Suricata Suppress Rules Not Working

Rules
,
1

I’m having issues passing the Suricata -T configuration test using this entry in the /etc/suricata/threshold.config file:
suppress gen_id 1, sig_id 2013028, track by_dst, ip 169.254.169.254
Specifically, I’m getting the error:
<Error> -- pcre2_match parse error, ret -1, string , track by_dst, ip '169.254.169.254'
I’m using Suricata version 7.0.5.

Any help would be greatly appreciated.

2

Unfortunately I can’t reproduce this:

❯ cat threshold.config                                            
suppress gen_id 1, sig_id 2013028, track by_dst, ip 169.254.169.254

❯ ./src/suricata -v -c suricata.yaml -T -l . -S emerging-all.rules
Notice: suricata: This is Suricata version 7.0.5 RELEASE running in SYSTEM mode
Info: cpu: CPUs/cores online: 16
Info: suricata: Running suricata under test mode
Info: suricata: Setting engine mode to IDS mode by default
Info: exception-policy: master exception-policy set to: auto
Info: suricata: Preparing unexpected signal handling
Info: logopenfile: fast output device (regular) initialized: fast.log
Info: logopenfile: eve-log output device (regular) initialized: eve.json
Info: logopenfile: stats output device (regular) initialized: stats.log
Info: classification-config: Added "43" classification types from the classification file
Info: reference-config: Added "19" reference types from the reference.config file
Info: detect: 1 rule files processed. 35714 rules successfully loaded, 0 rules failed, 0
Info: threshold-config: Threshold config parsed: 1 rule(s) found
Info: detect: 35717 signatures processed. 0 are IP-only rules, 4862 are inspecting packet payload, 30824 inspect application layer, 0 are decoder event only
Notice: suricata: Configuration provided was successfully loaded. Exiting.

Can you share your full suricata.yaml and threshold.config?

3

Maybe it’s the quotes around '169.254.169.254'

4

Hmmm. There are no quotes in the original config line

suppress gen_id 1, sig_id 2013028, track by_dst, ip 169.254.169.254

and I copied that one literally into my threshold.config.
I think the quotes are added in the error message.

5

Whoops, ya, I see it now.