Threshold "track by_rule"

Hi,

I am trying to threshold a rule that is triggering a lot of alerts. I tried the following:

threshold gen_id 1, sig_id 2010935, type threshold, track by_rule, count 5, seconds 60

Although, this is not working as the error suggests:


22/6/2022 -- 11:09:47 - <Error> - [ERRCODE: SC_ERR_PCRE_MATCH(2)] - pcre_exec parse error, ret -1, string , type threshold, track by_rule, count 5, seconds 60

Documentation does not explain in detail the definition of “track by_rule”. Can someone explain to me why this is not working?

Thank you!

This rule looks like it’s from ET Pro. If so, then the rule contains “rule threshold” limits.

There are two basic types of thresholds – “global” – these are specified in the threshold.config file used by Suricata. The other type is by rule keywords – these are specified in the definition of the rule (and is contained in the rule using the signature id you posted).

Global thresholds do not permit specification of by rule

This is from the default threshold.config:

# The syntax is the following:
#
# threshold gen_id <gen_id>, sig_id <sig_id>, type <limit|threshold|both>, track <by_src|by_dst>, count <n>, seconds <t>

Here’s an example using by_rule in threshold.config:

rate_filter gen_id 1, sig_id 1000, track by_rule, count 100, seconds 60,  new_action alert, timeout 30

Thank you for your reply. I will try to expose my questions into topics:

1 - This is a rule from ET OPEN ruleset that has rule keywords. I suppose that creating a global-threshold will overwrite the rule keywords?

2 - Can't threshold using “track by_destination” or “track by_src” because the alert is always triggered from different sources. Is there any solution to this instead of suppressing? Event_filter did not work…

3 - My rules are being updated through “suricata-update” every day. So, changing the rule keywords will not work because the update will override the changes. Any possible solution?

https://suricata.readthedocs.io/en/latest/configuration/global-thresholds.html

Where to track the rule matches. When using by_src/by_dst the tracking is done per IP-address. The Host table is used for storage. When using by_rule it’s done globally for the rule. Option by_both used to track per IP pair of source and destination. Packets going to opposite directions between same addresses tracked as the same pair.

When applied to a specific signature, thresholds and event_filters (threshold from now on) will override the signature setting. This can be useful for when the default in a signature doesn’t suit your environment.

These sections from the docs and the following example seems to indicate that threshold should work with by_rule even if the rule has a threshold already.

threshold gen_id <gid>, sig_id <sid>, type <threshold|limit|both>, \
  track <by_src|by_dst|by_rule|by_both>, count <N>, seconds <T>

@noob_17 this looks like it's related to threshold: fix regex to accept by_both and by_rule by catenacyber · Pull Request #7380 · OISF/suricata · GitHub and redmine issue Bug #5327: track by_rule|by_both incorrectly rejected for global thresholds - Suricata - Open Information Security Foundation

Without this PR, you cannot use track by_rule in a rule, but you can use it in threshold.config
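To make the regex point concrete, here is an added example (not Suricata's own parser and not code from any poster) that models how a global threshold.config line is matched before and after the track alternatives were widened; the two patterns are an assumption built from the documented syntax quoted in this thread, and the line under test is a copy of the one from the original post.

```python
import re
from typing import Optional

# Illustrative track alternatives. These are an assumption modelled on the
# syntax comment in threshold.config and the docs quoted above; they are NOT
# Suricata's actual regexes, only a way to show why the OP's line is rejected.
TRACK_BEFORE_FIX = r"by_src|by_dst"                 # old comment: track <by_src|by_dst>
TRACK_AFTER_FIX = r"by_src|by_dst|by_rule|by_both"  # docs: <by_src|by_dst|by_rule|by_both>


def threshold_pattern(track_alternatives: str) -> "re.Pattern[str]":
    """Regex for: threshold gen_id <gid>, sig_id <sid>, type <t>, track <x>, count <n>, seconds <s>."""
    return re.compile(
        r"^\s*threshold\s+gen_id\s+(?P<gid>\d+)\s*,"
        r"\s*sig_id\s+(?P<sid>\d+)\s*,"
        r"\s*type\s+(?P<type>limit|threshold|both)\s*,"
        r"\s*track\s+(?P<track>" + track_alternatives + r")\s*,"
        r"\s*count\s+(?P<count>\d+)\s*,"
        r"\s*seconds\s+(?P<seconds>\d+)\s*$"
    )


def parse_threshold_line(line: str, fixed: bool = True) -> Optional[dict]:
    """Return the parsed fields, or None when the line does not match (the 'pcre parse error' case)."""
    pattern = threshold_pattern(TRACK_AFTER_FIX if fixed else TRACK_BEFORE_FIX)
    match = pattern.match(line)
    if match is None:
        return None
    fields = match.groupdict()
    for key in ("gid", "sid", "count", "seconds"):
        fields[key] = int(fields[key])
    return fields


def check_config(lines, fixed: bool = True):
    """Split config lines into parsed entries and rejected raw lines; comments and blanks are skipped."""
    parsed, rejected = [], []
    for raw in lines:
        text = raw.strip()
        if not text or text.startswith("#"):
            continue
        entry = parse_threshold_line(text, fixed)
        (parsed if entry else rejected).append(entry if entry else text)
    return parsed, rejected


# Constructed copy of the line from the original post.
OP_LINE = "threshold gen_id 1, sig_id 2010935, type threshold, track by_rule, count 5, seconds 60"

if __name__ == "__main__":
    for fixed in (False, True):
        print("after fix:" if fixed else "before fix:", parse_threshold_line(OP_LINE, fixed))
```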