Bug #5327 (closed)
track by_rule|by_both incorrectly rejected for global thresholds
Description
Hello,
Working on global thresholds, we came across this documentation stating it was possible to threshold rules using track by_rule and by_both:
threshold gen_id <gid>, sig_id <sid>, type <threshold|limit|both>, \
track <by_src|by_dst|by_rule|by_both>, count <N>, seconds <T>
So we tried to configure thresholds this way:
threshold gen_id 1, sig_id 1000001, type limit, track by_rule, count 10, seconds 60
with a custom rule to match the sid in the threshold:
alert http any any -> any any (msg:"ALERT!"; sid:1000001;)
We then ran:
suricata -v -r /path/to/file.pcap
(this can work with any pcap, provided that it contains the protocol specified in the rule)
The threshold we wrote was taken into account but raised a parsing error because of the by_rule keyword.
28/4/2022 -- 10:11:22 - <Config> - Loading rule file: /etc/suricata/rules/local_all.rules
28/4/2022 -- 10:11:22 - <Info> - 1 rule files processed. 1 rules successfully loaded, 0 rules failed
28/4/2022 -- 10:11:22 - <Error> - [ERRCODE: SC_ERR_PCRE_MATCH(2)] - pcre_exec parse error, ret -1, string , type limit, track by_rule, count 10, seconds 60
28/4/2022 -- 10:11:22 - <Info> - Threshold config parsed: 1 rule(s) found
The issue seems to come from the regex in the util-threshold-config.c file (DETECT_THRESHOLD_REGEX), which does not handle the by_rule and by_both keywords for the track field. When the regexp is adjusted, the feature seems to work as expected.
Thank you,
Best regards,
Hippolyte Cousin
Gatewatcher
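The failure mode described in this report, as an added Python illustration that is not Suricata's code: the two regexes below are hypothetical stand-ins for DETECT_THRESHOLD_REGEX, not the real pattern, and the threshold.config lines are constructed. The narrow pattern lists only by_src and by_dst as track values, the corrected one derives its alternation from the syntax line quoted from the documentation, and a parse failure is reported with the unparsed remainder of the line, the way the logged error prints ", type limit, track by_rule, ...". Splitting the line into a gen_id/sig_id head and a separately matched remainder is a design choice of this example, not a claim about how Suricata's parser is structured.

```python
import re

# Syntax line as quoted from the Suricata documentation in the bug report.
DOC_SYNTAX = (
    "threshold gen_id <gid>, sig_id <sid>, type <threshold|limit|both>, "
    "track <by_src|by_dst|by_rule|by_both>, count <N>, seconds <T>"
)


def documented_values(field):
    """Return the alternatives the doc syntax line lists for `field` (e.g. 'track')."""
    m = re.search(r"\b%s\s+<([^>]+)>" % re.escape(field), DOC_SYNTAX)
    return m.group(1).split("|")


# Head of the line: gen_id and sig_id. The remainder (", type ..., seconds N")
# is matched by a second regex; this split is an assumption of the example,
# chosen because the reported error prints exactly that remainder.
HEAD_RE = re.compile(r"^\s*threshold\s+gen_id\s+(\d+)\s*,\s*sig_id\s+(\d+)(.*)$")


def rest_regex(type_values, track_values):
    """Build the regex for the remainder; the `track` alternation is the part that matters."""
    return re.compile(
        r"^\s*,\s*type\s+(%s)\s*,\s*track\s+(%s)\s*,\s*count\s+(\d+)\s*,\s*seconds\s+(\d+)\s*$"
        % ("|".join(type_values), "|".join(track_values))
    )


# Hypothetical stand-in for the pre-fix pattern (not Suricata's DETECT_THRESHOLD_REGEX):
# its track alternation omits by_rule and by_both.
NARROW_REST_RE = rest_regex(documented_values("type"), ["by_src", "by_dst"])
# Corrected pattern: the alternation is taken from the documented syntax, so
# the parser and the documentation cannot drift apart.
WIDE_REST_RE = rest_regex(documented_values("type"), documented_values("track"))


def parse_threshold(line, rest_re):
    """Parse one threshold line into a dict, or raise ValueError with the unparsed remainder."""
    head = HEAD_RE.match(line)
    if not head:
        raise ValueError("not a threshold line: %r" % line)
    gid, sid, rest = head.groups()
    m = rest_re.match(rest)
    if not m:
        # Same shape as the reported error: the remainder that failed to match is printed.
        raise ValueError("parse error, string %s" % rest)
    typ, track, count, seconds = m.groups()
    return {"gid": int(gid), "sid": int(sid), "type": typ, "track": track,
            "count": int(count), "seconds": int(seconds)}


def parse_config(lines, rest_re):
    """Parse every non-empty, non-comment line; return (parsed, errors)."""
    parsed, errors = [], []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            parsed.append(parse_threshold(line, rest_re))
        except ValueError as exc:
            errors.append(str(exc))
    return parsed, errors


# Constructed threshold.config contents; the first line is the one from the report.
SAMPLE_CONFIG = """
# constructed sample, not a real deployment file
threshold gen_id 1, sig_id 1000001, type limit, track by_rule, count 10, seconds 60
threshold gen_id 1, sig_id 1000002, type both, track by_both, count 5, seconds 30
threshold gen_id 1, sig_id 1000003, type threshold, track by_src, count 3, seconds 10
""".splitlines()

if __name__ == "__main__":
    for name, regex in (("narrow", NARROW_REST_RE), ("wide", WIDE_REST_RE)):
        ok, errs = parse_config(SAMPLE_CONFIG, regex)
        print("%s regex: %d parsed, %d error(s)" % (name, len(ok), len(errs)))
        for err in errs:
            print("  " + err)
```

With the narrow pattern only the by_src line parses and the by_rule and by_both lines are reported as parse errors carrying their remainder; with the pattern built from the documented alternation all three lines parse. Deriving the alternation from the documented grammar rather than hand-typing it is the check that catches this class of bug: a keyword the documentation lists but the regex cannot match.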