Threshold rule without tracking by source or destination

Hello,

Is it possible to threshold a specific rule without specifying the track_by src | dst field?

Thanks.

Yes, use “track by_rule”

https://suricata.readthedocs.io/en/suricata-6.0.0/rules/thresholding.html

But I can't use that syntax in the global threshold.config file, right?

The docs say you actually can, however the syntax in threshold.conf might be slightly different

Take a look here: 10.2. Global-Thresholds — Suricata 6.0.0 documentation

I am getting this error:

21/11/2022 -- 11:33:57 - <Error> - [ERRCODE: SC_ERR_PCRE_MATCH(2)] - pcre_exec parse error, ret -1, string , type limit, track by_rule, count 5, seconds 300

Rule is looking like this:

threshold gen_id 1, sig_id 2010935, type limit, track by_rule, count 5, seconds 300
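A small linter for the `threshold` line form discussed in this thread, added here as an example (it is not part of the original posts nor Suricata's own code). It assumes the documented global-threshold grammar from the linked docs, `threshold gen_id <n>, sig_id <n>, type <threshold|limit|both>, track <by_src|by_dst|by_rule|by_both>, count <n>, seconds <n>`, and only handles `threshold` lines (not `suppress`, `event_filter` or `rate_filter`); the sample config is constructed and includes the `track by_rule` line from the post above plus a deliberately malformed `track src` line so that the check is exercised.

```python
import re
from dataclasses import dataclass

# Values documented for the global threshold.config "threshold" keyword (assumption:
# taken from the Suricata 6.0 global-thresholds docs linked in the thread).
TRACK_VALUES = {"by_src", "by_dst", "by_rule", "by_both"}
TYPE_VALUES = {"threshold", "limit", "both"}

THRESHOLD_RE = re.compile(
    r"^threshold\s+gen_id\s+(?P<gen_id>\d+)\s*,\s*"
    r"sig_id\s+(?P<sig_id>\d+)\s*,\s*"
    r"type\s+(?P<type>\w+)\s*,\s*"
    r"track\s+(?P<track>\w+)\s*,\s*"
    r"count\s+(?P<count>\d+)\s*,\s*"
    r"seconds\s+(?P<seconds>\d+)\s*$"
)


@dataclass
class Threshold:
    gen_id: int
    sig_id: int
    type: str
    track: str
    count: int
    seconds: int


def parse_threshold_line(line):
    """Parse one threshold.config line.

    Returns None for blank/comment lines, a Threshold for a valid line,
    and raises ValueError for anything that does not fit the grammar.
    """
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    m = THRESHOLD_RE.match(line)
    if not m:
        raise ValueError(f"does not match 'threshold' grammar: {line!r}")
    t = Threshold(
        gen_id=int(m["gen_id"]),
        sig_id=int(m["sig_id"]),
        type=m["type"],
        track=m["track"],
        count=int(m["count"]),
        seconds=int(m["seconds"]),
    )
    if t.type not in TYPE_VALUES:
        raise ValueError(f"unknown type {t.type!r}; expected one of {sorted(TYPE_VALUES)}")
    if t.track not in TRACK_VALUES:
        # e.g. "track src" or "track by rule": the value must be one of the by_* keywords
        raise ValueError(f"unknown track {t.track!r}; expected one of {sorted(TRACK_VALUES)}")
    if t.count < 1 or t.seconds < 1:
        raise ValueError("count and seconds must be positive")
    return t


def lint_config(text):
    """Check every line of a threshold.config body.

    Returns (parsed, errors): the valid Threshold entries in file order and a
    list of (line_number, message) for lines that were rejected.
    """
    parsed, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        try:
            t = parse_threshold_line(raw)
        except ValueError as exc:
            errors.append((lineno, str(exc)))
        else:
            if t is not None:
                parsed.append(t)
    return parsed, errors


# Constructed sample: the line from the post above, a by_src line, and a bad track value.
SAMPLE_CONFIG = """# constructed sample threshold.config
threshold gen_id 1, sig_id 2010935, type limit, track by_rule, count 5, seconds 300
threshold gen_id 1, sig_id 2003614, type threshold, track by_src, count 100, seconds 60
threshold gen_id 1, sig_id 2010935, type limit, track src, count 5, seconds 300
"""

if __name__ == "__main__":
    ok, bad = lint_config(SAMPLE_CONFIG)
    for t in ok:
        print("ok  ", t)
    for lineno, msg in bad:
        print(f"line {lineno}: {msg}")
```

Running the block prints the two well-formed entries and flags line 4 of the sample; a line that passes this check and is still rejected by Suricata points at the engine rather than the config, which is the distinction the rest of the thread turns on.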

Seems to be a bug in the latest version. In the beta version seems to be resolved. Is it possible to resolve in the stable version?

If by beta version you mean version 7, this will be promoted to stable probably in the coming months

What version are you running exactly? Can you output suricata --build-info?
If it’s a real bug in 6.0.8 it’s still the stable and supported branch and chances are high that it would be fixed there as well. But first it needs to be verified.

Now I am running the 7.0.0-beta. Installed 5 minutes ago and the issue seems to be gone, without changing anything in the rule. Error is gone.

I was using the 6.0.8 version

Please post the config file and how you run it with 6.0.8 so we can verify that it’s an actual bug in 6.0.8

The suricata.yaml? Can I send it to you via private message?

You can remove sensitive parts and post it here, so others can try to help as well.

suricata.yaml (74.3 KB)

Here it is