Feature #2553

closed

support 'by_both' in threshold rule keyword

Added by David Lam over 6 years ago. Updated over 4 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Target version:
Effort:
low
Difficulty:
medium
Label:

Description

I am trying the new track "by_both" option for rule thresholding (https://github.com/OISF/suricata/pull/3056), but this option does not appear to work properly.
To test this option, I had created some test rules as follows:

alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"CUSTOM: HTTP Port Scan / DoS Abuse"; flow:to_server; flags: S; threshold: type both, track by_both, count 5, seconds 30; sid:4100005; nfq_set_mark:0x10/0x10;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"CUSTOM: SSL Port Scan / DoS Abuse"; flow:to_server; flags: S; threshold: type both, track by_both, count 5, seconds 30; sid:4100006; nfq_set_mark:0x10/0x10;)
alert tcp $HOME_NET any -> 50.56.19.116 80 (msg:"CUSTOM: TEST RULE"; flow:to_server; flags: S; sid:4100007;)

However, the "DoS Abuse" rule does not appear to be firing even though more than 5 SYNs have been seen by Suricata, as the log of my rapid replays shows:
07/24/2018-20:34:51.916020 [**] [1:4100007:0] CUSTOM: TEST RULE [**] [Classification: (null)] [Priority: 3] {TCP} 10.9.0.2:51722 -> 50.56.19.116:80
07/24/2018-20:34:52.312409 [**] [1:4100007:0] CUSTOM: TEST RULE [**] [Classification: (null)] [Priority: 3] {TCP} 10.9.0.2:51723 -> 50.56.19.116:80
07/24/2018-20:34:52.616974 [**] [1:4100007:0] CUSTOM: TEST RULE [**] [Classification: (null)] [Priority: 3] {TCP} 10.9.0.2:51724 -> 50.56.19.116:80
07/24/2018-20:34:53.155103 [**] [1:4100007:0] CUSTOM: TEST RULE [**] [Classification: (null)] [Priority: 3] {TCP} 10.9.0.2:51727 -> 50.56.19.116:80
07/24/2018-20:34:53.423048 [**] [1:4100007:0] CUSTOM: TEST RULE [**] [Classification: (null)] [Priority: 3] {TCP} 10.9.0.2:51728 -> 50.56.19.116:80
07/24/2018-20:34:53.673993 [**] [1:4100007:0] CUSTOM: TEST RULE [**] [Classification: (null)] [Priority: 3] {TCP} 10.9.0.2:51729 -> 50.56.19.116:80
07/24/2018-20:34:53.919133 [**] [1:4100007:0] CUSTOM: TEST RULE [**] [Classification: (null)] [Priority: 3] {TCP} 10.9.0.2:51732 -> 50.56.19.116:80
07/24/2018-20:34:54.729542 [**] [1:4100007:0] CUSTOM: TEST RULE [**] [Classification: (null)] [Priority: 3] {TCP} 10.9.0.2:51733 -> 50.56.19.116:80
07/24/2018-20:34:54.984724 [**] [1:4100007:0] CUSTOM: TEST RULE [**] [Classification: (null)] [Priority: 3] {TCP} 10.9.0.2:51734 -> 50.56.19.116:80
07/24/2018-20:34:55.216626 [**] [1:4100007:0] CUSTOM: TEST RULE [**] [Classification: (null)] [Priority: 3] {TCP} 10.9.0.2:51735 -> 50.56.19.116:80

However, if I change the by_both option to by_src, then the rule would match successfully. This suggests to me that somehow the by_both option may not be working properly. This was tested on Suricata 4.0.5.

Thoughts?
