Suricata and threshold.conf


Ian Bowers

Apr 17, 2012, 11:56:03 AM4/17/12
to securit...@googlegroups.com
I'm using suricata as my engine right now since snort was dropping packets at high bandwidths.  Works like a charm with one exception.  I can't seem to get threshold.conf to work.  I can disable rules with disablesid.conf just fine, but sometimes I want more granular control.  Like I tend to idle in IRC chatrooms on one of my servers, but I'd rather not disable IRC related rules that fire since I'd certainly want to know if any other hosts were chatting with C&C buddies.

I've confirmed threshold.conf is defined in suricata's config file, which I believe is by default:

threshold-file: /etc/nsm/linolea-ips1-eth1/threshold.conf

I've verified it's in the right place:

# ls -al /etc/nsm/linolea-ips1-eth1/threshold.conf
-rw-r--r-- 1 root root 2925 2012-04-17 12:41 /etc/nsm/linolea-ips1-eth1/threshold.conf

And in my Google due diligence I found that, unless I misread, suricata should take the same threshold.conf that snort does, with the same syntax.  An example line that's not working:

suppress gen_id 1, sig_id 2013031, track by_src, ip 192.168.2.216/32

I tried it both as the IP address on its own, and with the /32 in case it did an object validation and was expecting CIDR notation.  Neither variation worked.  For reference it seems to work fine with snort as the engine.  Security Onion works like a dream other than this, hoping to get it nailed down since host based tuning is a big deal to me.

Regards,
-Ian

Victor Julien

Apr 17, 2012, 12:04:16 PM4/17/12
to securit...@googlegroups.com

The format is indeed the same so this should work. Can you look at the
start up log (where ever that is on SO) to see if the threshold rule is
properly loaded?

--
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------

Ian Bowers

Apr 17, 2012, 12:20:01 PM4/17/12
to securit...@googlegroups.com
[0][root@linolea-ips1:/etc/nsm/linolea-ips1-eth1]# grep -i threshold /var/log/nsm/linolea-ips1-eth1/suricata.log
-- signature parsing errors omitted --
17/4/2012 -- 16:16:56 - <Info> - Threshold config parsed: 6 rule(s) found

I uncommented any rules I'd temporarily disabled in disablesid.conf to run suricata side by side with snort on the same segment and verify I'm not seeing things.

-Ian 
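The two checks the thread walks through, whether the threshold.conf lines are syntactically what Suricata expects and whether the "Threshold config parsed: N rule(s) found" startup message agrees with the file, can be scripted. The following is an added example, not code from the thread or from the Suricata or Security Onion projects. It assumes the syntax shown in the thread (keyword followed by comma-separated "key value" pairs, `#` comments) and assumes that Suricata's reported count corresponds to the number of non-comment entries in the file; the sample config and log excerpt are constructed for the example, reusing the suppress line Ian quoted.

```python
import ipaddress
import re
from typing import Dict, List, Optional

# Constructed sample threshold.conf: the suppress line from the thread plus a
# comment, a blank line, a threshold entry and a second suppress in the same syntax.
SAMPLE_THRESHOLD_CONF = """\
# Quiet the IRC rule for the host that idles in chatrooms
suppress gen_id 1, sig_id 2013031, track by_src, ip 192.168.2.216/32

# Limit a noisy signature to one alert per source per minute
threshold gen_id 1, sig_id 2001219, type limit, track by_src, count 1, seconds 60
suppress gen_id 1, sig_id 2013031, track by_src, ip 10.0.0.5
"""

# Constructed excerpt of a Suricata startup log in the format shown in the thread.
SAMPLE_STARTUP_LOG = """\
17/4/2012 -- 16:16:56 - <Info> - 1 rule files processed. 15344 rules succesfully loaded, 0 rules failed
17/4/2012 -- 16:16:56 - <Info> - Threshold config parsed: 3 rule(s) found
"""

# Keywords Suricata accepts in threshold.conf / threshold.config.
VALID_KEYWORDS = {"suppress", "threshold", "event_filter", "rate_filter"}

LOG_PATTERN = re.compile(r"Threshold config parsed: (\d+) rule\(s\) found")


def parse_threshold_conf(text: str) -> List[Dict[str, str]]:
    """Parse threshold.conf into one dict per entry, raising on malformed lines."""
    entries: List[Dict[str, str]] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments and whitespace
        if not line:
            continue
        keyword, _, rest = line.partition(" ")
        if keyword not in VALID_KEYWORDS:
            raise ValueError(f"line {lineno}: unknown keyword {keyword!r}")
        entry = {"keyword": keyword}
        for field in rest.split(","):
            parts = field.split()
            if len(parts) != 2:
                raise ValueError(f"line {lineno}: malformed field {field.strip()!r}")
            entry[parts[0]] = parts[1]
        if keyword == "suppress" and "ip" in entry:
            # A bare address and a /32 are equivalent; normalise both to a network
            # (raises ValueError if the address itself is not valid).
            entry["ip"] = str(ipaddress.ip_network(entry["ip"], strict=False))
        entries.append(entry)
    return entries


def rules_reported_by_log(log_text: str) -> Optional[int]:
    """Return the count from Suricata's 'Threshold config parsed' line, if present."""
    m = LOG_PATTERN.search(log_text)
    return int(m.group(1)) if m else None


def check_threshold_loaded(conf_text: str, log_text: str) -> Dict[str, object]:
    """Compare the number of entries in the file with what the startup log reports.
    A missing log line means the threshold-file setting was probably not picked up."""
    configured = len(parse_threshold_conf(conf_text))
    reported = rules_reported_by_log(log_text)
    return {"configured": configured, "reported": reported,
            "match": reported == configured}


def suppressions_covering(entries: List[Dict[str, str]], sig_id: int,
                          src_ip: str, dst_ip: str) -> List[Dict[str, str]]:
    """Return the suppress entries that would silence an alert for sig_id between
    src_ip and dst_ip; an empty list explains why the alert is still firing."""
    hits = []
    for e in entries:
        if e["keyword"] != "suppress" or int(e.get("sig_id", -1)) != sig_id:
            continue
        track = e.get("track")
        if track is None:                      # no track: suppress for all traffic
            hits.append(e)
            continue
        candidate = src_ip if track == "by_src" else dst_ip
        if ipaddress.ip_address(candidate) in ipaddress.ip_network(e["ip"]):
            hits.append(e)
    return hits


if __name__ == "__main__":
    print(check_threshold_loaded(SAMPLE_THRESHOLD_CONF, SAMPLE_STARTUP_LOG))
    parsed = parse_threshold_conf(SAMPLE_THRESHOLD_CONF)
    print(suppressions_covering(parsed, 2013031, "192.168.2.216", "203.0.113.9"))
```

Run it against the real file and `grep -i threshold` output from suricata.log to see whether the file is being parsed at all and whether a given host/signature pair is actually covered by a suppress entry; a mismatch between the configured and reported counts, or a missing log line, points at the threshold-file setting or a parse error rather than at the suppress syntax.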

Doug Burks

Apr 18, 2012, 6:55:46 AM4/18/12
to securit...@googlegroups.com
Hi Ian,

That's really strange. Suricata thresholding seems to work just fine
for me. Can you confirm that you're running the latest version of
Security Onion? And that you're running Suricata 1.2.1?

Thanks,
Doug

--
Doug Burks | http://securityonion.blogspot.com
Don't miss SANS SEC503 Intrusion Detection In-Depth in
Augusta GA 6/11 - 6/16 | 10% discount for ISSA Members!
http://augusta.issa.org/drupal/SANS-Augusta-2012

Ian Bowers

Apr 18, 2012, 8:30:09 AM4/18/12
to securit...@googlegroups.com
I actually think it may be a layer 8 issue.  Thresholding seems to work just fine today, and when I ask the question "what changed?", I can't think of anything.  Thanks for jumping in and offering a hand though, guys.  It's nice knowing support will be there if I have an actual problem at some point.

-Ian