Feature #425
Inspect the effects of mixing threshold and detection filters etc. (closed)
Added by Anoop Saldanha almost 13 years ago. Updated over 1 year ago.
Updated by Victor Julien over 12 years ago
- Target version changed from 1.4 to 1.4beta2
Currently we ignore threshold.conf entries if a rule already has thresholding set.
As the thresholds in a rule are a list, we could just start with allowing multiple entries. The matching engine should only return a match when all conditions are met. Conflicting conditions should be checked for then obviously.
Updated by Victor Julien over 12 years ago
- Tracker changed from Bug to Feature
- Status changed from New to Assigned
- Assignee changed from Anoop Saldanha to Victor Julien
Related to #455.
Updated by Victor Julien over 12 years ago
A signature with a threshold, e.g.:
alert tcp any any -> any 25 (msg:"ET POLICY Inbound Frequent Emails - Possible Spambot Inbound"; flow:established; content:"mail from|3a|"; nocase; threshold: type threshold, track by_src, count 10, seconds 60; reference:url,doc.emergingthreats.net/2002087; classtype:misc-activity; sid:2002087; rev:10;)
Can be mixed with all types of global suppressions it seems. Tried:
suppress gen_id 1, sig_id 2002087, track by_src, ip xx
suppress gen_id 0, sig_id 0, track by_src, ip xx
suppress gen_id 1, sig_id 0, track by_src, ip xx
suppress gen_id 1, sig_id 2002087
Updated by Victor Julien over 12 years ago
event_filter gen_id 1, sig_id 2002087, type limit, track by_src, count 1, seconds 3600
Should result in 1 alert, but gets 0.
Updated by Victor Julien over 12 years ago
I've added support for suppressing thresholded sigs, but the other globals from threshold.config are not yet supported for sigs with a threshold.
Updated by Victor Julien over 12 years ago
Added support for overriding per signature thresholds.
commit 82fc61770bd3cdeb5cf033bfa8f7dc2580ebffbc
Author: Victor Julien <victor@inliniac.net>
Date:   Wed Sep 26 08:58:05 2012 +0200

    threshold: allow threshold.config to override rule

    Allow threshold.conf to override rule thresholds in the following cases:
    - threshold.config rule uses threshold or event_filter AND
    - threshold.config rule applies to a single signature (so no gid 0 or sid 0)

    Confirmed to work with both threshold and detection_filter rule keywords.

    Part of bug #425.
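As an added illustration (not Suricata's code, and not part of this ticket), the following Python models the two rules stated above: the override condition from the commit message (threshold/event_filter entries override a signature's own threshold only when they name a single signature, i.e. no gid 0 / sid 0) and the expected alert counts from the earlier comments (the rule's own "type threshold, count 10, seconds 60" versus an "event_filter ... type limit, count 1, seconds 3600" entry, which should give exactly 1 alert). The threshold.config grammar, the window handling and the event stream are simplified assumptions constructed for the example; real Suricata tracks more state than this.

```python
import re

# Constructed example, not Suricata's own code. Assumed simplified grammar:
#   threshold|event_filter gen_id N, sig_id M, type T, track X, count C, seconds S
#   suppress gen_id N, sig_id M, track X[, ip A]
ENTRY_RE = re.compile(r"^(threshold|event_filter|suppress)\s+(.*)$")
VALID_TYPES = {"limit", "threshold", "both"}


def parse_entry(line):
    """Parse one threshold.config line into a dict; reject unknown types."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        raise ValueError("unrecognised entry: %r" % line)
    kind, rest = m.groups()
    entry = {"kind": kind}
    for part in rest.split(","):
        key, _, value = part.strip().partition(" ")
        if not value:
            raise ValueError("missing value for %r in %r" % (key, line))
        entry[key] = value.strip()
    for key in ("gen_id", "sig_id", "count", "seconds"):
        if key in entry:
            entry[key] = int(entry[key])
    if kind != "suppress" and entry.get("type") not in VALID_TYPES:
        # A misspelled type (e.g. "ttlimit") is a parse error, not silently accepted.
        raise ValueError("parse error: unknown type %r" % entry.get("type"))
    return entry


def overrides_rule_threshold(entry):
    """Commit 82fc617's condition: a threshold/event_filter entry overrides the
    signature's own threshold only when it applies to exactly one signature."""
    if entry["kind"] not in ("threshold", "event_filter"):
        return False
    return entry.get("gen_id", 0) != 0 and entry.get("sig_id", 0) != 0


class Thresholder:
    """Simplified model of type limit / threshold / both over (ts, key) events.
    The window opens at the first event for a key and restarts after `seconds`."""

    def __init__(self, ttype, count, seconds):
        self.ttype, self.count, self.seconds = ttype, count, seconds
        self.state = {}  # track key -> (window_start, hits_in_window)

    def feed(self, ts, key):
        start, hits = self.state.get(key, (None, 0))
        if start is None or ts - start >= self.seconds:
            start, hits = ts, 0
        hits += 1
        self.state[key] = (start, hits)
        if self.ttype == "limit":        # at most `count` alerts per window
            return hits <= self.count
        if self.ttype == "threshold":    # alert on every `count`-th event
            return hits % self.count == 0
        return hits == self.count        # both: one alert per window, on the count-th


def alert_count(ttype, count, seconds, events):
    """Number of alerts a list of (timestamp, track_key) events would produce."""
    t = Thresholder(ttype, count, seconds)
    return sum(1 for ts, key in events if t.feed(ts, key))


if __name__ == "__main__":
    # Constructed stream: 25 matches from one source, one per second.
    events = [(float(i), "10.0.0.1") for i in range(25)]
    rule_threshold = alert_count("threshold", 10, 60, events)      # rule's own keyword
    ef = parse_entry("event_filter gen_id 1, sig_id 2002087, type limit, "
                     "track by_src, count 1, seconds 3600")
    print("rule threshold alone:", rule_threshold)
    print("event_filter overrides rule:", overrides_rule_threshold(ef))
    print("alerts under event_filter:", alert_count(ef["type"], ef["count"], ef["seconds"], events))
    glob = parse_entry("threshold gen_id 0, sig_id 0, type limit, track by_rule, count 1, seconds 10")
    print("gid 0/sid 0 entry overrides rule:", overrides_rule_threshold(glob))
```

Running it shows 2 alerts for the rule's own "every 10th in 60 s" threshold, 1 alert once the single-signature event_filter takes over, and that a gen_id 0 / sig_id 0 entry does not qualify for the override under the commit's condition.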
Updated by Victor Julien about 12 years ago
- Target version changed from 1.4beta2 to 1.4beta3
Updated by Victor Julien about 12 years ago
- Target version changed from 1.4beta3 to 1.4rc1
Updated by Victor Julien about 12 years ago
- Target version changed from 1.4rc1 to 2.0rc2
- % Done changed from 0 to 40
Partly fixed for 1.4, work continues in 1.5.
Updated by Victor Julien about 11 years ago
- Priority changed from Normal to Low
Updated by Victor Julien almost 11 years ago
- Target version changed from 2.0rc2 to 3.0RC2
Updated by Victor Julien over 9 years ago
- Target version changed from 3.0RC2 to 70
Updated by Andreas Herz over 7 years ago
With rate_filter there is also a demand to override or combine the settings within the threshold.config and the used rules. This should match our documentation that when the ratelimit is reached the new_action should be applied and also needs to stay in that mode until timeout is reached. At the moment it's overridden by the threshold settings within the rule. (summary from discussion on the oisf-users ML with topic [Oisf-users] threshold.conf with rate_limit or drop rules in 9/2017)
Updated by Victor Julien over 4 years ago
- Status changed from Assigned to New
- Assignee changed from Victor Julien to Community Ticket
- Priority changed from Low to Normal
- Target version changed from 70 to TBD
Unclear what would be left to do currently. Leaving it to the community to submit more use cases that we don't support right now.
Updated by Pavan Vachhani over 3 years ago
Hi,
I came across this issue while reading the documentation. I am trying to apply a threshold to limit the number of events generated by each rule/signature. So, I tried adding threshold.config as below, but it seems it's not supported yet.
/etc/suricata/threshold.config
threshold gen_id 0, sig_id 0, type limit, track by_rule, count 1, seconds 10
/var/log/suricata/suricata.log
28/4/2021 -- 09:04:47 - <Error> - [ERRCODE: SC_ERR_PCRE_MATCH(2)] - pcre_exec parse error, ret -1, string , type limit, track by_rule, count 1, seconds 10
28/4/2021 -- 09:04:47 - <Info> - Threshold config parsed: 1 rule(s) found
I wanted to have a global threshold so that, logs aren't filled up with similar events from same signature in a short span like 10 seconds.
Is there any other way to do this?
Thanks!
Updated by Juliana Fajardini Reichow over 2 years ago
- Related to Task #5318: tests: craft an SV for rate_filter added
Updated by Philippe Antoine over 1 year ago
- Status changed from New to Closed
@Pavan Vachhani this works with Suricata 7
And I get Error: threshold-config: pcre2_match parse error, ret -1, string , type ttlimit, track by_rule, count 1, seconds 10 [ParseThresholdRule:util-threshold-config.c:726]
If I replace limit with ttlimit to induce the error
Feel free to reopen if you still have a problem.