[Oisf-users] Threshold.conf not working

Anoop Saldanha anoopsaldanha at gmail.com
Fri Jan 18 15:19:57 UTC 2013


Open the rule file containing sig 2404037 and remove the threshold
keyword from the rule.  You'd see the suppression working post that.
The reason the suppression from the conf file didn't work for you is
because you had a threshold keyword in your rule which would override
the conf file entry for the same sig.

From what Victor just told me, the behaviour's been changed from our 1.4 release.

On Fri, Jan 18, 2013 at 8:37 AM, Josh Brower <joshbrower at gmail.com> wrote:
> I apologize, but I am not sure what you mean, when you say "Can you remove
> the threshold filter from the rule and check if the suppression works?"
>
> Thanks
>
> -Josh
>
>
> On Tue, Jan 8, 2013 at 1:36 PM, Anoop Saldanha <anoopsaldanha at gmail.com>
> wrote:
>>
>> IIRC, if we have a event filter set *in* the rule, it would override
>> the event filter set inside the conf file.
>>
>> From what you're describing, the behaviour hasn't been changed,
>> although it was on our cards.  Thought it had been changed.
>>
>> Can you remove the threshold filter from the rule and check if the
>> suppression works?
>>
>>
>> On Mon, Jan 7, 2013 at 7:35 PM, Josh Brower <Josh at defensivedepth.com>
>> wrote:
>> > My SOSERVER was doing a (legit) NTP lookup via that IP....
>> >
>> > Is it possible that this bug is the cause of the issue?
>> > https://redmine.openinfosecfoundation.org/issues/613
>> >
>> > -Josh
>> >
>> >
>> > On Mon, Jan 7, 2013 at 8:52 AM, Matt Jonkman <jonkman at jonkmans.com>
>> > wrote:
>> >>
>> >> I don't have any ideas on why the suppress isn't working, hopefully
>> >> someone else may have an idea there.
>> >>
>> >> I'm chasing down that false positive though. Looks like that IP is an
>> >> irc server as well which is probably where it got listed in the
>> >> shadowserver feed. Will ping them to see if they're ok removing it.
>> >>
>> >> Matt
>> >>
>> >>
>> >> On Sun, Jan 6, 2013 at 3:05 PM, Josh Brower <joshbrower at gmail.com>
>> >> wrote:
>> >>>
>> >>> I am using Suricata with the latest version of Security Onion (12.04),
>> >>> which uses Suricata 1.3.3.  I have threshold.conf with 18 entries.  I
>> >>> have verified that Suricata loaded those 18 rules on startup ("Threshold
>> >>> config parsed: 18 rule(s) found")
>> >>>
>> >>> But I still get alerts firing for these entries... For example, in my
>> >>> threshold.conf:
>> >>>
>> >>> #Suppress - ET CNC Shadowserver Reported CnC Server IP (group 38)  for
>> >>> SOSERVER- False Positive - 12/12
>> >>>
>> >>>  suppress gen_id 1, sig_id 2404037, track by_dst, ip 72.8.140.222
>> >>>
>> >>> I restart Suricata, and I still get this alert firing for the dst IP
>> >>> of 72.8.140.222.
>> >>>
>> >>> What should I tshoot next?
>> >>>


-- 
Anoop Saldanha
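A quick check for the situation this thread ends on (a sig_id suppressed in threshold.conf while the rule itself carries a threshold keyword, which on 1.3.x overrides the conf entry), as an added example that is neither part of the mailing-list exchange nor Suricata's own code. The threshold.conf and rule contents are constructed for the demonstration (the real ET rule body may differ), and the check is a line-oriented regex scan, not a full rule parser.

```python
import re

# Constructed sample inputs (not the thread's actual files): a threshold.conf
# with suppress entries and a rules file where sid 2404037 carries its own
# threshold keyword, as the thread describes. Line 3 names a sid no rule has.
THRESHOLD_CONF = """\
#Suppress - ET CNC Shadowserver Reported CnC Server IP (group 38) for SOSERVER
suppress gen_id 1, sig_id 2404037, track by_dst, ip 72.8.140.222
suppress gen_id 1, sig_id 2010937, track by_src, ip 10.0.0.5
suppress gen_id 1, sig_id 9999999, track by_src, ip 10.0.0.6
"""

RULES = """\
alert ip $HOME_NET any -> 72.8.140.222 any (msg:"ET CNC Shadowserver Reported CnC Server IP (group 38)"; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2404037; rev:1;)
alert tcp any any -> $HOME_NET 22 (msg:"constructed rule with no threshold keyword"; sid:2010937; rev:1;)
"""

SUPPRESS_RE = re.compile(r"^\s*suppress\s+gen_id\s+(\d+)\s*,\s*sig_id\s+(\d+)", re.I)
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
THRESHOLD_KW_RE = re.compile(r"\bthreshold\s*:")


def suppressed_sids(conf_text):
    """sig_ids named by 'suppress' lines in a threshold.conf (comment lines skipped)."""
    return {int(m.group(2)) for line in conf_text.splitlines()
            if (m := SUPPRESS_RE.match(line))}


def rules_with_threshold(rules_text):
    """Map sid -> True when the rule body carries its own threshold keyword."""
    result = {}
    for line in rules_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = SID_RE.search(line)
        if m:
            result[int(m.group(1))] = bool(THRESHOLD_KW_RE.search(line))
    return result


def check_suppressions(conf_text, rules_text):
    """Report sids whose conf suppression is overridden by an in-rule threshold,
    and sids suppressed in the conf that no loaded rule defines (likely typos)."""
    rules = rules_with_threshold(rules_text)
    suppressed = suppressed_sids(conf_text)
    overridden = sorted(sid for sid in suppressed if rules.get(sid))
    unknown = sorted(sid for sid in suppressed if sid not in rules)
    return {"overridden": overridden, "unknown_sid": unknown}


if __name__ == "__main__":
    for kind, sids in check_suppressions(THRESHOLD_CONF, RULES).items():
        print(kind, sids)
```

Point the two constants at the real threshold.conf and the concatenated rule files Suricata loads; any sid listed under "overridden" needs the threshold keyword removed from the rule (or the filter moved into threshold.conf) before the suppress entry takes effect.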


