Bug 12096

Summary: threshold.config is ignored
Product: IPFire
Reporter: Horace Michael (aka H&M) <horace.michael>
Component: ---
Assignee: Stefan Schantl <stefan.schantl>
Status: CLOSED FIXED
QA Contact:
Severity: Minor Usability
Priority: - Unknown -
CC: arne.fitzenreiter, horace.michael, jneb1980, michael.tremer, peter.mueller
Version: 2
Hardware: unspecified
OS: Unspecified
Bug Depends on:
Bug Blocks: 12052

Description Horace Michael (aka H&M) 2019-06-14 09:22:17 UTC
Hello,

After carefully monitoring /var/log/suricata/fast.log I ended up with the conclusion that whatever suppress rules are added in /var/lib/suricata/threshold.config, these are ignored.

I did check oinkmaster.conf and the line for skipping threshold.conf is commented out:

# skipfile threshold.conf

Ex: I use a Cisco Meraki AP that constantly checks the Meraki cloud.

Here is one suppress rule for traffic done by Meraki equipment:

# Meraki uses curl User-Agent Outbound - 209.206.58.5 seen in fast.log and SID [1:2013028:4]
suppress gen_id 1, sig_id 2013028, track by_dst, ip 209.206.48.0/20


After more than a week with the above suppress rule, fast.log still shows Suricata blocking access to the Meraki cloud for the suppressed SID.
Examples for one entire day:

grep curl /var/log/suricata/fast.log
06/09/2019-00:07:20.470139  [Drop] [**] [1:2013028:4] ET POLICY curl User-Agent Outbound [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} ppp0_ip:41196 -> 209.206.58.5:80
06/09/2019-01:17:20.448397  [Drop] [**] [1:2013028:4] ET POLICY curl User-Agent Outbound [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} ppp0_ip:41226 -> 209.206.58.5:80
06/09/2019-02:24:06.120829  [Drop] [**] [1:2013028:4] ET POLICY curl User-Agent Outbound [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} ppp0_ip:41260 -> 209.206.58.5:80
06/09/2019-03:32:27.630445  [Drop] [**] [1:2013028:4] ET POLICY curl User-Agent Outbound [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} ppp0_ip:41306 -> 209.206.58.5:80
06/09/2019-04:37:39.230386  [Drop] [**] [1:2013028:4] ET POLICY curl User-Agent Outbound [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} ppp0_ip:41334 -> 209.206.58.5:80
06/09/2019-05:43:27.637144  [Drop] [**] [1:2013028:4] ET POLICY curl User-Agent Outbound [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} ppp0_ip:41362 -> 209.206.58.5:80
06/09/2019-06:47:15.419571  [Drop] [**] [1:2013028:4] ET POLICY curl User-Agent Outbound [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} ppp0_ip:41390 -> 209.206.58.5:80
06/09/2019-07:54:46.299543  [Drop] [**] [1:2013028:4] ET POLICY curl User-Agent Outbound [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} ppp0_ip:41418 -> 209.206.58.5:80
06/09/2019-08:58:34.541111  [Drop] [**] [1:2013028:4] ET POLICY curl User-Agent Outbound [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} ppp0_ip:41446 -> 209.206.58.5:80
06/09/2019-10:03:21.573281  [Drop] [**] [1:2013028:4] ET POLICY curl User-Agent Outbound [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} ppp0_ip:41474 -> 209.206.58.5:80
06/09/2019-11:09:41.265727  [Drop] [**] [1:2013028:4] ET POLICY curl User-Agent Outbound [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} ppp0_ip:41510 -> 209.206.58.5:80
06/09/2019-12:18:14.059065  [Drop] [**] [1:2013028:4] ET POLICY curl User-Agent Outbound [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} ppp0_ip:41542 -> 209.206.58.5:80
06/09/2019-13:26:28.229837  [Drop] [**] [1:2013028:4] ET POLICY curl User-Agent Outbound [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} ppp0_ip:41748 -> 209.206.58.5:80
06/09/2019-14:36:08.741069  [Drop] [**] [1:2013028:4] ET POLICY curl User-Agent Outbound [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} ppp0_ip:41948 -> 209.206.58.5:80
06/09/2019-15:45:06.339883  [Drop] [**] [1:2013028:4] ET POLICY curl User-Agent Outbound [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} ppp0_ip:42050 -> 209.206.58.5:80
06/09/2019-16:48:11.990484  [Drop] [**] [1:2013028:4] ET POLICY curl User-Agent Outbound [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} ppp0_ip:42150 -> 209.206.58.5:80
06/09/2019-17:57:49.116869  [Drop] [**] [1:2013028:4] ET POLICY curl User-Agent Outbound [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} ppp0_ip:42206 -> 209.206.58.5:80
06/09/2019-19:02:34.997594  [Drop] [**] [1:2013028:4] ET POLICY curl User-Agent Outbound [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} ppp0_ip:42290 -> 209.206.58.5:80
06/09/2019-20:08:35.783349  [Drop] [**] [1:2013028:4] ET POLICY curl User-Agent Outbound [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} ppp0_ip:42344 -> 209.206.58.5:80
06/09/2019-21:19:14.855000  [Drop] [**] [1:2013028:4] ET POLICY curl User-Agent Outbound [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} ppp0_ip:42396 -> 209.206.58.5:80
06/09/2019-22:22:15.954240  [Drop] [**] [1:2013028:4] ET POLICY curl User-Agent Outbound [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} ppp0_ip:42572 -> 209.206.58.5:80
06/09/2019-23:24:21.124110  [Drop] [**] [1:2013028:4] ET POLICY curl User-Agent Outbound [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} ppp0_ip:42614 -> 209.206.58.5:80
06/10/2019-00:34:20.547832  [Drop] [**] [1:2013028:4] ET POLICY curl User-Agent Outbound [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} ppp0_ip:42644 -> 209.206.58.5:80

Thank you,
Horace
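The report's evidence is an eyeball comparison of a suppress line against a day of fast.log output. The following script is an added example (not from the report, IPFire or Suricata) that automates that check: it parses fast.log alert lines and the `suppress gen_id ..., sig_id ..., track ..., ip ...` form used above, and lists alerts that a rule should have suppressed but that still reached the log. Any hit is direct evidence that the threshold file is not being loaded. The sample log lines and threshold file are constructed for the example (the `ppp0_ip` source token and placeholder SID 9999999 are not real addresses or rule ids); the parser only handles a single address or CIDR after `ip`, not Suricata's bracketed list syntax or `threshold`/`rate_filter` entries.

```python
"""Audit Suricata fast.log against threshold.config suppress rules (added example)."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the shape of the fast.log lines quoted in the report.
# Line 1 mirrors the report (ppp0_ip is the reporter's placeholder for the WAN
# address); line 2 goes to a destination outside the suppressed /20; line 3 is
# a placeholder SID the suppress rule does not cover at all.
SAMPLE_FAST_LOG = """\
06/09/2019-00:07:20.470139  [Drop] [**] [1:2013028:4] ET POLICY curl User-Agent Outbound [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} ppp0_ip:41196 -> 209.206.58.5:80
06/09/2019-01:17:20.448397  [Drop] [**] [1:2013028:4] ET POLICY curl User-Agent Outbound [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} ppp0_ip:41226 -> 198.51.100.7:80
06/09/2019-02:00:00.000000  [Drop] [**] [1:9999999:1] CONSTRUCTED placeholder alert [**] [Classification: Misc activity] [Priority: 3] {TCP} ppp0_ip:41300 -> 209.206.58.5:443
"""

# Constructed threshold.config with the report's suppress rule.
SAMPLE_THRESHOLD = """\
# Meraki uses curl User-Agent Outbound, seen in fast.log with SID [1:2013028:4]
suppress gen_id 1, sig_id 2013028, track by_dst, ip 209.206.48.0/20
"""


@dataclass
class Alert:
    gid: int
    sid: int
    rev: int
    msg: str
    src: str  # may be a non-address token such as "ppp0_ip"
    dst: str
    raw: str


@dataclass
class Suppress:
    gid: int
    sid: int
    track: Optional[str]  # by_src / by_dst / by_either, or None = suppress everywhere
    net: Optional[ipaddress._BaseNetwork]


# fast.log: "<ts>  [<action>] [**] [gid:sid:rev] <msg> [**] [...] {proto} src:port -> dst:port"
# The [<action>] field is only present when Suricata runs in IPS mode.
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?:\[(?P<action>[^\]]+)\]\s+)?\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$"
)
SUPPRESS_RE = re.compile(
    r"^suppress\s+gen_id\s+(?P<gid>\d+)\s*,\s*sig_id\s+(?P<sid>\d+)"
    r"(?:\s*,\s*track\s+(?P<track>by_src|by_dst|by_either)\s*,\s*ip\s+(?P<ip>\S+))?\s*$"
)


def _strip_port(endpoint: str) -> str:
    # Split on the last colon so unbracketed IPv6 addresses survive as well.
    return endpoint.rsplit(":", 1)[0]


def parse_alert(line: str) -> Optional[Alert]:
    m = ALERT_RE.match(line)
    if not m:
        return None
    return Alert(int(m["gid"]), int(m["sid"]), int(m["rev"]), m["msg"],
                 _strip_port(m["src"]), _strip_port(m["dst"]), line)


def parse_threshold(text: str) -> List[Suppress]:
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = SUPPRESS_RE.match(line)
        if not m:  # threshold/rate_filter lines and list syntax are out of scope
            continue
        net = ipaddress.ip_network(m["ip"], strict=False) if m["ip"] else None
        rules.append(Suppress(int(m["gid"]), int(m["sid"]), m["track"], net))
    return rules


def _in_net(addr: str, net: ipaddress._BaseNetwork) -> bool:
    try:
        return ipaddress.ip_address(addr) in net
    except ValueError:  # placeholder tokens like "ppp0_ip" can never match an ip rule
        return False


def is_suppressed(alert: Alert, rule: Suppress) -> bool:
    """True if the given suppress rule would have silenced this alert."""
    if (alert.gid, alert.sid) != (rule.gid, rule.sid):
        return False
    if rule.track is None:
        return True
    if rule.track == "by_src":
        return _in_net(alert.src, rule.net)
    if rule.track == "by_dst":
        return _in_net(alert.dst, rule.net)
    return _in_net(alert.src, rule.net) or _in_net(alert.dst, rule.net)  # by_either


def audit(fast_log: str, threshold_config: str) -> List[Alert]:
    """Return alerts a suppress rule covers but that still reached fast.log."""
    rules = parse_threshold(threshold_config)
    return [a for a in (parse_alert(l) for l in fast_log.splitlines())
            if a and any(is_suppressed(a, r) for r in rules)]


if __name__ == "__main__":
    for a in audit(SAMPLE_FAST_LOG, SAMPLE_THRESHOLD):
        print(f"still alerting despite a suppress rule: sid {a.sid} -> {a.dst}")
```

Run against the real files with `audit(open('/var/log/suricata/fast.log').read(), open('/var/lib/suricata/threshold.config').read())`; an empty result after a full log rotation is what a correctly loaded threshold file looks like, while repeated hits for the same SID and destination (as in the report) point at the file never reaching Suricata's config rather than at a wrong rule.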
Comment 1 Stefan Schantl 2020-01-30 12:58:57 UTC
Patch has been sent to the development mailing list:

https://patchwork.ipfire.org/patch/2732/
Comment 2 Peter Müller 2020-03-07 09:46:14 UTC
As far as I am concerned, this patch has never made it into ipfire-2.x.

Cc: Arne