Project

General

Profile

Actions
Copy link

Bug #3463

closed

Faulty signature with two threshold keywords does not generate an error and never match

Added by Odin Jenseg over 4 years ago. Updated over 4 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Jeff Lucovsky
Target version:
6.0.0beta1
Affected Versions:
5.0.1
Effort:
Difficulty:
Label:
Needs backport

Description

alert http any any -> any any (msg:"CURL1"; flow:established,to_server; content:"GET"; http_method;  content:"curl"; http_user_agent; threshold: type limit, track by_src, count 1 , seconds 60; sid:1;)
alert http any any -> any any (msg:"CURL2"; flow:established,to_server; content:"GET"; http_method;  content:"curl"; http_user_agent; threshold: type limit, track by_src, count 1 , seconds 60; threshold: type limit, track by_src, count 1 , seconds 60; sid:2;)

The first rule will trigger an alert, but the second one will not trigger an alert. The second one is faulty and contains two threshold fields. Rules that contains error is often listed in suricata.log and not loaded. It would be good if similar validation is performed on these cases.

Related issues 2 (0 open2 closed)

Copied to Suricata - Bug #3579: Faulty signature with two threshold keywords does not generate an error and never matchClosedShivani BhardwajActions
Copied to Suricata - Bug #3580: Faulty signature with two threshold keywords does not generate an error and never matchClosedJeff LucovskyActions
Actions
Copy link

Also available in: Atom PDF