -- [ERRCODE: SC_ERR_PCRE_MATCH(2)] - pcre_exec parse error, ret 1, string sig_id 2003292, \
[17475] 4/6/2010 - 12:54:43 - (util-threshold-config.c:177) <Error> (SCThresholdConfAddThresholdtype) -- [ERRCODE: SC_ERR_PCRE_MATCH(2)] - pcre_exec parse error, ret 1, string type both, \
[17475] 4/6/2010 - 12:54:43 - (util-threshold-config.c:177) <Error> (SCThresholdConfAddThresholdtype) -- [ERRCODE: SC_ERR_PCRE_MATCH(2)] - pcre_exec parse error, ret -1, string track by_src, \

[17475] 4/6/2010 -- 12:54:43 - (util-threshold-config.c:177) <Error> (SCThresholdConfAddThresholdtype) -- [ERRCODE: SC_ERR_PCRE_MATCH(2)] - pcre_exec parse error, ret -1, string count 1, \

[17475] 4/6/2010 -- 12:54:43 - (util-threshold-config.c:177) <Error> (SCThresholdConfAddThresholdtype) -- [ERRCODE: SC_ERR_PCRE_MATCH(2)] - pcre_exec parse error, ret -1, string seconds 60