Project

General

Profile

Actions

Feature #425

closed

Inspect the effects of mixing threshold and detection filters etc..

Added by Anoop Saldanha almost 13 years ago. Updated over 1 year ago.

Status:
Closed
Priority:
Normal
Target version:
Effort:
Difficulty:
Label:

Related issues 1 (0 open1 closed)

Related to Suricata - Task #5318: tests: craft an SV for rate_filterClosedVictor JulienActions
Actions #1

Updated by Victor Julien over 12 years ago

  • Target version set to 1.4
Actions #2

Updated by Victor Julien over 12 years ago

  • Target version changed from 1.4 to 1.4beta2

Currently we ignore threshold.conf entries if a rule already has thresholding set.

As the thresholds in a rule are a list, we could just start with allowing multiple entries. The matching engine should only return a match when all conditions are met. Conflicting conditions should be checked for then obviously.

Actions #3

Updated by Victor Julien over 12 years ago

  • Tracker changed from Bug to Feature
  • Status changed from New to Assigned
  • Assignee changed from Anoop Saldanha to Victor Julien

Related to #455.

Actions #4

Updated by Victor Julien over 12 years ago

A signature with a threshold, e.g.:

alert tcp any any -> any 25 (msg:"ET POLICY Inbound Frequent Emails - Possible Spambot Inbound"; flow:established; content:"mail from|3a|"; nocase; threshold: type threshold, track by_src, count 10, seconds 60; reference:url,doc.emergingthreats.net/2002087; classtype:misc-activity; sid:2002087; rev:10;)

Can be mixed with all types of global suppressions it seems. Tried:
suppress gen_id 1, sig_id 2002087, track by_src, ip xx
suppress gen_id 0, sig_id 0, track by_src, ip xx
suppress gen_id 1, sig_id 0, track by_src, ip xx
suppress gen_id 1, sig_id 2002087

Actions #5

Updated by Victor Julien over 12 years ago

event_filter gen_id 1, sig_id 2002087, type limit, track by_src, count 1, seconds 3600

Should result in 1 alert, but gets 0.
Actions #6

Updated by Victor Julien over 12 years ago

I've added support for suppressing thresholded sigs, but the other globals from threshold.config are not yet supported for sigs with a threshold.

Actions #7

Updated by Victor Julien over 12 years ago

Added support for overriding per signature thresholds.

commit 82fc61770bd3cdeb5cf033bfa8f7dc2580ebffbc
Author: Victor Julien <victor@inliniac.net>
Date:   Wed Sep 26 08:58:05 2012 +0200

    threshold: allow threshold.config to override rule

    Allow threshold.conf to override rule thresholds in the following
    cases:

    - threshold.config rule uses threshold or event_filter AND
    - threshold.config rule applies to a single signature (so no
      gid 0 or sid 0)

    Confirmed to work with both threshold and detection_filter rule
    keywords.

    Part of bug #425.
Actions #8

Updated by Victor Julien about 12 years ago

  • Target version changed from 1.4beta2 to 1.4beta3
Actions #9

Updated by Victor Julien about 12 years ago

  • Target version changed from 1.4beta3 to 1.4rc1
Actions #10

Updated by Victor Julien about 12 years ago

  • Target version changed from 1.4rc1 to 2.0rc2
  • % Done changed from 0 to 40

Partly fixed for 1.4, work continues in 1.5.

Actions #11

Updated by Victor Julien about 11 years ago

  • Priority changed from Normal to Low
Actions #12

Updated by Victor Julien almost 11 years ago

  • Target version changed from 2.0rc2 to 3.0RC2
Actions #13

Updated by Victor Julien over 9 years ago

  • Target version changed from 3.0RC2 to 70
Actions #14

Updated by Andreas Herz over 7 years ago

With rate_filter there is also a demand to override or combine the settings within the threshold.config and the used rules. This should match our documentation that when the ratelimit is reached the new_action should be applied and also needs to stay in that mode until timeout is reached. At the moment it's overriden by the threshold settings within the rule. (summary from discussion on the oisf-users ML with topic [Oisf-users] threshold.conf with rate_limit or drop rules in 9/2017)

Actions #15

Updated by Victor Julien over 4 years ago

  • Status changed from Assigned to New
  • Assignee changed from Victor Julien to Community Ticket
  • Priority changed from Low to Normal
  • Target version changed from 70 to TBD

Unclear what would be left to do currently. Leaving it to the community to submit more usecases that we don't support right now.

Actions #16

Updated by Pavan Vachhani over 3 years ago

Hi,
I came across this issue while reading the documentation. I am trying to apply threshold to limit the number of events generated by each rule/signatures. So, tried adding threshold.config as below but it is seems it's not supported yet.

/etc/suricata/threshold.config

threshold gen_id 0, sig_id 0, type limit, track by_rule, count 1, seconds 10

/var/log/suricata/suricata.log

28/4/2021 -- 09:04:47 - <Error> - [ERRCODE: SC_ERR_PCRE_MATCH(2)] - pcre_exec parse error, ret -1, string , type limit, track by_rule, count 1, seconds 10
28/4/2021 -- 09:04:47 - <Info> - Threshold config parsed: 1 rule(s) found

I wanted to have a global threshold so that, logs aren't filled up with similar events from same signature in a short span like 10 seconds.
Is there any other way to do this?
Thanks!

Actions #17

Updated by Juliana Fajardini Reichow over 2 years ago

  • Related to Task #5318: tests: craft an SV for rate_filter added
Actions #18

Updated by Philippe Antoine over 1 year ago

  • Status changed from New to Closed

@Pavan Vachhani this works with Suricata 7

And I get Error: threshold-config: pcre2_match parse error, ret -1, string , type ttlimit, track by_rule, count 1, seconds 10 [ParseThresholdRule:util-threshold-config.c:726]

If I replace limit with ttlimit to induce the error

Feel free to reopen if you have still a problem

Actions

Also available in: Atom PDF