From 19f0da8b3514f80a78c29b433f72871573d99ef2 Mon Sep 17 00:00:00 2001 
From: Victor Julien Date: Sat, 15 Oct 2022 11:50:06 +0200 Subject: [PATCH] tests: add suppress tests --- .../README.md | 5 +++++ .../input.pcap | Bin 0 -> 21263 bytes .../input.rules | 1 + .../suricata.yaml | 15 +++++++++++++ .../test.yaml | 21 ++++++++++++++++++ .../threshold.config | 1 + .../README.md | 5 +++++ .../input.pcap | Bin 0 -> 21263 bytes .../input.rules | 1 + .../suricata.yaml | 15 +++++++++++++ .../test.yaml | 21 ++++++++++++++++++ .../threshold.config | 1 + .../README.md | 5 +++++ .../input.pcap | Bin 0 -> 21263 bytes .../input.rules | 1 + .../suricata.yaml | 21 ++++++++++++++++++ .../test.yaml | 21 ++++++++++++++++++ .../threshold.config | 1 + .../README.md | 5 +++++ .../input.pcap | Bin 0 -> 21263 bytes .../input.rules | 1 + .../suricata.yaml | 15 +++++++++++++ .../test.yaml | 21 ++++++++++++++++++ .../threshold.config | 1 + .../README.md | 5 +++++ .../input.pcap | Bin 0 -> 21263 bytes .../input.rules | 1 + .../suricata.yaml | 15 +++++++++++++ .../test.yaml | 21 ++++++++++++++++++ .../threshold.config | 1 + .../README.md | 5 +++++ .../input.pcap | Bin 0 -> 21263 bytes .../input.rules | 1 + .../suricata.yaml | 21 ++++++++++++++++++ .../test.yaml | 21 ++++++++++++++++++ .../threshold.config | 1 + .../README.md | 5 +++++ .../input.pcap | Bin 0 -> 21263 bytes .../input.rules | 1 + .../suricata.yaml | 15 +++++++++++++ .../test.yaml | 21 ++++++++++++++++++ .../threshold.config | 1 + .../README.md | 5 +++++ .../input.pcap | Bin 0 -> 21263 bytes .../input.rules | 1 + .../suricata.yaml | 15 +++++++++++++ .../test.yaml | 21 ++++++++++++++++++ .../threshold.config | 1 + .../README.md | 5 +++++ .../input.pcap | Bin 0 -> 21263 bytes .../input.rules | 1 + .../suricata.yaml | 21 ++++++++++++++++++ .../test.yaml | 21 ++++++++++++++++++ .../threshold.config | 1 + 54 files changed, 405 insertions(+) create mode 100644 tests/threshold/threshold-config-suppress-bydst-ip/README.md create mode 100644 tests/threshold/threshold-config-suppress-bydst-ip/input.pcap create 
mode 100644 tests/threshold/threshold-config-suppress-bydst-ip/input.rules create mode 100644 tests/threshold/threshold-config-suppress-bydst-ip/suricata.yaml create mode 100644 tests/threshold/threshold-config-suppress-bydst-ip/test.yaml create mode 100644 tests/threshold/threshold-config-suppress-bydst-ip/threshold.config create mode 100644 tests/threshold/threshold-config-suppress-bydst-ipsubnet/README.md create mode 100644 tests/threshold/threshold-config-suppress-bydst-ipsubnet/input.pcap create mode 100644 tests/threshold/threshold-config-suppress-bydst-ipsubnet/input.rules create mode 100644 tests/threshold/threshold-config-suppress-bydst-ipsubnet/suricata.yaml create mode 100644 tests/threshold/threshold-config-suppress-bydst-ipsubnet/test.yaml create mode 100644 tests/threshold/threshold-config-suppress-bydst-ipsubnet/threshold.config create mode 100644 tests/threshold/threshold-config-suppress-bydst-ipvar/README.md create mode 100644 tests/threshold/threshold-config-suppress-bydst-ipvar/input.pcap create mode 100644 tests/threshold/threshold-config-suppress-bydst-ipvar/input.rules create mode 100644 tests/threshold/threshold-config-suppress-bydst-ipvar/suricata.yaml create mode 100644 tests/threshold/threshold-config-suppress-bydst-ipvar/test.yaml create mode 100644 tests/threshold/threshold-config-suppress-bydst-ipvar/threshold.config create mode 100644 tests/threshold/threshold-config-suppress-byeither-ip/README.md create mode 100644 tests/threshold/threshold-config-suppress-byeither-ip/input.pcap create mode 100644 tests/threshold/threshold-config-suppress-byeither-ip/input.rules create mode 100644 tests/threshold/threshold-config-suppress-byeither-ip/suricata.yaml create mode 100644 tests/threshold/threshold-config-suppress-byeither-ip/test.yaml create mode 100644 tests/threshold/threshold-config-suppress-byeither-ip/threshold.config create mode 100644 tests/threshold/threshold-config-suppress-byeither-ipsubnet/README.md create mode 100644 
tests/threshold/threshold-config-suppress-byeither-ipsubnet/input.pcap create mode 100644 tests/threshold/threshold-config-suppress-byeither-ipsubnet/input.rules create mode 100644 tests/threshold/threshold-config-suppress-byeither-ipsubnet/suricata.yaml create mode 100644 tests/threshold/threshold-config-suppress-byeither-ipsubnet/test.yaml create mode 100644 tests/threshold/threshold-config-suppress-byeither-ipsubnet/threshold.config create mode 100644 tests/threshold/threshold-config-suppress-byeither-ipvar/README.md create mode 100644 tests/threshold/threshold-config-suppress-byeither-ipvar/input.pcap create mode 100644 tests/threshold/threshold-config-suppress-byeither-ipvar/input.rules create mode 100644 tests/threshold/threshold-config-suppress-byeither-ipvar/suricata.yaml create mode 100644 tests/threshold/threshold-config-suppress-byeither-ipvar/test.yaml create mode 100644 tests/threshold/threshold-config-suppress-byeither-ipvar/threshold.config create mode 100644 tests/threshold/threshold-config-suppress-bysrc-ip/README.md create mode 100644 tests/threshold/threshold-config-suppress-bysrc-ip/input.pcap create mode 100644 tests/threshold/threshold-config-suppress-bysrc-ip/input.rules create mode 100644 tests/threshold/threshold-config-suppress-bysrc-ip/suricata.yaml create mode 100644 tests/threshold/threshold-config-suppress-bysrc-ip/test.yaml create mode 100644 tests/threshold/threshold-config-suppress-bysrc-ip/threshold.config create mode 100644 tests/threshold/threshold-config-suppress-bysrc-ipsubnet/README.md create mode 100644 tests/threshold/threshold-config-suppress-bysrc-ipsubnet/input.pcap create mode 100644 tests/threshold/threshold-config-suppress-bysrc-ipsubnet/input.rules create mode 100644 tests/threshold/threshold-config-suppress-bysrc-ipsubnet/suricata.yaml create mode 100644 tests/threshold/threshold-config-suppress-bysrc-ipsubnet/test.yaml create mode 100644 tests/threshold/threshold-config-suppress-bysrc-ipsubnet/threshold.config 
create mode 100644 tests/threshold/threshold-config-suppress-bysrc-ipvar/README.md
create mode 100644 tests/threshold/threshold-config-suppress-bysrc-ipvar/input.pcap
create mode 100644 tests/threshold/threshold-config-suppress-bysrc-ipvar/input.rules
create mode 100644 tests/threshold/threshold-config-suppress-bysrc-ipvar/suricata.yaml
create mode 100644 tests/threshold/threshold-config-suppress-bysrc-ipvar/test.yaml
create mode 100644 tests/threshold/threshold-config-suppress-bysrc-ipvar/threshold.config
diff --git a/tests/threshold/threshold-config-suppress-bydst-ip/README.md b/tests/threshold/threshold-config-suppress-bydst-ip/README.md
new file mode 100644
index 000000000..a9a4cbde0
--- /dev/null
+++ b/tests/threshold/threshold-config-suppress-bydst-ip/README.md
@@ -0,0 +1,5 @@
+# Threshold.config with by_rule
+
+This test checks threshold.config file using by_rule keyword
+
+The pcap file is from http-all-headers test
diff --git a/tests/threshold/threshold-config-suppress-bydst-ip/input.pcap b/tests/threshold/threshold-config-suppress-bydst-ip/input.pcap new file mode 100644 index 0000000000000000000000000000000000000000..bf5caebc47f844e06763725c8634e26762456f4e GIT binary patch literal 21263 zc-qZe+ixS+c^|JYwdp8cH*OFY0eUhU+mcPrkh-m;m1J{u_v*qdwcZUJV|zGrNRBz2 znVpL$F5JRFQ{*9ji1SdRMK6xs)^+P5KoJ;uNDvqP2aF;C@{p!2>K1651a91>C{Wn_ zzH?^C8Il@NT)B-FTFveJ&Ue1c?|kPn^S!tK>g#8uJEZ96!w)6tHu!t)(yLE=>$`VI z%W#apAACsob^N_sT9c&weZ?oF=kI#)-(LLS<)0MadH3(evQla88y|cEQJgdK+}j_M zq%(Ki`OVvIyW`Af0d1Y#-a!*M0#l$#(i4(;*Uz$ugosjUEPMYp{R$vH;QaC@-+B6n z98Hg-%>u^kAlb(6TjjF7*CX2lfcQe`>_gvf>yi|q{K^@L|MsGs`K9~T5ap|92cmrH zp>Mx_O_Da&_KB+7Ez7j2uGIaeNjCTQOKL$WjAb@$&tD*|R!d=iowzno6qMNsvca^5 ztxo3i)A>SSYAjRKH0A)F&klX{uxVzgB0IE=ccw`pzfd^8P?#heJNsjqGII~G z)kTMDbx^}L_59opsJ?129ZCl*3&r5J8}brsc8c2Jx>@-$98=ZxaPRr zY~mwoE-S(0k!Xcm=9pZ^j4j__iVAH0d>n4*s zRblJk2} z(3?!C>4Qj7RkPDFsWYQi_xbViB9yGb|1>73>g!3dL#a(x_2u3+be}}CPj(CqdY??* zn<3mJOLD7j_$-H7g>bO!mP?%r@^aTN>N7(K<6;|x-a3{G@xcl;!^-g|AbRu8;e}f? 
zWT*bB?KX);n^23#sH@e{NBz33FUbycm7r}N|B28^P_$Mvauve@0tn0ZRe?TpPprYQ zvp&Z~aWGn9C=UTszxj{1rKJ|@Jhk{~GAa1*{rk78?_p};0^dg{DSZDj=lgt;@2l@c zeE;_6Bq=6$GNrz6FQ$28lj8Z{mV0h~tGl~bE=Pdxf7w(r}`K{fFxmZLV+>`DMn zTD?&YAuew40O#n5DCyMf_FqFKAt~~J5v(I59u#n0h)w}GqX1OtjZg#Y#m|ib(3=@Tqq19 z+c&hZjR~cFCYK`@8T34)sFUg0xx?8!$>oyTqs&6I61OQ~CJ<{F|PeJ&#QN$)DYk#`hbX?|;(I_vSwGz4;x% z_k}Oro5uHF=X|dw`QF@*`2ORUBx!1Pa$dd=6PqU;AT?+sepw_SaD6r(zl_$VypckC z*QwV<(`?gruZvz9ADM-psj0sEHN3aZe|qnkhSk8kdH&OT7m~`OVbMHzcZ&bOT~!6k zf~#wc1f|CV$QZ^>F8>` zJ{EZx&&Q&Rm;^HyQ~=$J0oh7w^kU{F!hOHaNaq314qS~97>O_vmM0WsFf7l96deXE z1WXtW`?CP3lTGRa%(h_#hw3`hZI@$#Yw* zLXh6D7(f}mN1BG~+ODUB@mHT-E(_6CKr|44T8NLs&4o-SjE@{O8#n@j9u?;mbXfzLRXVyu866+^lwbGXV^8H04>Rw|!4ipvm;I*pilUbC7l} z+3-Yq>AYp+E#8Da1DUk#9npAfrx$?KP`e6TiQ0g~uAw$<%kXU%(*3w5%Pj_}-9RMa z?cmTg#_i&`_Omd$=aE@8AaE6@?mS*|?ZCMX5j8n8BZqFdj%8x~1N^QhJh9plHDMAI zHzwO)M?|K6esV00sbAqttt6TH#OV!6QR$Md&D@x*}4En_%Xta?#lwc zrYk~~uZ!CYG#Dls5yOT;w}rG#n}JJt=^pJ22!mL;o0<~PrqVnN z!_Z6EmmM0KeN@>Ioj7thByOCJ^n4P_{Xz=&2z7x^52#`Car1#eGe@S1=cr{{+5z+w zc+hUzfk#%JDr0pq0*>Z-=jYU&HJsGVtJg~ScZzIvx`$h%=9XbiO`aA(M_?ZvO%GSY zaAX}}-3nz#7`H;)5yt5B-8JHAk$8mo3rFPSF+n>;iBaerps`ZQ+d^gl&r?lnH1 z#`mvszRxB3zV+!SGk^6^lKQlDL=X+zEga+Ar_(tMRmt#OL;`N4jv_S-hv+U+LU6cF zqhr0(={g35PDJQo@-9+$q7sq3lM>hpMku#P<*w88PK(JytdEY!hpJ#W9uJ{zg~mgO zTVe4KVssMknD4YWJOmt+$ecWLPIs3WQMTmU)A;_6Ip6neG#%hUN3dPATjAI)%B|3B7iDy&jT`i|$hM35 zi#z*qtRoLg8U|E9IMB?>U4;Ga3~$Ik~Y-5eA+TtcUu0U zVNthD;#A@BX?2iFZ|8hF2Re5kOo6y7s95zyHm=N z(#qvEu?VoSdxaENcgqUkeBKUtC3SiLmD?oRkr-cLK%ttXg0#eb)O~qoCZJh^TKL=eL1qmq6#PBwQXB0-;8?`;<8va4>$kB z7ykKHqoU)OxKhz{0#M?@V#NiH)5u<#T#MG;`^sbzdnh8(H>`%z$J2U64UL8jt#-F3 ztmE=mNziy_zfUiwPF)xj;w~#svC-Q69D`9_UggInycha8O515{k0zP=%bU^6`*-f+dt!Q<6$P21b7463dEAGQd}1aP7qOYyf%+K) zgj2xCSxKbu>dBx2YoJuo<;9JnT7kN!lmm_>`FU_ zd!@RYGxN&4QkYeRwXcd|sx)U5iOZYBcG=vf~;F_cJ8|sGNP>bCy=-BIDxpZ^{aWLvNFqP0*I!-Jn zN&)jN$k=pdR(-`X(*bw6>LD{08(vaCHBSkAT347J9MjhFF-VL-;$>DCxTT`ebg&ih zYMmYf=rA8b4Aaw_R87Z&p@(08*s6HWg<{o>m^vjh-{YD2KlNwkFT8=7`8E@o`6q6q 
z&b+_I`FH0l@%K!2bOVQuyDXbjYBB^6pVl@iX6yy-23g&HmO)p)X_c2ZDEi=A%LLOJb+NX zke;usY!_ot2}J=Q?%yeTb(6Kp23e_7)3zYlU(~#yRV7bT{~4k~WVSHn(i$jm&{!5b zeU4zgNUvpeYCa#%+K)$*_~(_$iIZ!)PXhHfxqRy7(heUD3i%`HI~qH&PwW6sxwOH` zcGV9PVsT;AzSP8Gxn_vMJ%w4SX4?(s^7U=Zji-Qy_?1q4jvHbF5_ADLt|Fdzn`2_A zZfD2PT-%FU5Uq!gZ&^Mwvt(*A2YKrVMmT0YTwaDzB^@pT5Dt_2Lm$T1oGHX++U^MX zI==-D45QD|+V0x5{maGC5)9~oFr!`2j>rW{m*<>EfT@4} z)6|*w66gDO`}zKBXOZtW;88@WKXX?a-~Sos`|%{-f9-6P-~ZNsOH!lexmqGaRxhs= zS9jK;w5>DIJ7l)G2Nr|oa{YzJC-)*Wdn_sDuOMg#UW-*kew-9IB_TfE@}=!nNR4Te z3ydcxiQ)LPo}S}j+?f>hRF}dqcE1#x4je*%AqR4C5{sHA)1vD%VZbe>1i4(ug6i7E z_AYd>p>5#`jIwnUjf}hOMqs$iBQ@wJw28D%yh=@v)xkzQDzWERYw+LAxJ5RZk*MT+|76lon07GNi;1l!S9Z6qk-1dvL8gB5-n-NI z{wdD)KkDcEmwe>=;vWdU|K8-?X?*`W=le&JeE*Uk<@eVizdzC?%NtwVrd#g+jiVsYDZZN$W{Gj}Bx zAdy_IL)zcsOIDTk5^C>Z{xVl*F6aO!f|o_sTuSMok7uHCU=fiDwqaP;6f;BNDzD0u z!4YCQuo83sSEr3C%@*Q0e{q2(QM#?{Ez&`i(nE~F_* zWkzpFidDL;DrwsRX;^lP*j2Dnn^gK2?r^y+ngc>-%@Ri}!+E&a)`W@x%D3Y$q~S&1 zUg$VCr14J|_n(Oen!KELms4A`TINI!P_=Cz*Z#N>pDsK@)^I+m^CC_dTtti-LE1_? zGuVCmBeOs5xI)E>q8GmSlNmY8Z$gTlD<}nJ8oUZmqM5}J@oEBZQYqwdcJ>qi{l;T4 z!2L^)-69}xk(rxOW|acqmEeTqh3`m>h>5EWp4D^!7wA&VBJ(xdFvIKgtN5`A;iE2o zk_4A)d(HcZcXBzlcFX(4?QO-;tMalw;H6u9yDVJx<(K)1D_#eVOQqX9s5D$M?&Es| z3CU0)Yhir#h87ZTE_@1uXOKr9|4b-$%kb;uMu1ChT+UnHAaKN+t$c$3ZYrZqzQ!!} zTE+I15mF?eRM56-Fyy3gI~L(vdI)qT-7Ny3UKsntb)zV%$C1G`#6eVE(4#|Z5mTpR z=2v-U{=DFctBG!Vo@*^h^HDiI-3~a zz=bFfFR^CACG}K*PKL5&@dzyi71Pj!fDk94B+MXSm=+ z=<9gjka!MR3R)xHpLTif2730}p`REoRNy(d%mKqL=t!8G(m!E-$Xw1*VMpslOr65_ z*Erw*u%GW=dl~t@a04C!lz%tQNI!yN_}k0(x4rY$8_4(S-zWM0wU?ur_obJB??HQE zciio539Z<`4jo2^RHcWvdy{DxBDh{kIz8}yXATU}a7!8{^h!9!TZfE8vt3uLCV49E zK@&$_P^(3PVqU_Hg)h8gH$leH9~LXikjpHpmE}$&@OuKi?VLys8yL#*(Tp0xM&Vc3 zNHh5rwjzwFO#Bubeuu5w%c0cGp~!?Soc3j7WICV0kT}@vV4DlEL&U_N0N$w^369>TU6mF ke=`u}en7DW%FBP9Noi5|iOK1n7Ht92e_+ any any (dsize:0; sid: 1000001;) 
diff --git a/tests/threshold/threshold-config-suppress-bydst-ip/suricata.yaml b/tests/threshold/threshold-config-suppress-bydst-ip/suricata.yaml new file mode 100644 index 000000000..ee5c3f004 --- /dev/null +++ b/tests/threshold/threshold-config-suppress-bydst-ip/suricata.yaml @@ -0,0 +1,15 @@ +%YAML 1.1 +--- + +outputs: + - eve-log: + enabled: yes + filetype: regular + filename: eve.json + types: + - alert + - drop: + flows: all + alerts: true + - http + - anomaly diff --git a/tests/threshold/threshold-config-suppress-bydst-ip/test.yaml b/tests/threshold/threshold-config-suppress-bydst-ip/test.yaml new file mode 100644 index 000000000..58392f3a3 --- /dev/null +++ b/tests/threshold/threshold-config-suppress-bydst-ip/test.yaml @@ -0,0 +1,21 @@ +requires: + min-version: 7 + +args: +- --set threshold-file=${TEST_DIR}/threshold.config +- --simulate-ips + +checks: + - filter: + count: 15 + match: + event_type: alert + alert.signature_id: 1000001 + - filter: + count: 19 + match: + event_type: drop + - filter: + count: 1 + match: + event_type: http diff --git a/tests/threshold/threshold-config-suppress-bydst-ip/threshold.config b/tests/threshold/threshold-config-suppress-bydst-ip/threshold.config new file mode 100644 index 000000000..e74f87262 --- /dev/null +++ b/tests/threshold/threshold-config-suppress-bydst-ip/threshold.config @@ -0,0 +1 @@ +suppress gen_id 1, sig_id 1000001, track by_dst, ip 145.254.160.237 diff --git a/tests/threshold/threshold-config-suppress-bydst-ipsubnet/README.md b/tests/threshold/threshold-config-suppress-bydst-ipsubnet/README.md new file mode 100644 index 000000000..a9a4cbde0 --- /dev/null +++ b/tests/threshold/threshold-config-suppress-bydst-ipsubnet/README.md @@ -0,0 +1,5 @@ +# Threshold.config with by_rule + +This test checks threshold.config file using by_rule keyword + +The pcap file is from http-all-headers test 
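Review bot: The test.yaml checks pin only totals (15 alerts, 19 drops, 1 http), so a regression that suppressed the wrong address while leaving the same number of matches would still pass; add a filter asserting that no alert for the suppressed destination remains, i.e. `event_type: alert` with `dest_ip: 145.254.160.237` and `count: 0`. The same test.yaml (index 58392f3a3) is reused unchanged by the bydst-ipsubnet and bydst-ipvar hunks, where the same check applies. The 19 drop events against 15 alerts suggest the four suppressed matches are still dropped under --simulate-ips; if that is the intended semantics of suppress it deserves a one-line comment above the drop filter such as `# suppressed matches still drop: 19 = 15 alerting + 4 suppressed`, and if it is not, the count is hiding the discrepancy. Separately, the README.md added in the same directory still describes the by_rule test it was copied from rather than suppress with track by_dst.
```yaml
checks:
  # … unchanged: existing alert / drop / http count filters …
  - filter:
      count: 0
      match:
        event_type: alert
        dest_ip: 145.254.160.237
```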
diff --git a/tests/threshold/threshold-config-suppress-bydst-ipsubnet/input.pcap b/tests/threshold/threshold-config-suppress-bydst-ipsubnet/input.pcap new file mode 100644 index 0000000000000000000000000000000000000000..bf5caebc47f844e06763725c8634e26762456f4e GIT binary patch literal 21263 zc-qZe+ixS+c^|JYwdp8cH*OFY0eUhU+mcPrkh-m;m1J{u_v*qdwcZUJV|zGrNRBz2 znVpL$F5JRFQ{*9ji1SdRMK6xs)^+P5KoJ;uNDvqP2aF;C@{p!2>K1651a91>C{Wn_ zzH?^C8Il@NT)B-FTFveJ&Ue1c?|kPn^S!tK>g#8uJEZ96!w)6tHu!t)(yLE=>$`VI z%W#apAACsob^N_sT9c&weZ?oF=kI#)-(LLS<)0MadH3(evQla88y|cEQJgdK+}j_M zq%(Ki`OVvIyW`Af0d1Y#-a!*M0#l$#(i4(;*Uz$ugosjUEPMYp{R$vH;QaC@-+B6n z98Hg-%>u^kAlb(6TjjF7*CX2lfcQe`>_gvf>yi|q{K^@L|MsGs`K9~T5ap|92cmrH zp>Mx_O_Da&_KB+7Ez7j2uGIaeNjCTQOKL$WjAb@$&tD*|R!d=iowzno6qMNsvca^5 ztxo3i)A>SSYAjRKH0A)F&klX{uxVzgB0IE=ccw`pzfd^8P?#heJNsjqGII~G z)kTMDbx^}L_59opsJ?129ZCl*3&r5J8}brsc8c2Jx>@-$98=ZxaPRr zY~mwoE-S(0k!Xcm=9pZ^j4j__iVAH0d>n4*s zRblJk2} z(3?!C>4Qj7RkPDFsWYQi_xbViB9yGb|1>73>g!3dL#a(x_2u3+be}}CPj(CqdY??* zn<3mJOLD7j_$-H7g>bO!mP?%r@^aTN>N7(K<6;|x-a3{G@xcl;!^-g|AbRu8;e}f? 
zWT*bB?KX);n^23#sH@e{NBz33FUbycm7r}N|B28^P_$Mvauve@0tn0ZRe?TpPprYQ zvp&Z~aWGn9C=UTszxj{1rKJ|@Jhk{~GAa1*{rk78?_p};0^dg{DSZDj=lgt;@2l@c zeE;_6Bq=6$GNrz6FQ$28lj8Z{mV0h~tGl~bE=Pdxf7w(r}`K{fFxmZLV+>`DMn zTD?&YAuew40O#n5DCyMf_FqFKAt~~J5v(I59u#n0h)w}GqX1OtjZg#Y#m|ib(3=@Tqq19 z+c&hZjR~cFCYK`@8T34)sFUg0xx?8!$>oyTqs&6I61OQ~CJ<{F|PeJ&#QN$)DYk#`hbX?|;(I_vSwGz4;x% z_k}Oro5uHF=X|dw`QF@*`2ORUBx!1Pa$dd=6PqU;AT?+sepw_SaD6r(zl_$VypckC z*QwV<(`?gruZvz9ADM-psj0sEHN3aZe|qnkhSk8kdH&OT7m~`OVbMHzcZ&bOT~!6k zf~#wc1f|CV$QZ^>F8>` zJ{EZx&&Q&Rm;^HyQ~=$J0oh7w^kU{F!hOHaNaq314qS~97>O_vmM0WsFf7l96deXE z1WXtW`?CP3lTGRa%(h_#hw3`hZI@$#Yw* zLXh6D7(f}mN1BG~+ODUB@mHT-E(_6CKr|44T8NLs&4o-SjE@{O8#n@j9u?;mbXfzLRXVyu866+^lwbGXV^8H04>Rw|!4ipvm;I*pilUbC7l} z+3-Yq>AYp+E#8Da1DUk#9npAfrx$?KP`e6TiQ0g~uAw$<%kXU%(*3w5%Pj_}-9RMa z?cmTg#_i&`_Omd$=aE@8AaE6@?mS*|?ZCMX5j8n8BZqFdj%8x~1N^QhJh9plHDMAI zHzwO)M?|K6esV00sbAqttt6TH#OV!6QR$Md&D@x*}4En_%Xta?#lwc zrYk~~uZ!CYG#Dls5yOT;w}rG#n}JJt=^pJ22!mL;o0<~PrqVnN z!_Z6EmmM0KeN@>Ioj7thByOCJ^n4P_{Xz=&2z7x^52#`Car1#eGe@S1=cr{{+5z+w zc+hUzfk#%JDr0pq0*>Z-=jYU&HJsGVtJg~ScZzIvx`$h%=9XbiO`aA(M_?ZvO%GSY zaAX}}-3nz#7`H;)5yt5B-8JHAk$8mo3rFPSF+n>;iBaerps`ZQ+d^gl&r?lnH1 z#`mvszRxB3zV+!SGk^6^lKQlDL=X+zEga+Ar_(tMRmt#OL;`N4jv_S-hv+U+LU6cF zqhr0(={g35PDJQo@-9+$q7sq3lM>hpMku#P<*w88PK(JytdEY!hpJ#W9uJ{zg~mgO zTVe4KVssMknD4YWJOmt+$ecWLPIs3WQMTmU)A;_6Ip6neG#%hUN3dPATjAI)%B|3B7iDy&jT`i|$hM35 zi#z*qtRoLg8U|E9IMB?>U4;Ga3~$Ik~Y-5eA+TtcUu0U zVNthD;#A@BX?2iFZ|8hF2Re5kOo6y7s95zyHm=N z(#qvEu?VoSdxaENcgqUkeBKUtC3SiLmD?oRkr-cLK%ttXg0#eb)O~qoCZJh^TKL=eL1qmq6#PBwQXB0-;8?`;<8va4>$kB z7ykKHqoU)OxKhz{0#M?@V#NiH)5u<#T#MG;`^sbzdnh8(H>`%z$J2U64UL8jt#-F3 ztmE=mNziy_zfUiwPF)xj;w~#svC-Q69D`9_UggInycha8O515{k0zP=%bU^6`*-f+dt!Q<6$P21b7463dEAGQd}1aP7qOYyf%+K) zgj2xCSxKbu>dBx2YoJuo<;9JnT7kN!lmm_>`FU_ zd!@RYGxN&4QkYeRwXcd|sx)U5iOZYBcG=vf~;F_cJ8|sGNP>bCy=-BIDxpZ^{aWLvNFqP0*I!-Jn zN&)jN$k=pdR(-`X(*bw6>LD{08(vaCHBSkAT347J9MjhFF-VL-;$>DCxTT`ebg&ih zYMmYf=rA8b4Aaw_R87Z&p@(08*s6HWg<{o>m^vjh-{YD2KlNwkFT8=7`8E@o`6q6q 
z&b+_I`FH0l@%K!2bOVQuyDXbjYBB^6pVl@iX6yy-23g&HmO)p)X_c2ZDEi=A%LLOJb+NX zke;usY!_ot2}J=Q?%yeTb(6Kp23e_7)3zYlU(~#yRV7bT{~4k~WVSHn(i$jm&{!5b zeU4zgNUvpeYCa#%+K)$*_~(_$iIZ!)PXhHfxqRy7(heUD3i%`HI~qH&PwW6sxwOH` zcGV9PVsT;AzSP8Gxn_vMJ%w4SX4?(s^7U=Zji-Qy_?1q4jvHbF5_ADLt|Fdzn`2_A zZfD2PT-%FU5Uq!gZ&^Mwvt(*A2YKrVMmT0YTwaDzB^@pT5Dt_2Lm$T1oGHX++U^MX zI==-D45QD|+V0x5{maGC5)9~oFr!`2j>rW{m*<>EfT@4} z)6|*w66gDO`}zKBXOZtW;88@WKXX?a-~Sos`|%{-f9-6P-~ZNsOH!lexmqGaRxhs= zS9jK;w5>DIJ7l)G2Nr|oa{YzJC-)*Wdn_sDuOMg#UW-*kew-9IB_TfE@}=!nNR4Te z3ydcxiQ)LPo}S}j+?f>hRF}dqcE1#x4je*%AqR4C5{sHA)1vD%VZbe>1i4(ug6i7E z_AYd>p>5#`jIwnUjf}hOMqs$iBQ@wJw28D%yh=@v)xkzQDzWERYw+LAxJ5RZk*MT+|76lon07GNi;1l!S9Z6qk-1dvL8gB5-n-NI z{wdD)KkDcEmwe>=;vWdU|K8-?X?*`W=le&JeE*Uk<@eVizdzC?%NtwVrd#g+jiVsYDZZN$W{Gj}Bx zAdy_IL)zcsOIDTk5^C>Z{xVl*F6aO!f|o_sTuSMok7uHCU=fiDwqaP;6f;BNDzD0u z!4YCQuo83sSEr3C%@*Q0e{q2(QM#?{Ez&`i(nE~F_* zWkzpFidDL;DrwsRX;^lP*j2Dnn^gK2?r^y+ngc>-%@Ri}!+E&a)`W@x%D3Y$q~S&1 zUg$VCr14J|_n(Oen!KELms4A`TINI!P_=Cz*Z#N>pDsK@)^I+m^CC_dTtti-LE1_? zGuVCmBeOs5xI)E>q8GmSlNmY8Z$gTlD<}nJ8oUZmqM5}J@oEBZQYqwdcJ>qi{l;T4 z!2L^)-69}xk(rxOW|acqmEeTqh3`m>h>5EWp4D^!7wA&VBJ(xdFvIKgtN5`A;iE2o zk_4A)d(HcZcXBzlcFX(4?QO-;tMalw;H6u9yDVJx<(K)1D_#eVOQqX9s5D$M?&Es| z3CU0)Yhir#h87ZTE_@1uXOKr9|4b-$%kb;uMu1ChT+UnHAaKN+t$c$3ZYrZqzQ!!} zTE+I15mF?eRM56-Fyy3gI~L(vdI)qT-7Ny3UKsntb)zV%$C1G`#6eVE(4#|Z5mTpR z=2v-U{=DFctBG!Vo@*^h^HDiI-3~a zz=bFfFR^CACG}K*PKL5&@dzyi71Pj!fDk94B+MXSm=+ z=<9gjka!MR3R)xHpLTif2730}p`REoRNy(d%mKqL=t!8G(m!E-$Xw1*VMpslOr65_ z*Erw*u%GW=dl~t@a04C!lz%tQNI!yN_}k0(x4rY$8_4(S-zWM0wU?ur_obJB??HQE zciio539Z<`4jo2^RHcWvdy{DxBDh{kIz8}yXATU}a7!8{^h!9!TZfE8vt3uLCV49E zK@&$_P^(3PVqU_Hg)h8gH$leH9~LXikjpHpmE}$&@OuKi?VLys8yL#*(Tp0xM&Vc3 zNHh5rwjzwFO#Bubeuu5w%c0cGp~!?Soc3j7WICV0kT}@vV4DlEL&U_N0N$w^369>TU6mF ke=`u}en7DW%FBP9Noi5|iOK1n7Ht92e_+ any any (dsize:0; sid: 1000001;) 
diff --git a/tests/threshold/threshold-config-suppress-bydst-ipsubnet/suricata.yaml b/tests/threshold/threshold-config-suppress-bydst-ipsubnet/suricata.yaml new file mode 100644 index 000000000..ee5c3f004 --- /dev/null +++ b/tests/threshold/threshold-config-suppress-bydst-ipsubnet/suricata.yaml @@ -0,0 +1,15 @@ +%YAML 1.1 +--- + +outputs: + - eve-log: + enabled: yes + filetype: regular + filename: eve.json + types: + - alert + - drop: + flows: all + alerts: true + - http + - anomaly diff --git a/tests/threshold/threshold-config-suppress-bydst-ipsubnet/test.yaml b/tests/threshold/threshold-config-suppress-bydst-ipsubnet/test.yaml new file mode 100644 index 000000000..58392f3a3 --- /dev/null +++ b/tests/threshold/threshold-config-suppress-bydst-ipsubnet/test.yaml @@ -0,0 +1,21 @@ +requires: + min-version: 7 + +args: +- --set threshold-file=${TEST_DIR}/threshold.config +- --simulate-ips + +checks: + - filter: + count: 15 + match: + event_type: alert + alert.signature_id: 1000001 + - filter: + count: 19 + match: + event_type: drop + - filter: + count: 1 + match: + event_type: http diff --git a/tests/threshold/threshold-config-suppress-bydst-ipsubnet/threshold.config b/tests/threshold/threshold-config-suppress-bydst-ipsubnet/threshold.config new file mode 100644 index 000000000..20844fd5d --- /dev/null +++ b/tests/threshold/threshold-config-suppress-bydst-ipsubnet/threshold.config @@ -0,0 +1 @@ +suppress gen_id 1, sig_id 1000001, track by_dst, ip 145.254.160.0/24 diff --git a/tests/threshold/threshold-config-suppress-bydst-ipvar/README.md b/tests/threshold/threshold-config-suppress-bydst-ipvar/README.md new file mode 100644 index 000000000..a9a4cbde0 --- /dev/null +++ b/tests/threshold/threshold-config-suppress-bydst-ipvar/README.md @@ -0,0 +1,5 @@ +# Threshold.config with by_rule + +This test checks threshold.config file using by_rule keyword + +The pcap file is from http-all-headers test 
diff --git a/tests/threshold/threshold-config-suppress-bydst-ipvar/input.pcap b/tests/threshold/threshold-config-suppress-bydst-ipvar/input.pcap new file mode 100644 index 0000000000000000000000000000000000000000..bf5caebc47f844e06763725c8634e26762456f4e GIT binary patch literal 21263 zc-qZe+ixS+c^|JYwdp8cH*OFY0eUhU+mcPrkh-m;m1J{u_v*qdwcZUJV|zGrNRBz2 znVpL$F5JRFQ{*9ji1SdRMK6xs)^+P5KoJ;uNDvqP2aF;C@{p!2>K1651a91>C{Wn_ zzH?^C8Il@NT)B-FTFveJ&Ue1c?|kPn^S!tK>g#8uJEZ96!w)6tHu!t)(yLE=>$`VI z%W#apAACsob^N_sT9c&weZ?oF=kI#)-(LLS<)0MadH3(evQla88y|cEQJgdK+}j_M zq%(Ki`OVvIyW`Af0d1Y#-a!*M0#l$#(i4(;*Uz$ugosjUEPMYp{R$vH;QaC@-+B6n z98Hg-%>u^kAlb(6TjjF7*CX2lfcQe`>_gvf>yi|q{K^@L|MsGs`K9~T5ap|92cmrH zp>Mx_O_Da&_KB+7Ez7j2uGIaeNjCTQOKL$WjAb@$&tD*|R!d=iowzno6qMNsvca^5 ztxo3i)A>SSYAjRKH0A)F&klX{uxVzgB0IE=ccw`pzfd^8P?#heJNsjqGII~G z)kTMDbx^}L_59opsJ?129ZCl*3&r5J8}brsc8c2Jx>@-$98=ZxaPRr zY~mwoE-S(0k!Xcm=9pZ^j4j__iVAH0d>n4*s zRblJk2} z(3?!C>4Qj7RkPDFsWYQi_xbViB9yGb|1>73>g!3dL#a(x_2u3+be}}CPj(CqdY??* zn<3mJOLD7j_$-H7g>bO!mP?%r@^aTN>N7(K<6;|x-a3{G@xcl;!^-g|AbRu8;e}f? 
zWT*bB?KX);n^23#sH@e{NBz33FUbycm7r}N|B28^P_$Mvauve@0tn0ZRe?TpPprYQ zvp&Z~aWGn9C=UTszxj{1rKJ|@Jhk{~GAa1*{rk78?_p};0^dg{DSZDj=lgt;@2l@c zeE;_6Bq=6$GNrz6FQ$28lj8Z{mV0h~tGl~bE=Pdxf7w(r}`K{fFxmZLV+>`DMn zTD?&YAuew40O#n5DCyMf_FqFKAt~~J5v(I59u#n0h)w}GqX1OtjZg#Y#m|ib(3=@Tqq19 z+c&hZjR~cFCYK`@8T34)sFUg0xx?8!$>oyTqs&6I61OQ~CJ<{F|PeJ&#QN$)DYk#`hbX?|;(I_vSwGz4;x% z_k}Oro5uHF=X|dw`QF@*`2ORUBx!1Pa$dd=6PqU;AT?+sepw_SaD6r(zl_$VypckC z*QwV<(`?gruZvz9ADM-psj0sEHN3aZe|qnkhSk8kdH&OT7m~`OVbMHzcZ&bOT~!6k zf~#wc1f|CV$QZ^>F8>` zJ{EZx&&Q&Rm;^HyQ~=$J0oh7w^kU{F!hOHaNaq314qS~97>O_vmM0WsFf7l96deXE z1WXtW`?CP3lTGRa%(h_#hw3`hZI@$#Yw* zLXh6D7(f}mN1BG~+ODUB@mHT-E(_6CKr|44T8NLs&4o-SjE@{O8#n@j9u?;mbXfzLRXVyu866+^lwbGXV^8H04>Rw|!4ipvm;I*pilUbC7l} z+3-Yq>AYp+E#8Da1DUk#9npAfrx$?KP`e6TiQ0g~uAw$<%kXU%(*3w5%Pj_}-9RMa z?cmTg#_i&`_Omd$=aE@8AaE6@?mS*|?ZCMX5j8n8BZqFdj%8x~1N^QhJh9plHDMAI zHzwO)M?|K6esV00sbAqttt6TH#OV!6QR$Md&D@x*}4En_%Xta?#lwc zrYk~~uZ!CYG#Dls5yOT;w}rG#n}JJt=^pJ22!mL;o0<~PrqVnN z!_Z6EmmM0KeN@>Ioj7thByOCJ^n4P_{Xz=&2z7x^52#`Car1#eGe@S1=cr{{+5z+w zc+hUzfk#%JDr0pq0*>Z-=jYU&HJsGVtJg~ScZzIvx`$h%=9XbiO`aA(M_?ZvO%GSY zaAX}}-3nz#7`H;)5yt5B-8JHAk$8mo3rFPSF+n>;iBaerps`ZQ+d^gl&r?lnH1 z#`mvszRxB3zV+!SGk^6^lKQlDL=X+zEga+Ar_(tMRmt#OL;`N4jv_S-hv+U+LU6cF zqhr0(={g35PDJQo@-9+$q7sq3lM>hpMku#P<*w88PK(JytdEY!hpJ#W9uJ{zg~mgO zTVe4KVssMknD4YWJOmt+$ecWLPIs3WQMTmU)A;_6Ip6neG#%hUN3dPATjAI)%B|3B7iDy&jT`i|$hM35 zi#z*qtRoLg8U|E9IMB?>U4;Ga3~$Ik~Y-5eA+TtcUu0U zVNthD;#A@BX?2iFZ|8hF2Re5kOo6y7s95zyHm=N z(#qvEu?VoSdxaENcgqUkeBKUtC3SiLmD?oRkr-cLK%ttXg0#eb)O~qoCZJh^TKL=eL1qmq6#PBwQXB0-;8?`;<8va4>$kB z7ykKHqoU)OxKhz{0#M?@V#NiH)5u<#T#MG;`^sbzdnh8(H>`%z$J2U64UL8jt#-F3 ztmE=mNziy_zfUiwPF)xj;w~#svC-Q69D`9_UggInycha8O515{k0zP=%bU^6`*-f+dt!Q<6$P21b7463dEAGQd}1aP7qOYyf%+K) zgj2xCSxKbu>dBx2YoJuo<;9JnT7kN!lmm_>`FU_ zd!@RYGxN&4QkYeRwXcd|sx)U5iOZYBcG=vf~;F_cJ8|sGNP>bCy=-BIDxpZ^{aWLvNFqP0*I!-Jn zN&)jN$k=pdR(-`X(*bw6>LD{08(vaCHBSkAT347J9MjhFF-VL-;$>DCxTT`ebg&ih zYMmYf=rA8b4Aaw_R87Z&p@(08*s6HWg<{o>m^vjh-{YD2KlNwkFT8=7`8E@o`6q6q 
z&b+_I`FH0l@%K!2bOVQuyDXbjYBB^6pVl@iX6yy-23g&HmO)p)X_c2ZDEi=A%LLOJb+NX zke;usY!_ot2}J=Q?%yeTb(6Kp23e_7)3zYlU(~#yRV7bT{~4k~WVSHn(i$jm&{!5b zeU4zgNUvpeYCa#%+K)$*_~(_$iIZ!)PXhHfxqRy7(heUD3i%`HI~qH&PwW6sxwOH` zcGV9PVsT;AzSP8Gxn_vMJ%w4SX4?(s^7U=Zji-Qy_?1q4jvHbF5_ADLt|Fdzn`2_A zZfD2PT-%FU5Uq!gZ&^Mwvt(*A2YKrVMmT0YTwaDzB^@pT5Dt_2Lm$T1oGHX++U^MX zI==-D45QD|+V0x5{maGC5)9~oFr!`2j>rW{m*<>EfT@4} z)6|*w66gDO`}zKBXOZtW;88@WKXX?a-~Sos`|%{-f9-6P-~ZNsOH!lexmqGaRxhs= zS9jK;w5>DIJ7l)G2Nr|oa{YzJC-)*Wdn_sDuOMg#UW-*kew-9IB_TfE@}=!nNR4Te z3ydcxiQ)LPo}S}j+?f>hRF}dqcE1#x4je*%AqR4C5{sHA)1vD%VZbe>1i4(ug6i7E z_AYd>p>5#`jIwnUjf}hOMqs$iBQ@wJw28D%yh=@v)xkzQDzWERYw+LAxJ5RZk*MT+|76lon07GNi;1l!S9Z6qk-1dvL8gB5-n-NI z{wdD)KkDcEmwe>=;vWdU|K8-?X?*`W=le&JeE*Uk<@eVizdzC?%NtwVrd#g+jiVsYDZZN$W{Gj}Bx zAdy_IL)zcsOIDTk5^C>Z{xVl*F6aO!f|o_sTuSMok7uHCU=fiDwqaP;6f;BNDzD0u z!4YCQuo83sSEr3C%@*Q0e{q2(QM#?{Ez&`i(nE~F_* zWkzpFidDL;DrwsRX;^lP*j2Dnn^gK2?r^y+ngc>-%@Ri}!+E&a)`W@x%D3Y$q~S&1 zUg$VCr14J|_n(Oen!KELms4A`TINI!P_=Cz*Z#N>pDsK@)^I+m^CC_dTtti-LE1_? zGuVCmBeOs5xI)E>q8GmSlNmY8Z$gTlD<}nJ8oUZmqM5}J@oEBZQYqwdcJ>qi{l;T4 z!2L^)-69}xk(rxOW|acqmEeTqh3`m>h>5EWp4D^!7wA&VBJ(xdFvIKgtN5`A;iE2o zk_4A)d(HcZcXBzlcFX(4?QO-;tMalw;H6u9yDVJx<(K)1D_#eVOQqX9s5D$M?&Es| z3CU0)Yhir#h87ZTE_@1uXOKr9|4b-$%kb;uMu1ChT+UnHAaKN+t$c$3ZYrZqzQ!!} zTE+I15mF?eRM56-Fyy3gI~L(vdI)qT-7Ny3UKsntb)zV%$C1G`#6eVE(4#|Z5mTpR z=2v-U{=DFctBG!Vo@*^h^HDiI-3~a zz=bFfFR^CACG}K*PKL5&@dzyi71Pj!fDk94B+MXSm=+ z=<9gjka!MR3R)xHpLTif2730}p`REoRNy(d%mKqL=t!8G(m!E-$Xw1*VMpslOr65_ z*Erw*u%GW=dl~t@a04C!lz%tQNI!yN_}k0(x4rY$8_4(S-zWM0wU?ur_obJB??HQE zciio539Z<`4jo2^RHcWvdy{DxBDh{kIz8}yXATU}a7!8{^h!9!TZfE8vt3uLCV49E zK@&$_P^(3PVqU_Hg)h8gH$leH9~LXikjpHpmE}$&@OuKi?VLys8yL#*(Tp0xM&Vc3 zNHh5rwjzwFO#Bubeuu5w%c0cGp~!?Soc3j7WICV0kT}@vV4DlEL&U_N0N$w^369>TU6mF ke=`u}en7DW%FBP9Noi5|iOK1n7Ht92e_+ any any (dsize:0; sid: 1000001;) 
diff --git a/tests/threshold/threshold-config-suppress-bydst-ipvar/suricata.yaml b/tests/threshold/threshold-config-suppress-bydst-ipvar/suricata.yaml new file mode 100644 index 000000000..c746f55ca --- /dev/null +++ b/tests/threshold/threshold-config-suppress-bydst-ipvar/suricata.yaml @@ -0,0 +1,21 @@ +%YAML 1.1 +--- + +vars: + # more specific is better for alert accuracy and performance + address-groups: + SUPPRESS: "[10.0.0.0/8,20.0.0.0/16,145.0.0.0/8]" + + +outputs: + - eve-log: + enabled: yes + filetype: regular + filename: eve.json + types: + - alert + - drop: + flows: all + alerts: true + - http + - anomaly diff --git a/tests/threshold/threshold-config-suppress-bydst-ipvar/test.yaml b/tests/threshold/threshold-config-suppress-bydst-ipvar/test.yaml new file mode 100644 index 000000000..58392f3a3 --- /dev/null +++ b/tests/threshold/threshold-config-suppress-bydst-ipvar/test.yaml @@ -0,0 +1,21 @@ +requires: + min-version: 7 + +args: +- --set threshold-file=${TEST_DIR}/threshold.config +- --simulate-ips + +checks: + - filter: + count: 15 + match: + event_type: alert + alert.signature_id: 1000001 + - filter: + count: 19 + match: + event_type: drop + - filter: + count: 1 + match: + event_type: http diff --git a/tests/threshold/threshold-config-suppress-bydst-ipvar/threshold.config b/tests/threshold/threshold-config-suppress-bydst-ipvar/threshold.config new file mode 100644 index 000000000..c717f2a7e --- /dev/null +++ b/tests/threshold/threshold-config-suppress-bydst-ipvar/threshold.config @@ -0,0 +1 @@ +suppress gen_id 1, sig_id 1000001, track by_dst, ip $SUPPRESS diff --git a/tests/threshold/threshold-config-suppress-byeither-ip/README.md b/tests/threshold/threshold-config-suppress-byeither-ip/README.md new file mode 100644 index 000000000..a9a4cbde0 --- /dev/null +++ b/tests/threshold/threshold-config-suppress-byeither-ip/README.md 
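Review bot: The comment `# more specific is better for alert accuracy and performance` above `address-groups` is carried over from the stock suricata.yaml and explains nothing about this fixture; replace it with one that says which entry is expected to match, e.g. `# 145.0.0.0/8 covers the pcap destination suppressed in the sibling tests; 10.0.0.0/8 and 20.0.0.0/16 give the var more than one entry`. Without it a reader cannot tell which of the three ranges does the work, and since the test.yaml in this directory asserts only totals, a typo in the matching range would surface only as an unexplained count change. The same comment is reused verbatim in the byeither-ipvar and bysrc-ipvar suricata.yaml files listed in the diffstat, which lie outside this chunk.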
@@ -0,0 +1,5 @@
+# Threshold.config with by_rule
+
+This test checks threshold.config file using by_rule keyword
+
+The pcap file is from http-all-headers test
diff --git a/tests/threshold/threshold-config-suppress-byeither-ip/input.pcap b/tests/threshold/threshold-config-suppress-byeither-ip/input.pcap new file mode 100644 index 0000000000000000000000000000000000000000..bf5caebc47f844e06763725c8634e26762456f4e GIT binary patch literal 21263 zc-qZe+ixS+c^|JYwdp8cH*OFY0eUhU+mcPrkh-m;m1J{u_v*qdwcZUJV|zGrNRBz2 znVpL$F5JRFQ{*9ji1SdRMK6xs)^+P5KoJ;uNDvqP2aF;C@{p!2>K1651a91>C{Wn_ zzH?^C8Il@NT)B-FTFveJ&Ue1c?|kPn^S!tK>g#8uJEZ96!w)6tHu!t)(yLE=>$`VI z%W#apAACsob^N_sT9c&weZ?oF=kI#)-(LLS<)0MadH3(evQla88y|cEQJgdK+}j_M zq%(Ki`OVvIyW`Af0d1Y#-a!*M0#l$#(i4(;*Uz$ugosjUEPMYp{R$vH;QaC@-+B6n z98Hg-%>u^kAlb(6TjjF7*CX2lfcQe`>_gvf>yi|q{K^@L|MsGs`K9~T5ap|92cmrH zp>Mx_O_Da&_KB+7Ez7j2uGIaeNjCTQOKL$WjAb@$&tD*|R!d=iowzno6qMNsvca^5 ztxo3i)A>SSYAjRKH0A)F&klX{uxVzgB0IE=ccw`pzfd^8P?#heJNsjqGII~G z)kTMDbx^}L_59opsJ?129ZCl*3&r5J8}brsc8c2Jx>@-$98=ZxaPRr zY~mwoE-S(0k!Xcm=9pZ^j4j__iVAH0d>n4*s zRblJk2} z(3?!C>4Qj7RkPDFsWYQi_xbViB9yGb|1>73>g!3dL#a(x_2u3+be}}CPj(CqdY??* zn<3mJOLD7j_$-H7g>bO!mP?%r@^aTN>N7(K<6;|x-a3{G@xcl;!^-g|AbRu8;e}f? 
zWT*bB?KX);n^23#sH@e{NBz33FUbycm7r}N|B28^P_$Mvauve@0tn0ZRe?TpPprYQ zvp&Z~aWGn9C=UTszxj{1rKJ|@Jhk{~GAa1*{rk78?_p};0^dg{DSZDj=lgt;@2l@c zeE;_6Bq=6$GNrz6FQ$28lj8Z{mV0h~tGl~bE=Pdxf7w(r}`K{fFxmZLV+>`DMn zTD?&YAuew40O#n5DCyMf_FqFKAt~~J5v(I59u#n0h)w}GqX1OtjZg#Y#m|ib(3=@Tqq19 z+c&hZjR~cFCYK`@8T34)sFUg0xx?8!$>oyTqs&6I61OQ~CJ<{F|PeJ&#QN$)DYk#`hbX?|;(I_vSwGz4;x% z_k}Oro5uHF=X|dw`QF@*`2ORUBx!1Pa$dd=6PqU;AT?+sepw_SaD6r(zl_$VypckC z*QwV<(`?gruZvz9ADM-psj0sEHN3aZe|qnkhSk8kdH&OT7m~`OVbMHzcZ&bOT~!6k zf~#wc1f|CV$QZ^>F8>` zJ{EZx&&Q&Rm;^HyQ~=$J0oh7w^kU{F!hOHaNaq314qS~97>O_vmM0WsFf7l96deXE z1WXtW`?CP3lTGRa%(h_#hw3`hZI@$#Yw* zLXh6D7(f}mN1BG~+ODUB@mHT-E(_6CKr|44T8NLs&4o-SjE@{O8#n@j9u?;mbXfzLRXVyu866+^lwbGXV^8H04>Rw|!4ipvm;I*pilUbC7l} z+3-Yq>AYp+E#8Da1DUk#9npAfrx$?KP`e6TiQ0g~uAw$<%kXU%(*3w5%Pj_}-9RMa z?cmTg#_i&`_Omd$=aE@8AaE6@?mS*|?ZCMX5j8n8BZqFdj%8x~1N^QhJh9plHDMAI zHzwO)M?|K6esV00sbAqttt6TH#OV!6QR$Md&D@x*}4En_%Xta?#lwc zrYk~~uZ!CYG#Dls5yOT;w}rG#n}JJt=^pJ22!mL;o0<~PrqVnN z!_Z6EmmM0KeN@>Ioj7thByOCJ^n4P_{Xz=&2z7x^52#`Car1#eGe@S1=cr{{+5z+w zc+hUzfk#%JDr0pq0*>Z-=jYU&HJsGVtJg~ScZzIvx`$h%=9XbiO`aA(M_?ZvO%GSY zaAX}}-3nz#7`H;)5yt5B-8JHAk$8mo3rFPSF+n>;iBaerps`ZQ+d^gl&r?lnH1 z#`mvszRxB3zV+!SGk^6^lKQlDL=X+zEga+Ar_(tMRmt#OL;`N4jv_S-hv+U+LU6cF zqhr0(={g35PDJQo@-9+$q7sq3lM>hpMku#P<*w88PK(JytdEY!hpJ#W9uJ{zg~mgO zTVe4KVssMknD4YWJOmt+$ecWLPIs3WQMTmU)A;_6Ip6neG#%hUN3dPATjAI)%B|3B7iDy&jT`i|$hM35 zi#z*qtRoLg8U|E9IMB?>U4;Ga3~$Ik~Y-5eA+TtcUu0U zVNthD;#A@BX?2iFZ|8hF2Re5kOo6y7s95zyHm=N z(#qvEu?VoSdxaENcgqUkeBKUtC3SiLmD?oRkr-cLK%ttXg0#eb)O~qoCZJh^TKL=eL1qmq6#PBwQXB0-;8?`;<8va4>$kB z7ykKHqoU)OxKhz{0#M?@V#NiH)5u<#T#MG;`^sbzdnh8(H>`%z$J2U64UL8jt#-F3 ztmE=mNziy_zfUiwPF)xj;w~#svC-Q69D`9_UggInycha8O515{k0zP=%bU^6`*-f+dt!Q<6$P21b7463dEAGQd}1aP7qOYyf%+K) zgj2xCSxKbu>dBx2YoJuo<;9JnT7kN!lmm_>`FU_ zd!@RYGxN&4QkYeRwXcd|sx)U5iOZYBcG=vf~;F_cJ8|sGNP>bCy=-BIDxpZ^{aWLvNFqP0*I!-Jn zN&)jN$k=pdR(-`X(*bw6>LD{08(vaCHBSkAT347J9MjhFF-VL-;$>DCxTT`ebg&ih zYMmYf=rA8b4Aaw_R87Z&p@(08*s6HWg<{o>m^vjh-{YD2KlNwkFT8=7`8E@o`6q6q 
z&b+_I`FH0l@%K!2bOVQuyDXbjYBB^6pVl@iX6yy-23g&HmO)p)X_c2ZDEi=A%LLOJb+NX zke;usY!_ot2}J=Q?%yeTb(6Kp23e_7)3zYlU(~#yRV7bT{~4k~WVSHn(i$jm&{!5b zeU4zgNUvpeYCa#%+K)$*_~(_$iIZ!)PXhHfxqRy7(heUD3i%`HI~qH&PwW6sxwOH` zcGV9PVsT;AzSP8Gxn_vMJ%w4SX4?(s^7U=Zji-Qy_?1q4jvHbF5_ADLt|Fdzn`2_A zZfD2PT-%FU5Uq!gZ&^Mwvt(*A2YKrVMmT0YTwaDzB^@pT5Dt_2Lm$T1oGHX++U^MX zI==-D45QD|+V0x5{maGC5)9~oFr!`2j>rW{m*<>EfT@4} z)6|*w66gDO`}zKBXOZtW;88@WKXX?a-~Sos`|%{-f9-6P-~ZNsOH!lexmqGaRxhs= zS9jK;w5>DIJ7l)G2Nr|oa{YzJC-)*Wdn_sDuOMg#UW-*kew-9IB_TfE@}=!nNR4Te z3ydcxiQ)LPo}S}j+?f>hRF}dqcE1#x4je*%AqR4C5{sHA)1vD%VZbe>1i4(ug6i7E z_AYd>p>5#`jIwnUjf}hOMqs$iBQ@wJw28D%yh=@v)xkzQDzWERYw+LAxJ5RZk*MT+|76lon07GNi;1l!S9Z6qk-1dvL8gB5-n-NI z{wdD)KkDcEmwe>=;vWdU|K8-?X?*`W=le&JeE*Uk<@eVizdzC?%NtwVrd#g+jiVsYDZZN$W{Gj}Bx zAdy_IL)zcsOIDTk5^C>Z{xVl*F6aO!f|o_sTuSMok7uHCU=fiDwqaP;6f;BNDzD0u z!4YCQuo83sSEr3C%@*Q0e{q2(QM#?{Ez&`i(nE~F_* zWkzpFidDL;DrwsRX;^lP*j2Dnn^gK2?r^y+ngc>-%@Ri}!+E&a)`W@x%D3Y$q~S&1 zUg$VCr14J|_n(Oen!KELms4A`TINI!P_=Cz*Z#N>pDsK@)^I+m^CC_dTtti-LE1_? zGuVCmBeOs5xI)E>q8GmSlNmY8Z$gTlD<}nJ8oUZmqM5}J@oEBZQYqwdcJ>qi{l;T4 z!2L^)-69}xk(rxOW|acqmEeTqh3`m>h>5EWp4D^!7wA&VBJ(xdFvIKgtN5`A;iE2o zk_4A)d(HcZcXBzlcFX(4?QO-;tMalw;H6u9yDVJx<(K)1D_#eVOQqX9s5D$M?&Es| z3CU0)Yhir#h87ZTE_@1uXOKr9|4b-$%kb;uMu1ChT+UnHAaKN+t$c$3ZYrZqzQ!!} zTE+I15mF?eRM56-Fyy3gI~L(vdI)qT-7Ny3UKsntb)zV%$C1G`#6eVE(4#|Z5mTpR z=2v-U{=DFctBG!Vo@*^h^HDiI-3~a zz=bFfFR^CACG}K*PKL5&@dzyi71Pj!fDk94B+MXSm=+ z=<9gjka!MR3R)xHpLTif2730}p`REoRNy(d%mKqL=t!8G(m!E-$Xw1*VMpslOr65_ z*Erw*u%GW=dl~t@a04C!lz%tQNI!yN_}k0(x4rY$8_4(S-zWM0wU?ur_obJB??HQE zciio539Z<`4jo2^RHcWvdy{DxBDh{kIz8}yXATU}a7!8{^h!9!TZfE8vt3uLCV49E zK@&$_P^(3PVqU_Hg)h8gH$leH9~LXikjpHpmE}$&@OuKi?VLys8yL#*(Tp0xM&Vc3 zNHh5rwjzwFO#Bubeuu5w%c0cGp~!?Soc3j7WICV0kT}@vV4DlEL&U_N0N$w^369>TU6mF ke=`u}en7DW%FBP9Noi5|iOK1n7Ht92e_+ any any (dsize:0; sid: 1000001;) 
diff --git a/tests/threshold/threshold-config-suppress-byeither-ip/suricata.yaml b/tests/threshold/threshold-config-suppress-byeither-ip/suricata.yaml
new file mode 100644
index 000000000..ee5c3f004
--- /dev/null
+++ b/tests/threshold/threshold-config-suppress-byeither-ip/suricata.yaml
@@ -0,0 +1,15 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular
+ filename: eve.json
+ types:
+ - alert
+ - drop:
+ flows: all
+ alerts: true
+ - http
+ - anomaly
diff --git a/tests/threshold/threshold-config-suppress-byeither-ip/test.yaml b/tests/threshold/threshold-config-suppress-byeither-ip/test.yaml
new file mode 100644
index 000000000..11a7b5332
--- /dev/null
+++ b/tests/threshold/threshold-config-suppress-byeither-ip/test.yaml
@@ -0,0 +1,21 @@
+requires:
+ min-version: 7
+
+args:
+- --set threshold-file=${TEST_DIR}/threshold.config
+- --simulate-ips
+
+checks:
+ - filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 1000001
+ - filter:
+ count: 19
+ match:
+ event_type: drop
+ - filter:
+ count: 1
+ match:
+ event_type: http
diff --git a/tests/threshold/threshold-config-suppress-byeither-ip/threshold.config b/tests/threshold/threshold-config-suppress-byeither-ip/threshold.config
new file mode 100644
index 000000000..13aaba27c
--- /dev/null
+++ b/tests/threshold/threshold-config-suppress-byeither-ip/threshold.config
@@ -0,0 +1 @@
+suppress gen_id 1, sig_id 1000001, track by_either, ip 145.254.160.237
diff --git a/tests/threshold/threshold-config-suppress-byeither-ipsubnet/README.md b/tests/threshold/threshold-config-suppress-byeither-ipsubnet/README.md
new file mode 100644
index 000000000..a9a4cbde0
--- /dev/null
+++ b/tests/threshold/threshold-config-suppress-byeither-ipsubnet/README.md
@@ -0,0 +1,5 @@
+# Threshold.config with by_rule
+
+This test checks threshold.config file using by_rule keyword
+
+The pcap file is from http-all-headers test
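Review bot: The byeither-ip threshold.config on this line exercises `suppress gen_id 1, sig_id 1000001, track by_either, ip 145.254.160.237`, but the README that documents this directory (same blob a9a4cbde0 as the README hunk at the end of this line and those for byeither-ipvar, bysrc-ip, bysrc-ipsubnet and bysrc-ipvar later in the patch) describes a by_rule test, so the title and description were evidently copied from an earlier threshold test. Each README should name the track mode and the ip form under test, for example `# Threshold.config suppress with track by_either and a host IP` and `This test checks a threshold.config suppress entry using track by_either with a single IP address`, with the ipsubnet and ipvar directories saying CIDR and address-group variable respectively. The pcap-origin line can stay as it is.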
diff --git a/tests/threshold/threshold-config-suppress-byeither-ipsubnet/input.pcap b/tests/threshold/threshold-config-suppress-byeither-ipsubnet/input.pcap new file mode 100644 index 0000000000000000000000000000000000000000..bf5caebc47f844e06763725c8634e26762456f4e GIT binary patch literal 21263 zc-qZe+ixS+c^|JYwdp8cH*OFY0eUhU+mcPrkh-m;m1J{u_v*qdwcZUJV|zGrNRBz2 znVpL$F5JRFQ{*9ji1SdRMK6xs)^+P5KoJ;uNDvqP2aF;C@{p!2>K1651a91>C{Wn_ zzH?^C8Il@NT)B-FTFveJ&Ue1c?|kPn^S!tK>g#8uJEZ96!w)6tHu!t)(yLE=>$`VI z%W#apAACsob^N_sT9c&weZ?oF=kI#)-(LLS<)0MadH3(evQla88y|cEQJgdK+}j_M zq%(Ki`OVvIyW`Af0d1Y#-a!*M0#l$#(i4(;*Uz$ugosjUEPMYp{R$vH;QaC@-+B6n z98Hg-%>u^kAlb(6TjjF7*CX2lfcQe`>_gvf>yi|q{K^@L|MsGs`K9~T5ap|92cmrH zp>Mx_O_Da&_KB+7Ez7j2uGIaeNjCTQOKL$WjAb@$&tD*|R!d=iowzno6qMNsvca^5 ztxo3i)A>SSYAjRKH0A)F&klX{uxVzgB0IE=ccw`pzfd^8P?#heJNsjqGII~G z)kTMDbx^}L_59opsJ?129ZCl*3&r5J8}brsc8c2Jx>@-$98=ZxaPRr zY~mwoE-S(0k!Xcm=9pZ^j4j__iVAH0d>n4*s zRblJk2} z(3?!C>4Qj7RkPDFsWYQi_xbViB9yGb|1>73>g!3dL#a(x_2u3+be}}CPj(CqdY??* zn<3mJOLD7j_$-H7g>bO!mP?%r@^aTN>N7(K<6;|x-a3{G@xcl;!^-g|AbRu8;e}f? 
zWT*bB?KX);n^23#sH@e{NBz33FUbycm7r}N|B28^P_$Mvauve@0tn0ZRe?TpPprYQ zvp&Z~aWGn9C=UTszxj{1rKJ|@Jhk{~GAa1*{rk78?_p};0^dg{DSZDj=lgt;@2l@c zeE;_6Bq=6$GNrz6FQ$28lj8Z{mV0h~tGl~bE=Pdxf7w(r}`K{fFxmZLV+>`DMn zTD?&YAuew40O#n5DCyMf_FqFKAt~~J5v(I59u#n0h)w}GqX1OtjZg#Y#m|ib(3=@Tqq19 z+c&hZjR~cFCYK`@8T34)sFUg0xx?8!$>oyTqs&6I61OQ~CJ<{F|PeJ&#QN$)DYk#`hbX?|;(I_vSwGz4;x% z_k}Oro5uHF=X|dw`QF@*`2ORUBx!1Pa$dd=6PqU;AT?+sepw_SaD6r(zl_$VypckC z*QwV<(`?gruZvz9ADM-psj0sEHN3aZe|qnkhSk8kdH&OT7m~`OVbMHzcZ&bOT~!6k zf~#wc1f|CV$QZ^>F8>` zJ{EZx&&Q&Rm;^HyQ~=$J0oh7w^kU{F!hOHaNaq314qS~97>O_vmM0WsFf7l96deXE z1WXtW`?CP3lTGRa%(h_#hw3`hZI@$#Yw* zLXh6D7(f}mN1BG~+ODUB@mHT-E(_6CKr|44T8NLs&4o-SjE@{O8#n@j9u?;mbXfzLRXVyu866+^lwbGXV^8H04>Rw|!4ipvm;I*pilUbC7l} z+3-Yq>AYp+E#8Da1DUk#9npAfrx$?KP`e6TiQ0g~uAw$<%kXU%(*3w5%Pj_}-9RMa z?cmTg#_i&`_Omd$=aE@8AaE6@?mS*|?ZCMX5j8n8BZqFdj%8x~1N^QhJh9plHDMAI zHzwO)M?|K6esV00sbAqttt6TH#OV!6QR$Md&D@x*}4En_%Xta?#lwc zrYk~~uZ!CYG#Dls5yOT;w}rG#n}JJt=^pJ22!mL;o0<~PrqVnN z!_Z6EmmM0KeN@>Ioj7thByOCJ^n4P_{Xz=&2z7x^52#`Car1#eGe@S1=cr{{+5z+w zc+hUzfk#%JDr0pq0*>Z-=jYU&HJsGVtJg~ScZzIvx`$h%=9XbiO`aA(M_?ZvO%GSY zaAX}}-3nz#7`H;)5yt5B-8JHAk$8mo3rFPSF+n>;iBaerps`ZQ+d^gl&r?lnH1 z#`mvszRxB3zV+!SGk^6^lKQlDL=X+zEga+Ar_(tMRmt#OL;`N4jv_S-hv+U+LU6cF zqhr0(={g35PDJQo@-9+$q7sq3lM>hpMku#P<*w88PK(JytdEY!hpJ#W9uJ{zg~mgO zTVe4KVssMknD4YWJOmt+$ecWLPIs3WQMTmU)A;_6Ip6neG#%hUN3dPATjAI)%B|3B7iDy&jT`i|$hM35 zi#z*qtRoLg8U|E9IMB?>U4;Ga3~$Ik~Y-5eA+TtcUu0U zVNthD;#A@BX?2iFZ|8hF2Re5kOo6y7s95zyHm=N z(#qvEu?VoSdxaENcgqUkeBKUtC3SiLmD?oRkr-cLK%ttXg0#eb)O~qoCZJh^TKL=eL1qmq6#PBwQXB0-;8?`;<8va4>$kB z7ykKHqoU)OxKhz{0#M?@V#NiH)5u<#T#MG;`^sbzdnh8(H>`%z$J2U64UL8jt#-F3 ztmE=mNziy_zfUiwPF)xj;w~#svC-Q69D`9_UggInycha8O515{k0zP=%bU^6`*-f+dt!Q<6$P21b7463dEAGQd}1aP7qOYyf%+K) zgj2xCSxKbu>dBx2YoJuo<;9JnT7kN!lmm_>`FU_ zd!@RYGxN&4QkYeRwXcd|sx)U5iOZYBcG=vf~;F_cJ8|sGNP>bCy=-BIDxpZ^{aWLvNFqP0*I!-Jn zN&)jN$k=pdR(-`X(*bw6>LD{08(vaCHBSkAT347J9MjhFF-VL-;$>DCxTT`ebg&ih zYMmYf=rA8b4Aaw_R87Z&p@(08*s6HWg<{o>m^vjh-{YD2KlNwkFT8=7`8E@o`6q6q 
z&b+_I`FH0l@%K!2bOVQuyDXbjYBB^6pVl@iX6yy-23g&HmO)p)X_c2ZDEi=A%LLOJb+NX zke;usY!_ot2}J=Q?%yeTb(6Kp23e_7)3zYlU(~#yRV7bT{~4k~WVSHn(i$jm&{!5b zeU4zgNUvpeYCa#%+K)$*_~(_$iIZ!)PXhHfxqRy7(heUD3i%`HI~qH&PwW6sxwOH` zcGV9PVsT;AzSP8Gxn_vMJ%w4SX4?(s^7U=Zji-Qy_?1q4jvHbF5_ADLt|Fdzn`2_A zZfD2PT-%FU5Uq!gZ&^Mwvt(*A2YKrVMmT0YTwaDzB^@pT5Dt_2Lm$T1oGHX++U^MX zI==-D45QD|+V0x5{maGC5)9~oFr!`2j>rW{m*<>EfT@4} z)6|*w66gDO`}zKBXOZtW;88@WKXX?a-~Sos`|%{-f9-6P-~ZNsOH!lexmqGaRxhs= zS9jK;w5>DIJ7l)G2Nr|oa{YzJC-)*Wdn_sDuOMg#UW-*kew-9IB_TfE@}=!nNR4Te z3ydcxiQ)LPo}S}j+?f>hRF}dqcE1#x4je*%AqR4C5{sHA)1vD%VZbe>1i4(ug6i7E z_AYd>p>5#`jIwnUjf}hOMqs$iBQ@wJw28D%yh=@v)xkzQDzWERYw+LAxJ5RZk*MT+|76lon07GNi;1l!S9Z6qk-1dvL8gB5-n-NI z{wdD)KkDcEmwe>=;vWdU|K8-?X?*`W=le&JeE*Uk<@eVizdzC?%NtwVrd#g+jiVsYDZZN$W{Gj}Bx zAdy_IL)zcsOIDTk5^C>Z{xVl*F6aO!f|o_sTuSMok7uHCU=fiDwqaP;6f;BNDzD0u z!4YCQuo83sSEr3C%@*Q0e{q2(QM#?{Ez&`i(nE~F_* zWkzpFidDL;DrwsRX;^lP*j2Dnn^gK2?r^y+ngc>-%@Ri}!+E&a)`W@x%D3Y$q~S&1 zUg$VCr14J|_n(Oen!KELms4A`TINI!P_=Cz*Z#N>pDsK@)^I+m^CC_dTtti-LE1_? zGuVCmBeOs5xI)E>q8GmSlNmY8Z$gTlD<}nJ8oUZmqM5}J@oEBZQYqwdcJ>qi{l;T4 z!2L^)-69}xk(rxOW|acqmEeTqh3`m>h>5EWp4D^!7wA&VBJ(xdFvIKgtN5`A;iE2o zk_4A)d(HcZcXBzlcFX(4?QO-;tMalw;H6u9yDVJx<(K)1D_#eVOQqX9s5D$M?&Es| z3CU0)Yhir#h87ZTE_@1uXOKr9|4b-$%kb;uMu1ChT+UnHAaKN+t$c$3ZYrZqzQ!!} zTE+I15mF?eRM56-Fyy3gI~L(vdI)qT-7Ny3UKsntb)zV%$C1G`#6eVE(4#|Z5mTpR z=2v-U{=DFctBG!Vo@*^h^HDiI-3~a zz=bFfFR^CACG}K*PKL5&@dzyi71Pj!fDk94B+MXSm=+ z=<9gjka!MR3R)xHpLTif2730}p`REoRNy(d%mKqL=t!8G(m!E-$Xw1*VMpslOr65_ z*Erw*u%GW=dl~t@a04C!lz%tQNI!yN_}k0(x4rY$8_4(S-zWM0wU?ur_obJB??HQE zciio539Z<`4jo2^RHcWvdy{DxBDh{kIz8}yXATU}a7!8{^h!9!TZfE8vt3uLCV49E zK@&$_P^(3PVqU_Hg)h8gH$leH9~LXikjpHpmE}$&@OuKi?VLys8yL#*(Tp0xM&Vc3 zNHh5rwjzwFO#Bubeuu5w%c0cGp~!?Soc3j7WICV0kT}@vV4DlEL&U_N0N$w^369>TU6mF ke=`u}en7DW%FBP9Noi5|iOK1n7Ht92e_+ any any (dsize:0; sid: 1000001;) 
diff --git a/tests/threshold/threshold-config-suppress-byeither-ipsubnet/suricata.yaml b/tests/threshold/threshold-config-suppress-byeither-ipsubnet/suricata.yaml
new file mode 100644
index 000000000..ee5c3f004
--- /dev/null
+++ b/tests/threshold/threshold-config-suppress-byeither-ipsubnet/suricata.yaml
@@ -0,0 +1,15 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular
+ filename: eve.json
+ types:
+ - alert
+ - drop:
+ flows: all
+ alerts: true
+ - http
+ - anomaly
diff --git a/tests/threshold/threshold-config-suppress-byeither-ipsubnet/test.yaml b/tests/threshold/threshold-config-suppress-byeither-ipsubnet/test.yaml
new file mode 100644
index 000000000..11a7b5332
--- /dev/null
+++ b/tests/threshold/threshold-config-suppress-byeither-ipsubnet/test.yaml
@@ -0,0 +1,21 @@
+requires:
+ min-version: 7
+
+args:
+- --set threshold-file=${TEST_DIR}/threshold.config
+- --simulate-ips
+
+checks:
+ - filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 1000001
+ - filter:
+ count: 19
+ match:
+ event_type: drop
+ - filter:
+ count: 1
+ match:
+ event_type: http
diff --git a/tests/threshold/threshold-config-suppress-byeither-ipsubnet/threshold.config b/tests/threshold/threshold-config-suppress-byeither-ipsubnet/threshold.config
new file mode 100644
index 000000000..0f55909e5
--- /dev/null
+++ b/tests/threshold/threshold-config-suppress-byeither-ipsubnet/threshold.config
@@ -0,0 +1 @@
+suppress gen_id 1, sig_id 1000001, track by_either, ip 145.254.160.0/24
diff --git a/tests/threshold/threshold-config-suppress-byeither-ipvar/README.md b/tests/threshold/threshold-config-suppress-byeither-ipvar/README.md
new file mode 100644
index 000000000..a9a4cbde0
--- /dev/null
+++ b/tests/threshold/threshold-config-suppress-byeither-ipvar/README.md
@@ -0,0 +1,5 @@
+# Threshold.config with by_rule
+
+This test checks threshold.config file using by_rule keyword
+
+The pcap file is from http-all-headers test
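Review bot: The byeither-ipsubnet test.yaml on this line asserts exactly the counts of the byeither-ip test (0 alerts for sid 1000001, 19 drops, 1 http), and bysrc-ipsubnet later in the patch repeats bysrc-ip's 4/19/1, so if `ip 145.254.160.0/24` were parsed as the bare host address the subnet tests would still pass; the same blob hashes for test.yaml (11a7b5332, 65c1dea58) confirm they are byte-identical to the host-IP variants. Since the pcap appears to involve only the one 145.254.160.x host, the prefix and the address-group variable are never shown to do anything the plain IP does not. A negative control would make these cases meaningful: a directory whose threshold.config uses a prefix that excludes the host (a constructed example is `ip 145.254.161.0/24`) and whose test.yaml asserts the unsuppressed alert count, presumably 19 given by_src 4 plus by_dst 15 on the same pcap. The drop and http counts can be kept as invariants in that control too.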
diff --git a/tests/threshold/threshold-config-suppress-byeither-ipvar/input.pcap b/tests/threshold/threshold-config-suppress-byeither-ipvar/input.pcap new file mode 100644 index 0000000000000000000000000000000000000000..bf5caebc47f844e06763725c8634e26762456f4e GIT binary patch literal 21263 zc-qZe+ixS+c^|JYwdp8cH*OFY0eUhU+mcPrkh-m;m1J{u_v*qdwcZUJV|zGrNRBz2 znVpL$F5JRFQ{*9ji1SdRMK6xs)^+P5KoJ;uNDvqP2aF;C@{p!2>K1651a91>C{Wn_ zzH?^C8Il@NT)B-FTFveJ&Ue1c?|kPn^S!tK>g#8uJEZ96!w)6tHu!t)(yLE=>$`VI z%W#apAACsob^N_sT9c&weZ?oF=kI#)-(LLS<)0MadH3(evQla88y|cEQJgdK+}j_M zq%(Ki`OVvIyW`Af0d1Y#-a!*M0#l$#(i4(;*Uz$ugosjUEPMYp{R$vH;QaC@-+B6n z98Hg-%>u^kAlb(6TjjF7*CX2lfcQe`>_gvf>yi|q{K^@L|MsGs`K9~T5ap|92cmrH zp>Mx_O_Da&_KB+7Ez7j2uGIaeNjCTQOKL$WjAb@$&tD*|R!d=iowzno6qMNsvca^5 ztxo3i)A>SSYAjRKH0A)F&klX{uxVzgB0IE=ccw`pzfd^8P?#heJNsjqGII~G z)kTMDbx^}L_59opsJ?129ZCl*3&r5J8}brsc8c2Jx>@-$98=ZxaPRr zY~mwoE-S(0k!Xcm=9pZ^j4j__iVAH0d>n4*s zRblJk2} z(3?!C>4Qj7RkPDFsWYQi_xbViB9yGb|1>73>g!3dL#a(x_2u3+be}}CPj(CqdY??* zn<3mJOLD7j_$-H7g>bO!mP?%r@^aTN>N7(K<6;|x-a3{G@xcl;!^-g|AbRu8;e}f? 
zWT*bB?KX);n^23#sH@e{NBz33FUbycm7r}N|B28^P_$Mvauve@0tn0ZRe?TpPprYQ zvp&Z~aWGn9C=UTszxj{1rKJ|@Jhk{~GAa1*{rk78?_p};0^dg{DSZDj=lgt;@2l@c zeE;_6Bq=6$GNrz6FQ$28lj8Z{mV0h~tGl~bE=Pdxf7w(r}`K{fFxmZLV+>`DMn zTD?&YAuew40O#n5DCyMf_FqFKAt~~J5v(I59u#n0h)w}GqX1OtjZg#Y#m|ib(3=@Tqq19 z+c&hZjR~cFCYK`@8T34)sFUg0xx?8!$>oyTqs&6I61OQ~CJ<{F|PeJ&#QN$)DYk#`hbX?|;(I_vSwGz4;x% z_k}Oro5uHF=X|dw`QF@*`2ORUBx!1Pa$dd=6PqU;AT?+sepw_SaD6r(zl_$VypckC z*QwV<(`?gruZvz9ADM-psj0sEHN3aZe|qnkhSk8kdH&OT7m~`OVbMHzcZ&bOT~!6k zf~#wc1f|CV$QZ^>F8>` zJ{EZx&&Q&Rm;^HyQ~=$J0oh7w^kU{F!hOHaNaq314qS~97>O_vmM0WsFf7l96deXE z1WXtW`?CP3lTGRa%(h_#hw3`hZI@$#Yw* zLXh6D7(f}mN1BG~+ODUB@mHT-E(_6CKr|44T8NLs&4o-SjE@{O8#n@j9u?;mbXfzLRXVyu866+^lwbGXV^8H04>Rw|!4ipvm;I*pilUbC7l} z+3-Yq>AYp+E#8Da1DUk#9npAfrx$?KP`e6TiQ0g~uAw$<%kXU%(*3w5%Pj_}-9RMa z?cmTg#_i&`_Omd$=aE@8AaE6@?mS*|?ZCMX5j8n8BZqFdj%8x~1N^QhJh9plHDMAI zHzwO)M?|K6esV00sbAqttt6TH#OV!6QR$Md&D@x*}4En_%Xta?#lwc zrYk~~uZ!CYG#Dls5yOT;w}rG#n}JJt=^pJ22!mL;o0<~PrqVnN z!_Z6EmmM0KeN@>Ioj7thByOCJ^n4P_{Xz=&2z7x^52#`Car1#eGe@S1=cr{{+5z+w zc+hUzfk#%JDr0pq0*>Z-=jYU&HJsGVtJg~ScZzIvx`$h%=9XbiO`aA(M_?ZvO%GSY zaAX}}-3nz#7`H;)5yt5B-8JHAk$8mo3rFPSF+n>;iBaerps`ZQ+d^gl&r?lnH1 z#`mvszRxB3zV+!SGk^6^lKQlDL=X+zEga+Ar_(tMRmt#OL;`N4jv_S-hv+U+LU6cF zqhr0(={g35PDJQo@-9+$q7sq3lM>hpMku#P<*w88PK(JytdEY!hpJ#W9uJ{zg~mgO zTVe4KVssMknD4YWJOmt+$ecWLPIs3WQMTmU)A;_6Ip6neG#%hUN3dPATjAI)%B|3B7iDy&jT`i|$hM35 zi#z*qtRoLg8U|E9IMB?>U4;Ga3~$Ik~Y-5eA+TtcUu0U zVNthD;#A@BX?2iFZ|8hF2Re5kOo6y7s95zyHm=N z(#qvEu?VoSdxaENcgqUkeBKUtC3SiLmD?oRkr-cLK%ttXg0#eb)O~qoCZJh^TKL=eL1qmq6#PBwQXB0-;8?`;<8va4>$kB z7ykKHqoU)OxKhz{0#M?@V#NiH)5u<#T#MG;`^sbzdnh8(H>`%z$J2U64UL8jt#-F3 ztmE=mNziy_zfUiwPF)xj;w~#svC-Q69D`9_UggInycha8O515{k0zP=%bU^6`*-f+dt!Q<6$P21b7463dEAGQd}1aP7qOYyf%+K) zgj2xCSxKbu>dBx2YoJuo<;9JnT7kN!lmm_>`FU_ zd!@RYGxN&4QkYeRwXcd|sx)U5iOZYBcG=vf~;F_cJ8|sGNP>bCy=-BIDxpZ^{aWLvNFqP0*I!-Jn zN&)jN$k=pdR(-`X(*bw6>LD{08(vaCHBSkAT347J9MjhFF-VL-;$>DCxTT`ebg&ih zYMmYf=rA8b4Aaw_R87Z&p@(08*s6HWg<{o>m^vjh-{YD2KlNwkFT8=7`8E@o`6q6q 
z&b+_I`FH0l@%K!2bOVQuyDXbjYBB^6pVl@iX6yy-23g&HmO)p)X_c2ZDEi=A%LLOJb+NX zke;usY!_ot2}J=Q?%yeTb(6Kp23e_7)3zYlU(~#yRV7bT{~4k~WVSHn(i$jm&{!5b zeU4zgNUvpeYCa#%+K)$*_~(_$iIZ!)PXhHfxqRy7(heUD3i%`HI~qH&PwW6sxwOH` zcGV9PVsT;AzSP8Gxn_vMJ%w4SX4?(s^7U=Zji-Qy_?1q4jvHbF5_ADLt|Fdzn`2_A zZfD2PT-%FU5Uq!gZ&^Mwvt(*A2YKrVMmT0YTwaDzB^@pT5Dt_2Lm$T1oGHX++U^MX zI==-D45QD|+V0x5{maGC5)9~oFr!`2j>rW{m*<>EfT@4} z)6|*w66gDO`}zKBXOZtW;88@WKXX?a-~Sos`|%{-f9-6P-~ZNsOH!lexmqGaRxhs= zS9jK;w5>DIJ7l)G2Nr|oa{YzJC-)*Wdn_sDuOMg#UW-*kew-9IB_TfE@}=!nNR4Te z3ydcxiQ)LPo}S}j+?f>hRF}dqcE1#x4je*%AqR4C5{sHA)1vD%VZbe>1i4(ug6i7E z_AYd>p>5#`jIwnUjf}hOMqs$iBQ@wJw28D%yh=@v)xkzQDzWERYw+LAxJ5RZk*MT+|76lon07GNi;1l!S9Z6qk-1dvL8gB5-n-NI z{wdD)KkDcEmwe>=;vWdU|K8-?X?*`W=le&JeE*Uk<@eVizdzC?%NtwVrd#g+jiVsYDZZN$W{Gj}Bx zAdy_IL)zcsOIDTk5^C>Z{xVl*F6aO!f|o_sTuSMok7uHCU=fiDwqaP;6f;BNDzD0u z!4YCQuo83sSEr3C%@*Q0e{q2(QM#?{Ez&`i(nE~F_* zWkzpFidDL;DrwsRX;^lP*j2Dnn^gK2?r^y+ngc>-%@Ri}!+E&a)`W@x%D3Y$q~S&1 zUg$VCr14J|_n(Oen!KELms4A`TINI!P_=Cz*Z#N>pDsK@)^I+m^CC_dTtti-LE1_? zGuVCmBeOs5xI)E>q8GmSlNmY8Z$gTlD<}nJ8oUZmqM5}J@oEBZQYqwdcJ>qi{l;T4 z!2L^)-69}xk(rxOW|acqmEeTqh3`m>h>5EWp4D^!7wA&VBJ(xdFvIKgtN5`A;iE2o zk_4A)d(HcZcXBzlcFX(4?QO-;tMalw;H6u9yDVJx<(K)1D_#eVOQqX9s5D$M?&Es| z3CU0)Yhir#h87ZTE_@1uXOKr9|4b-$%kb;uMu1ChT+UnHAaKN+t$c$3ZYrZqzQ!!} zTE+I15mF?eRM56-Fyy3gI~L(vdI)qT-7Ny3UKsntb)zV%$C1G`#6eVE(4#|Z5mTpR z=2v-U{=DFctBG!Vo@*^h^HDiI-3~a zz=bFfFR^CACG}K*PKL5&@dzyi71Pj!fDk94B+MXSm=+ z=<9gjka!MR3R)xHpLTif2730}p`REoRNy(d%mKqL=t!8G(m!E-$Xw1*VMpslOr65_ z*Erw*u%GW=dl~t@a04C!lz%tQNI!yN_}k0(x4rY$8_4(S-zWM0wU?ur_obJB??HQE zciio539Z<`4jo2^RHcWvdy{DxBDh{kIz8}yXATU}a7!8{^h!9!TZfE8vt3uLCV49E zK@&$_P^(3PVqU_Hg)h8gH$leH9~LXikjpHpmE}$&@OuKi?VLys8yL#*(Tp0xM&Vc3 zNHh5rwjzwFO#Bubeuu5w%c0cGp~!?Soc3j7WICV0kT}@vV4DlEL&U_N0N$w^369>TU6mF ke=`u}en7DW%FBP9Noi5|iOK1n7Ht92e_+ any any (dsize:0; sid: 1000001;) 
diff --git a/tests/threshold/threshold-config-suppress-byeither-ipvar/suricata.yaml b/tests/threshold/threshold-config-suppress-byeither-ipvar/suricata.yaml
new file mode 100644
index 000000000..c746f55ca
--- /dev/null
+++ b/tests/threshold/threshold-config-suppress-byeither-ipvar/suricata.yaml
@@ -0,0 +1,21 @@
+%YAML 1.1
+---
+
+vars:
+ # more specific is better for alert accuracy and performance
+ address-groups:
+ SUPPRESS: "[10.0.0.0/8,20.0.0.0/16,145.0.0.0/8]"
+
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular
+ filename: eve.json
+ types:
+ - alert
+ - drop:
+ flows: all
+ alerts: true
+ - http
+ - anomaly
diff --git a/tests/threshold/threshold-config-suppress-byeither-ipvar/test.yaml b/tests/threshold/threshold-config-suppress-byeither-ipvar/test.yaml
new file mode 100644
index 000000000..11a7b5332
--- /dev/null
+++ b/tests/threshold/threshold-config-suppress-byeither-ipvar/test.yaml
@@ -0,0 +1,21 @@
+requires:
+ min-version: 7
+
+args:
+- --set threshold-file=${TEST_DIR}/threshold.config
+- --simulate-ips
+
+checks:
+ - filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 1000001
+ - filter:
+ count: 19
+ match:
+ event_type: drop
+ - filter:
+ count: 1
+ match:
+ event_type: http
diff --git a/tests/threshold/threshold-config-suppress-byeither-ipvar/threshold.config b/tests/threshold/threshold-config-suppress-byeither-ipvar/threshold.config
new file mode 100644
index 000000000..29d156306
--- /dev/null
+++ b/tests/threshold/threshold-config-suppress-byeither-ipvar/threshold.config
@@ -0,0 +1 @@
+suppress gen_id 1, sig_id 1000001, track by_either, ip $SUPPRESS
diff --git a/tests/threshold/threshold-config-suppress-bysrc-ip/README.md b/tests/threshold/threshold-config-suppress-bysrc-ip/README.md
new file mode 100644
index 000000000..a9a4cbde0
--- /dev/null
+++ b/tests/threshold/threshold-config-suppress-bysrc-ip/README.md
@@ -0,0 +1,5 @@
+# Threshold.config with by_rule
+
+This test checks threshold.config file using by_rule keyword
+
+The pcap file is from http-all-headers test
diff --git a/tests/threshold/threshold-config-suppress-bysrc-ip/input.pcap b/tests/threshold/threshold-config-suppress-bysrc-ip/input.pcap new file mode 100644 index 0000000000000000000000000000000000000000..bf5caebc47f844e06763725c8634e26762456f4e GIT binary patch literal 21263 zc-qZe+ixS+c^|JYwdp8cH*OFY0eUhU+mcPrkh-m;m1J{u_v*qdwcZUJV|zGrNRBz2 znVpL$F5JRFQ{*9ji1SdRMK6xs)^+P5KoJ;uNDvqP2aF;C@{p!2>K1651a91>C{Wn_ zzH?^C8Il@NT)B-FTFveJ&Ue1c?|kPn^S!tK>g#8uJEZ96!w)6tHu!t)(yLE=>$`VI z%W#apAACsob^N_sT9c&weZ?oF=kI#)-(LLS<)0MadH3(evQla88y|cEQJgdK+}j_M zq%(Ki`OVvIyW`Af0d1Y#-a!*M0#l$#(i4(;*Uz$ugosjUEPMYp{R$vH;QaC@-+B6n z98Hg-%>u^kAlb(6TjjF7*CX2lfcQe`>_gvf>yi|q{K^@L|MsGs`K9~T5ap|92cmrH zp>Mx_O_Da&_KB+7Ez7j2uGIaeNjCTQOKL$WjAb@$&tD*|R!d=iowzno6qMNsvca^5 ztxo3i)A>SSYAjRKH0A)F&klX{uxVzgB0IE=ccw`pzfd^8P?#heJNsjqGII~G z)kTMDbx^}L_59opsJ?129ZCl*3&r5J8}brsc8c2Jx>@-$98=ZxaPRr zY~mwoE-S(0k!Xcm=9pZ^j4j__iVAH0d>n4*s zRblJk2} z(3?!C>4Qj7RkPDFsWYQi_xbViB9yGb|1>73>g!3dL#a(x_2u3+be}}CPj(CqdY??* zn<3mJOLD7j_$-H7g>bO!mP?%r@^aTN>N7(K<6;|x-a3{G@xcl;!^-g|AbRu8;e}f? 
zWT*bB?KX);n^23#sH@e{NBz33FUbycm7r}N|B28^P_$Mvauve@0tn0ZRe?TpPprYQ zvp&Z~aWGn9C=UTszxj{1rKJ|@Jhk{~GAa1*{rk78?_p};0^dg{DSZDj=lgt;@2l@c zeE;_6Bq=6$GNrz6FQ$28lj8Z{mV0h~tGl~bE=Pdxf7w(r}`K{fFxmZLV+>`DMn zTD?&YAuew40O#n5DCyMf_FqFKAt~~J5v(I59u#n0h)w}GqX1OtjZg#Y#m|ib(3=@Tqq19 z+c&hZjR~cFCYK`@8T34)sFUg0xx?8!$>oyTqs&6I61OQ~CJ<{F|PeJ&#QN$)DYk#`hbX?|;(I_vSwGz4;x% z_k}Oro5uHF=X|dw`QF@*`2ORUBx!1Pa$dd=6PqU;AT?+sepw_SaD6r(zl_$VypckC z*QwV<(`?gruZvz9ADM-psj0sEHN3aZe|qnkhSk8kdH&OT7m~`OVbMHzcZ&bOT~!6k zf~#wc1f|CV$QZ^>F8>` zJ{EZx&&Q&Rm;^HyQ~=$J0oh7w^kU{F!hOHaNaq314qS~97>O_vmM0WsFf7l96deXE z1WXtW`?CP3lTGRa%(h_#hw3`hZI@$#Yw* zLXh6D7(f}mN1BG~+ODUB@mHT-E(_6CKr|44T8NLs&4o-SjE@{O8#n@j9u?;mbXfzLRXVyu866+^lwbGXV^8H04>Rw|!4ipvm;I*pilUbC7l} z+3-Yq>AYp+E#8Da1DUk#9npAfrx$?KP`e6TiQ0g~uAw$<%kXU%(*3w5%Pj_}-9RMa z?cmTg#_i&`_Omd$=aE@8AaE6@?mS*|?ZCMX5j8n8BZqFdj%8x~1N^QhJh9plHDMAI zHzwO)M?|K6esV00sbAqttt6TH#OV!6QR$Md&D@x*}4En_%Xta?#lwc zrYk~~uZ!CYG#Dls5yOT;w}rG#n}JJt=^pJ22!mL;o0<~PrqVnN z!_Z6EmmM0KeN@>Ioj7thByOCJ^n4P_{Xz=&2z7x^52#`Car1#eGe@S1=cr{{+5z+w zc+hUzfk#%JDr0pq0*>Z-=jYU&HJsGVtJg~ScZzIvx`$h%=9XbiO`aA(M_?ZvO%GSY zaAX}}-3nz#7`H;)5yt5B-8JHAk$8mo3rFPSF+n>;iBaerps`ZQ+d^gl&r?lnH1 z#`mvszRxB3zV+!SGk^6^lKQlDL=X+zEga+Ar_(tMRmt#OL;`N4jv_S-hv+U+LU6cF zqhr0(={g35PDJQo@-9+$q7sq3lM>hpMku#P<*w88PK(JytdEY!hpJ#W9uJ{zg~mgO zTVe4KVssMknD4YWJOmt+$ecWLPIs3WQMTmU)A;_6Ip6neG#%hUN3dPATjAI)%B|3B7iDy&jT`i|$hM35 zi#z*qtRoLg8U|E9IMB?>U4;Ga3~$Ik~Y-5eA+TtcUu0U zVNthD;#A@BX?2iFZ|8hF2Re5kOo6y7s95zyHm=N z(#qvEu?VoSdxaENcgqUkeBKUtC3SiLmD?oRkr-cLK%ttXg0#eb)O~qoCZJh^TKL=eL1qmq6#PBwQXB0-;8?`;<8va4>$kB z7ykKHqoU)OxKhz{0#M?@V#NiH)5u<#T#MG;`^sbzdnh8(H>`%z$J2U64UL8jt#-F3 ztmE=mNziy_zfUiwPF)xj;w~#svC-Q69D`9_UggInycha8O515{k0zP=%bU^6`*-f+dt!Q<6$P21b7463dEAGQd}1aP7qOYyf%+K) zgj2xCSxKbu>dBx2YoJuo<;9JnT7kN!lmm_>`FU_ zd!@RYGxN&4QkYeRwXcd|sx)U5iOZYBcG=vf~;F_cJ8|sGNP>bCy=-BIDxpZ^{aWLvNFqP0*I!-Jn zN&)jN$k=pdR(-`X(*bw6>LD{08(vaCHBSkAT347J9MjhFF-VL-;$>DCxTT`ebg&ih zYMmYf=rA8b4Aaw_R87Z&p@(08*s6HWg<{o>m^vjh-{YD2KlNwkFT8=7`8E@o`6q6q 
z&b+_I`FH0l@%K!2bOVQuyDXbjYBB^6pVl@iX6yy-23g&HmO)p)X_c2ZDEi=A%LLOJb+NX zke;usY!_ot2}J=Q?%yeTb(6Kp23e_7)3zYlU(~#yRV7bT{~4k~WVSHn(i$jm&{!5b zeU4zgNUvpeYCa#%+K)$*_~(_$iIZ!)PXhHfxqRy7(heUD3i%`HI~qH&PwW6sxwOH` zcGV9PVsT;AzSP8Gxn_vMJ%w4SX4?(s^7U=Zji-Qy_?1q4jvHbF5_ADLt|Fdzn`2_A zZfD2PT-%FU5Uq!gZ&^Mwvt(*A2YKrVMmT0YTwaDzB^@pT5Dt_2Lm$T1oGHX++U^MX zI==-D45QD|+V0x5{maGC5)9~oFr!`2j>rW{m*<>EfT@4} z)6|*w66gDO`}zKBXOZtW;88@WKXX?a-~Sos`|%{-f9-6P-~ZNsOH!lexmqGaRxhs= zS9jK;w5>DIJ7l)G2Nr|oa{YzJC-)*Wdn_sDuOMg#UW-*kew-9IB_TfE@}=!nNR4Te z3ydcxiQ)LPo}S}j+?f>hRF}dqcE1#x4je*%AqR4C5{sHA)1vD%VZbe>1i4(ug6i7E z_AYd>p>5#`jIwnUjf}hOMqs$iBQ@wJw28D%yh=@v)xkzQDzWERYw+LAxJ5RZk*MT+|76lon07GNi;1l!S9Z6qk-1dvL8gB5-n-NI z{wdD)KkDcEmwe>=;vWdU|K8-?X?*`W=le&JeE*Uk<@eVizdzC?%NtwVrd#g+jiVsYDZZN$W{Gj}Bx zAdy_IL)zcsOIDTk5^C>Z{xVl*F6aO!f|o_sTuSMok7uHCU=fiDwqaP;6f;BNDzD0u z!4YCQuo83sSEr3C%@*Q0e{q2(QM#?{Ez&`i(nE~F_* zWkzpFidDL;DrwsRX;^lP*j2Dnn^gK2?r^y+ngc>-%@Ri}!+E&a)`W@x%D3Y$q~S&1 zUg$VCr14J|_n(Oen!KELms4A`TINI!P_=Cz*Z#N>pDsK@)^I+m^CC_dTtti-LE1_? zGuVCmBeOs5xI)E>q8GmSlNmY8Z$gTlD<}nJ8oUZmqM5}J@oEBZQYqwdcJ>qi{l;T4 z!2L^)-69}xk(rxOW|acqmEeTqh3`m>h>5EWp4D^!7wA&VBJ(xdFvIKgtN5`A;iE2o zk_4A)d(HcZcXBzlcFX(4?QO-;tMalw;H6u9yDVJx<(K)1D_#eVOQqX9s5D$M?&Es| z3CU0)Yhir#h87ZTE_@1uXOKr9|4b-$%kb;uMu1ChT+UnHAaKN+t$c$3ZYrZqzQ!!} zTE+I15mF?eRM56-Fyy3gI~L(vdI)qT-7Ny3UKsntb)zV%$C1G`#6eVE(4#|Z5mTpR z=2v-U{=DFctBG!Vo@*^h^HDiI-3~a zz=bFfFR^CACG}K*PKL5&@dzyi71Pj!fDk94B+MXSm=+ z=<9gjka!MR3R)xHpLTif2730}p`REoRNy(d%mKqL=t!8G(m!E-$Xw1*VMpslOr65_ z*Erw*u%GW=dl~t@a04C!lz%tQNI!yN_}k0(x4rY$8_4(S-zWM0wU?ur_obJB??HQE zciio539Z<`4jo2^RHcWvdy{DxBDh{kIz8}yXATU}a7!8{^h!9!TZfE8vt3uLCV49E zK@&$_P^(3PVqU_Hg)h8gH$leH9~LXikjpHpmE}$&@OuKi?VLys8yL#*(Tp0xM&Vc3 zNHh5rwjzwFO#Bubeuu5w%c0cGp~!?Soc3j7WICV0kT}@vV4DlEL&U_N0N$w^369>TU6mF ke=`u}en7DW%FBP9Noi5|iOK1n7Ht92e_+ any any (dsize:0; sid: 1000001;) 
diff --git a/tests/threshold/threshold-config-suppress-bysrc-ip/suricata.yaml b/tests/threshold/threshold-config-suppress-bysrc-ip/suricata.yaml
new file mode 100644
index 000000000..ee5c3f004
--- /dev/null
+++ b/tests/threshold/threshold-config-suppress-bysrc-ip/suricata.yaml
@@ -0,0 +1,15 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular
+ filename: eve.json
+ types:
+ - alert
+ - drop:
+ flows: all
+ alerts: true
+ - http
+ - anomaly
diff --git a/tests/threshold/threshold-config-suppress-bysrc-ip/test.yaml b/tests/threshold/threshold-config-suppress-bysrc-ip/test.yaml
new file mode 100644
index 000000000..65c1dea58
--- /dev/null
+++ b/tests/threshold/threshold-config-suppress-bysrc-ip/test.yaml
@@ -0,0 +1,21 @@
+requires:
+ min-version: 7
+
+args:
+- --set threshold-file=${TEST_DIR}/threshold.config
+- --simulate-ips
+
+checks:
+ - filter:
+ count: 4
+ match:
+ event_type: alert
+ alert.signature_id: 1000001
+ - filter:
+ count: 19
+ match:
+ event_type: drop
+ - filter:
+ count: 1
+ match:
+ event_type: http
diff --git a/tests/threshold/threshold-config-suppress-bysrc-ip/threshold.config b/tests/threshold/threshold-config-suppress-bysrc-ip/threshold.config
new file mode 100644
index 000000000..7cd83dd7a
--- /dev/null
+++ b/tests/threshold/threshold-config-suppress-bysrc-ip/threshold.config
@@ -0,0 +1 @@
+suppress gen_id 1, sig_id 1000001, track by_src, ip 145.254.160.237
diff --git a/tests/threshold/threshold-config-suppress-bysrc-ipsubnet/README.md b/tests/threshold/threshold-config-suppress-bysrc-ipsubnet/README.md
new file mode 100644
index 000000000..a9a4cbde0
--- /dev/null
+++ b/tests/threshold/threshold-config-suppress-bysrc-ipsubnet/README.md
@@ -0,0 +1,5 @@
+# Threshold.config with by_rule
+
+This test checks threshold.config file using by_rule keyword
+
+The pcap file is from http-all-headers test
diff --git a/tests/threshold/threshold-config-suppress-bysrc-ipsubnet/input.pcap b/tests/threshold/threshold-config-suppress-bysrc-ipsubnet/input.pcap new file mode 100644 index 0000000000000000000000000000000000000000..bf5caebc47f844e06763725c8634e26762456f4e GIT binary patch literal 21263 zc-qZe+ixS+c^|JYwdp8cH*OFY0eUhU+mcPrkh-m;m1J{u_v*qdwcZUJV|zGrNRBz2 znVpL$F5JRFQ{*9ji1SdRMK6xs)^+P5KoJ;uNDvqP2aF;C@{p!2>K1651a91>C{Wn_ zzH?^C8Il@NT)B-FTFveJ&Ue1c?|kPn^S!tK>g#8uJEZ96!w)6tHu!t)(yLE=>$`VI z%W#apAACsob^N_sT9c&weZ?oF=kI#)-(LLS<)0MadH3(evQla88y|cEQJgdK+}j_M zq%(Ki`OVvIyW`Af0d1Y#-a!*M0#l$#(i4(;*Uz$ugosjUEPMYp{R$vH;QaC@-+B6n z98Hg-%>u^kAlb(6TjjF7*CX2lfcQe`>_gvf>yi|q{K^@L|MsGs`K9~T5ap|92cmrH zp>Mx_O_Da&_KB+7Ez7j2uGIaeNjCTQOKL$WjAb@$&tD*|R!d=iowzno6qMNsvca^5 ztxo3i)A>SSYAjRKH0A)F&klX{uxVzgB0IE=ccw`pzfd^8P?#heJNsjqGII~G z)kTMDbx^}L_59opsJ?129ZCl*3&r5J8}brsc8c2Jx>@-$98=ZxaPRr zY~mwoE-S(0k!Xcm=9pZ^j4j__iVAH0d>n4*s zRblJk2} z(3?!C>4Qj7RkPDFsWYQi_xbViB9yGb|1>73>g!3dL#a(x_2u3+be}}CPj(CqdY??* zn<3mJOLD7j_$-H7g>bO!mP?%r@^aTN>N7(K<6;|x-a3{G@xcl;!^-g|AbRu8;e}f? 
zWT*bB?KX);n^23#sH@e{NBz33FUbycm7r}N|B28^P_$Mvauve@0tn0ZRe?TpPprYQ zvp&Z~aWGn9C=UTszxj{1rKJ|@Jhk{~GAa1*{rk78?_p};0^dg{DSZDj=lgt;@2l@c zeE;_6Bq=6$GNrz6FQ$28lj8Z{mV0h~tGl~bE=Pdxf7w(r}`K{fFxmZLV+>`DMn zTD?&YAuew40O#n5DCyMf_FqFKAt~~J5v(I59u#n0h)w}GqX1OtjZg#Y#m|ib(3=@Tqq19 z+c&hZjR~cFCYK`@8T34)sFUg0xx?8!$>oyTqs&6I61OQ~CJ<{F|PeJ&#QN$)DYk#`hbX?|;(I_vSwGz4;x% z_k}Oro5uHF=X|dw`QF@*`2ORUBx!1Pa$dd=6PqU;AT?+sepw_SaD6r(zl_$VypckC z*QwV<(`?gruZvz9ADM-psj0sEHN3aZe|qnkhSk8kdH&OT7m~`OVbMHzcZ&bOT~!6k zf~#wc1f|CV$QZ^>F8>` zJ{EZx&&Q&Rm;^HyQ~=$J0oh7w^kU{F!hOHaNaq314qS~97>O_vmM0WsFf7l96deXE z1WXtW`?CP3lTGRa%(h_#hw3`hZI@$#Yw* zLXh6D7(f}mN1BG~+ODUB@mHT-E(_6CKr|44T8NLs&4o-SjE@{O8#n@j9u?;mbXfzLRXVyu866+^lwbGXV^8H04>Rw|!4ipvm;I*pilUbC7l} z+3-Yq>AYp+E#8Da1DUk#9npAfrx$?KP`e6TiQ0g~uAw$<%kXU%(*3w5%Pj_}-9RMa z?cmTg#_i&`_Omd$=aE@8AaE6@?mS*|?ZCMX5j8n8BZqFdj%8x~1N^QhJh9plHDMAI zHzwO)M?|K6esV00sbAqttt6TH#OV!6QR$Md&D@x*}4En_%Xta?#lwc zrYk~~uZ!CYG#Dls5yOT;w}rG#n}JJt=^pJ22!mL;o0<~PrqVnN z!_Z6EmmM0KeN@>Ioj7thByOCJ^n4P_{Xz=&2z7x^52#`Car1#eGe@S1=cr{{+5z+w zc+hUzfk#%JDr0pq0*>Z-=jYU&HJsGVtJg~ScZzIvx`$h%=9XbiO`aA(M_?ZvO%GSY zaAX}}-3nz#7`H;)5yt5B-8JHAk$8mo3rFPSF+n>;iBaerps`ZQ+d^gl&r?lnH1 z#`mvszRxB3zV+!SGk^6^lKQlDL=X+zEga+Ar_(tMRmt#OL;`N4jv_S-hv+U+LU6cF zqhr0(={g35PDJQo@-9+$q7sq3lM>hpMku#P<*w88PK(JytdEY!hpJ#W9uJ{zg~mgO zTVe4KVssMknD4YWJOmt+$ecWLPIs3WQMTmU)A;_6Ip6neG#%hUN3dPATjAI)%B|3B7iDy&jT`i|$hM35 zi#z*qtRoLg8U|E9IMB?>U4;Ga3~$Ik~Y-5eA+TtcUu0U zVNthD;#A@BX?2iFZ|8hF2Re5kOo6y7s95zyHm=N z(#qvEu?VoSdxaENcgqUkeBKUtC3SiLmD?oRkr-cLK%ttXg0#eb)O~qoCZJh^TKL=eL1qmq6#PBwQXB0-;8?`;<8va4>$kB z7ykKHqoU)OxKhz{0#M?@V#NiH)5u<#T#MG;`^sbzdnh8(H>`%z$J2U64UL8jt#-F3 ztmE=mNziy_zfUiwPF)xj;w~#svC-Q69D`9_UggInycha8O515{k0zP=%bU^6`*-f+dt!Q<6$P21b7463dEAGQd}1aP7qOYyf%+K) zgj2xCSxKbu>dBx2YoJuo<;9JnT7kN!lmm_>`FU_ zd!@RYGxN&4QkYeRwXcd|sx)U5iOZYBcG=vf~;F_cJ8|sGNP>bCy=-BIDxpZ^{aWLvNFqP0*I!-Jn zN&)jN$k=pdR(-`X(*bw6>LD{08(vaCHBSkAT347J9MjhFF-VL-;$>DCxTT`ebg&ih zYMmYf=rA8b4Aaw_R87Z&p@(08*s6HWg<{o>m^vjh-{YD2KlNwkFT8=7`8E@o`6q6q 
z&b+_I`FH0l@%K!2bOVQuyDXbjYBB^6pVl@iX6yy-23g&HmO)p)X_c2ZDEi=A%LLOJb+NX zke;usY!_ot2}J=Q?%yeTb(6Kp23e_7)3zYlU(~#yRV7bT{~4k~WVSHn(i$jm&{!5b zeU4zgNUvpeYCa#%+K)$*_~(_$iIZ!)PXhHfxqRy7(heUD3i%`HI~qH&PwW6sxwOH` zcGV9PVsT;AzSP8Gxn_vMJ%w4SX4?(s^7U=Zji-Qy_?1q4jvHbF5_ADLt|Fdzn`2_A zZfD2PT-%FU5Uq!gZ&^Mwvt(*A2YKrVMmT0YTwaDzB^@pT5Dt_2Lm$T1oGHX++U^MX zI==-D45QD|+V0x5{maGC5)9~oFr!`2j>rW{m*<>EfT@4} z)6|*w66gDO`}zKBXOZtW;88@WKXX?a-~Sos`|%{-f9-6P-~ZNsOH!lexmqGaRxhs= zS9jK;w5>DIJ7l)G2Nr|oa{YzJC-)*Wdn_sDuOMg#UW-*kew-9IB_TfE@}=!nNR4Te z3ydcxiQ)LPo}S}j+?f>hRF}dqcE1#x4je*%AqR4C5{sHA)1vD%VZbe>1i4(ug6i7E z_AYd>p>5#`jIwnUjf}hOMqs$iBQ@wJw28D%yh=@v)xkzQDzWERYw+LAxJ5RZk*MT+|76lon07GNi;1l!S9Z6qk-1dvL8gB5-n-NI z{wdD)KkDcEmwe>=;vWdU|K8-?X?*`W=le&JeE*Uk<@eVizdzC?%NtwVrd#g+jiVsYDZZN$W{Gj}Bx zAdy_IL)zcsOIDTk5^C>Z{xVl*F6aO!f|o_sTuSMok7uHCU=fiDwqaP;6f;BNDzD0u z!4YCQuo83sSEr3C%@*Q0e{q2(QM#?{Ez&`i(nE~F_* zWkzpFidDL;DrwsRX;^lP*j2Dnn^gK2?r^y+ngc>-%@Ri}!+E&a)`W@x%D3Y$q~S&1 zUg$VCr14J|_n(Oen!KELms4A`TINI!P_=Cz*Z#N>pDsK@)^I+m^CC_dTtti-LE1_? zGuVCmBeOs5xI)E>q8GmSlNmY8Z$gTlD<}nJ8oUZmqM5}J@oEBZQYqwdcJ>qi{l;T4 z!2L^)-69}xk(rxOW|acqmEeTqh3`m>h>5EWp4D^!7wA&VBJ(xdFvIKgtN5`A;iE2o zk_4A)d(HcZcXBzlcFX(4?QO-;tMalw;H6u9yDVJx<(K)1D_#eVOQqX9s5D$M?&Es| z3CU0)Yhir#h87ZTE_@1uXOKr9|4b-$%kb;uMu1ChT+UnHAaKN+t$c$3ZYrZqzQ!!} zTE+I15mF?eRM56-Fyy3gI~L(vdI)qT-7Ny3UKsntb)zV%$C1G`#6eVE(4#|Z5mTpR z=2v-U{=DFctBG!Vo@*^h^HDiI-3~a zz=bFfFR^CACG}K*PKL5&@dzyi71Pj!fDk94B+MXSm=+ z=<9gjka!MR3R)xHpLTif2730}p`REoRNy(d%mKqL=t!8G(m!E-$Xw1*VMpslOr65_ z*Erw*u%GW=dl~t@a04C!lz%tQNI!yN_}k0(x4rY$8_4(S-zWM0wU?ur_obJB??HQE zciio539Z<`4jo2^RHcWvdy{DxBDh{kIz8}yXATU}a7!8{^h!9!TZfE8vt3uLCV49E zK@&$_P^(3PVqU_Hg)h8gH$leH9~LXikjpHpmE}$&@OuKi?VLys8yL#*(Tp0xM&Vc3 zNHh5rwjzwFO#Bubeuu5w%c0cGp~!?Soc3j7WICV0kT}@vV4DlEL&U_N0N$w^369>TU6mF ke=`u}en7DW%FBP9Noi5|iOK1n7Ht92e_+ any any (dsize:0; sid: 1000001;) 
diff --git a/tests/threshold/threshold-config-suppress-bysrc-ipsubnet/suricata.yaml b/tests/threshold/threshold-config-suppress-bysrc-ipsubnet/suricata.yaml
new file mode 100644
index 000000000..ee5c3f004
--- /dev/null
+++ b/tests/threshold/threshold-config-suppress-bysrc-ipsubnet/suricata.yaml
@@ -0,0 +1,15 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular
+ filename: eve.json
+ types:
+ - alert
+ - drop:
+ flows: all
+ alerts: true
+ - http
+ - anomaly
diff --git a/tests/threshold/threshold-config-suppress-bysrc-ipsubnet/test.yaml b/tests/threshold/threshold-config-suppress-bysrc-ipsubnet/test.yaml
new file mode 100644
index 000000000..65c1dea58
--- /dev/null
+++ b/tests/threshold/threshold-config-suppress-bysrc-ipsubnet/test.yaml
@@ -0,0 +1,21 @@
+requires:
+ min-version: 7
+
+args:
+- --set threshold-file=${TEST_DIR}/threshold.config
+- --simulate-ips
+
+checks:
+ - filter:
+ count: 4
+ match:
+ event_type: alert
+ alert.signature_id: 1000001
+ - filter:
+ count: 19
+ match:
+ event_type: drop
+ - filter:
+ count: 1
+ match:
+ event_type: http
diff --git a/tests/threshold/threshold-config-suppress-bysrc-ipsubnet/threshold.config b/tests/threshold/threshold-config-suppress-bysrc-ipsubnet/threshold.config
new file mode 100644
index 000000000..c6daa2b79
--- /dev/null
+++ b/tests/threshold/threshold-config-suppress-bysrc-ipsubnet/threshold.config
@@ -0,0 +1 @@
+suppress gen_id 1, sig_id 1000001, track by_src, ip 145.254.160.0/24
diff --git a/tests/threshold/threshold-config-suppress-bysrc-ipvar/README.md b/tests/threshold/threshold-config-suppress-bysrc-ipvar/README.md
new file mode 100644
index 000000000..a9a4cbde0
--- /dev/null
+++ b/tests/threshold/threshold-config-suppress-bysrc-ipvar/README.md
@@ -0,0 +1,5 @@
+# Threshold.config with by_rule
+
+This test checks threshold.config file using by_rule keyword
+
+The pcap file is from http-all-headers test
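Review bot: The alert check in test.yaml only pins the total (`count: 4`), so it would also pass if suppression removed four alerts belonging to hosts outside 145.254.160.0/24 and left the intended ones in place. A second filter with `count: 0` matching `event_type: alert` and `src_ip: <suppressed-source-address-from-pcap>` would tie the expected count to what the suppress line in threshold.config actually claims. The same applies to the byte-identical test.yaml (same blob `65c1dea58`) added for threshold-config-suppress-bysrc-ipvar on the following line, where a negative filter is the only thing that shows the `$SUPPRESS` group was resolved rather than silently ignored. The `count: 19` drop and `count: 1` http filters do not depend on the threshold config and are fine as baseline checks.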
diff --git a/tests/threshold/threshold-config-suppress-bysrc-ipvar/input.pcap b/tests/threshold/threshold-config-suppress-bysrc-ipvar/input.pcap new file mode 100644 index 0000000000000000000000000000000000000000..bf5caebc47f844e06763725c8634e26762456f4e GIT binary patch literal 21263 zc-qZe+ixS+c^|JYwdp8cH*OFY0eUhU+mcPrkh-m;m1J{u_v*qdwcZUJV|zGrNRBz2 znVpL$F5JRFQ{*9ji1SdRMK6xs)^+P5KoJ;uNDvqP2aF;C@{p!2>K1651a91>C{Wn_ zzH?^C8Il@NT)B-FTFveJ&Ue1c?|kPn^S!tK>g#8uJEZ96!w)6tHu!t)(yLE=>$`VI z%W#apAACsob^N_sT9c&weZ?oF=kI#)-(LLS<)0MadH3(evQla88y|cEQJgdK+}j_M zq%(Ki`OVvIyW`Af0d1Y#-a!*M0#l$#(i4(;*Uz$ugosjUEPMYp{R$vH;QaC@-+B6n z98Hg-%>u^kAlb(6TjjF7*CX2lfcQe`>_gvf>yi|q{K^@L|MsGs`K9~T5ap|92cmrH zp>Mx_O_Da&_KB+7Ez7j2uGIaeNjCTQOKL$WjAb@$&tD*|R!d=iowzno6qMNsvca^5 ztxo3i)A>SSYAjRKH0A)F&klX{uxVzgB0IE=ccw`pzfd^8P?#heJNsjqGII~G z)kTMDbx^}L_59opsJ?129ZCl*3&r5J8}brsc8c2Jx>@-$98=ZxaPRr zY~mwoE-S(0k!Xcm=9pZ^j4j__iVAH0d>n4*s zRblJk2} z(3?!C>4Qj7RkPDFsWYQi_xbViB9yGb|1>73>g!3dL#a(x_2u3+be}}CPj(CqdY??* zn<3mJOLD7j_$-H7g>bO!mP?%r@^aTN>N7(K<6;|x-a3{G@xcl;!^-g|AbRu8;e}f? 
zWT*bB?KX);n^23#sH@e{NBz33FUbycm7r}N|B28^P_$Mvauve@0tn0ZRe?TpPprYQ zvp&Z~aWGn9C=UTszxj{1rKJ|@Jhk{~GAa1*{rk78?_p};0^dg{DSZDj=lgt;@2l@c zeE;_6Bq=6$GNrz6FQ$28lj8Z{mV0h~tGl~bE=Pdxf7w(r}`K{fFxmZLV+>`DMn zTD?&YAuew40O#n5DCyMf_FqFKAt~~J5v(I59u#n0h)w}GqX1OtjZg#Y#m|ib(3=@Tqq19 z+c&hZjR~cFCYK`@8T34)sFUg0xx?8!$>oyTqs&6I61OQ~CJ<{F|PeJ&#QN$)DYk#`hbX?|;(I_vSwGz4;x% z_k}Oro5uHF=X|dw`QF@*`2ORUBx!1Pa$dd=6PqU;AT?+sepw_SaD6r(zl_$VypckC z*QwV<(`?gruZvz9ADM-psj0sEHN3aZe|qnkhSk8kdH&OT7m~`OVbMHzcZ&bOT~!6k zf~#wc1f|CV$QZ^>F8>` zJ{EZx&&Q&Rm;^HyQ~=$J0oh7w^kU{F!hOHaNaq314qS~97>O_vmM0WsFf7l96deXE z1WXtW`?CP3lTGRa%(h_#hw3`hZI@$#Yw* zLXh6D7(f}mN1BG~+ODUB@mHT-E(_6CKr|44T8NLs&4o-SjE@{O8#n@j9u?;mbXfzLRXVyu866+^lwbGXV^8H04>Rw|!4ipvm;I*pilUbC7l} z+3-Yq>AYp+E#8Da1DUk#9npAfrx$?KP`e6TiQ0g~uAw$<%kXU%(*3w5%Pj_}-9RMa z?cmTg#_i&`_Omd$=aE@8AaE6@?mS*|?ZCMX5j8n8BZqFdj%8x~1N^QhJh9plHDMAI zHzwO)M?|K6esV00sbAqttt6TH#OV!6QR$Md&D@x*}4En_%Xta?#lwc zrYk~~uZ!CYG#Dls5yOT;w}rG#n}JJt=^pJ22!mL;o0<~PrqVnN z!_Z6EmmM0KeN@>Ioj7thByOCJ^n4P_{Xz=&2z7x^52#`Car1#eGe@S1=cr{{+5z+w zc+hUzfk#%JDr0pq0*>Z-=jYU&HJsGVtJg~ScZzIvx`$h%=9XbiO`aA(M_?ZvO%GSY zaAX}}-3nz#7`H;)5yt5B-8JHAk$8mo3rFPSF+n>;iBaerps`ZQ+d^gl&r?lnH1 z#`mvszRxB3zV+!SGk^6^lKQlDL=X+zEga+Ar_(tMRmt#OL;`N4jv_S-hv+U+LU6cF zqhr0(={g35PDJQo@-9+$q7sq3lM>hpMku#P<*w88PK(JytdEY!hpJ#W9uJ{zg~mgO zTVe4KVssMknD4YWJOmt+$ecWLPIs3WQMTmU)A;_6Ip6neG#%hUN3dPATjAI)%B|3B7iDy&jT`i|$hM35 zi#z*qtRoLg8U|E9IMB?>U4;Ga3~$Ik~Y-5eA+TtcUu0U zVNthD;#A@BX?2iFZ|8hF2Re5kOo6y7s95zyHm=N z(#qvEu?VoSdxaENcgqUkeBKUtC3SiLmD?oRkr-cLK%ttXg0#eb)O~qoCZJh^TKL=eL1qmq6#PBwQXB0-;8?`;<8va4>$kB z7ykKHqoU)OxKhz{0#M?@V#NiH)5u<#T#MG;`^sbzdnh8(H>`%z$J2U64UL8jt#-F3 ztmE=mNziy_zfUiwPF)xj;w~#svC-Q69D`9_UggInycha8O515{k0zP=%bU^6`*-f+dt!Q<6$P21b7463dEAGQd}1aP7qOYyf%+K) zgj2xCSxKbu>dBx2YoJuo<;9JnT7kN!lmm_>`FU_ zd!@RYGxN&4QkYeRwXcd|sx)U5iOZYBcG=vf~;F_cJ8|sGNP>bCy=-BIDxpZ^{aWLvNFqP0*I!-Jn zN&)jN$k=pdR(-`X(*bw6>LD{08(vaCHBSkAT347J9MjhFF-VL-;$>DCxTT`ebg&ih zYMmYf=rA8b4Aaw_R87Z&p@(08*s6HWg<{o>m^vjh-{YD2KlNwkFT8=7`8E@o`6q6q 
z&b+_I`FH0l@%K!2bOVQuyDXbjYBB^6pVl@iX6yy-23g&HmO)p)X_c2ZDEi=A%LLOJb+NX zke;usY!_ot2}J=Q?%yeTb(6Kp23e_7)3zYlU(~#yRV7bT{~4k~WVSHn(i$jm&{!5b zeU4zgNUvpeYCa#%+K)$*_~(_$iIZ!)PXhHfxqRy7(heUD3i%`HI~qH&PwW6sxwOH` zcGV9PVsT;AzSP8Gxn_vMJ%w4SX4?(s^7U=Zji-Qy_?1q4jvHbF5_ADLt|Fdzn`2_A zZfD2PT-%FU5Uq!gZ&^Mwvt(*A2YKrVMmT0YTwaDzB^@pT5Dt_2Lm$T1oGHX++U^MX zI==-D45QD|+V0x5{maGC5)9~oFr!`2j>rW{m*<>EfT@4} z)6|*w66gDO`}zKBXOZtW;88@WKXX?a-~Sos`|%{-f9-6P-~ZNsOH!lexmqGaRxhs= zS9jK;w5>DIJ7l)G2Nr|oa{YzJC-)*Wdn_sDuOMg#UW-*kew-9IB_TfE@}=!nNR4Te z3ydcxiQ)LPo}S}j+?f>hRF}dqcE1#x4je*%AqR4C5{sHA)1vD%VZbe>1i4(ug6i7E z_AYd>p>5#`jIwnUjf}hOMqs$iBQ@wJw28D%yh=@v)xkzQDzWERYw+LAxJ5RZk*MT+|76lon07GNi;1l!S9Z6qk-1dvL8gB5-n-NI z{wdD)KkDcEmwe>=;vWdU|K8-?X?*`W=le&JeE*Uk<@eVizdzC?%NtwVrd#g+jiVsYDZZN$W{Gj}Bx zAdy_IL)zcsOIDTk5^C>Z{xVl*F6aO!f|o_sTuSMok7uHCU=fiDwqaP;6f;BNDzD0u z!4YCQuo83sSEr3C%@*Q0e{q2(QM#?{Ez&`i(nE~F_* zWkzpFidDL;DrwsRX;^lP*j2Dnn^gK2?r^y+ngc>-%@Ri}!+E&a)`W@x%D3Y$q~S&1 zUg$VCr14J|_n(Oen!KELms4A`TINI!P_=Cz*Z#N>pDsK@)^I+m^CC_dTtti-LE1_? zGuVCmBeOs5xI)E>q8GmSlNmY8Z$gTlD<}nJ8oUZmqM5}J@oEBZQYqwdcJ>qi{l;T4 z!2L^)-69}xk(rxOW|acqmEeTqh3`m>h>5EWp4D^!7wA&VBJ(xdFvIKgtN5`A;iE2o zk_4A)d(HcZcXBzlcFX(4?QO-;tMalw;H6u9yDVJx<(K)1D_#eVOQqX9s5D$M?&Es| z3CU0)Yhir#h87ZTE_@1uXOKr9|4b-$%kb;uMu1ChT+UnHAaKN+t$c$3ZYrZqzQ!!} zTE+I15mF?eRM56-Fyy3gI~L(vdI)qT-7Ny3UKsntb)zV%$C1G`#6eVE(4#|Z5mTpR z=2v-U{=DFctBG!Vo@*^h^HDiI-3~a zz=bFfFR^CACG}K*PKL5&@dzyi71Pj!fDk94B+MXSm=+ z=<9gjka!MR3R)xHpLTif2730}p`REoRNy(d%mKqL=t!8G(m!E-$Xw1*VMpslOr65_ z*Erw*u%GW=dl~t@a04C!lz%tQNI!yN_}k0(x4rY$8_4(S-zWM0wU?ur_obJB??HQE zciio539Z<`4jo2^RHcWvdy{DxBDh{kIz8}yXATU}a7!8{^h!9!TZfE8vt3uLCV49E zK@&$_P^(3PVqU_Hg)h8gH$leH9~LXikjpHpmE}$&@OuKi?VLys8yL#*(Tp0xM&Vc3 zNHh5rwjzwFO#Bubeuu5w%c0cGp~!?Soc3j7WICV0kT}@vV4DlEL&U_N0N$w^369>TU6mF ke=`u}en7DW%FBP9Noi5|iOK1n7Ht92e_+ any any (dsize:0; sid: 1000001;) 
diff --git a/tests/threshold/threshold-config-suppress-bysrc-ipvar/suricata.yaml b/tests/threshold/threshold-config-suppress-bysrc-ipvar/suricata.yaml
new file mode 100644
index 000000000..c746f55ca
--- /dev/null
+++ b/tests/threshold/threshold-config-suppress-bysrc-ipvar/suricata.yaml
@@ -0,0 +1,21 @@
+%YAML 1.1
+---
+
+vars:
+ # more specific is better for alert accuracy and performance
+ address-groups:
+ SUPPRESS: "[10.0.0.0/8,20.0.0.0/16,145.0.0.0/8]"
+
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular
+ filename: eve.json
+ types:
+ - alert
+ - drop:
+ flows: all
+ alerts: true
+ - http
+ - anomaly
diff --git a/tests/threshold/threshold-config-suppress-bysrc-ipvar/test.yaml b/tests/threshold/threshold-config-suppress-bysrc-ipvar/test.yaml
new file mode 100644
index 000000000..65c1dea58
--- /dev/null
+++ b/tests/threshold/threshold-config-suppress-bysrc-ipvar/test.yaml
@@ -0,0 +1,21 @@
+requires:
+ min-version: 7
+
+args:
+- --set threshold-file=${TEST_DIR}/threshold.config
+- --simulate-ips
+
+checks:
+ - filter:
+ count: 4
+ match:
+ event_type: alert
+ alert.signature_id: 1000001
+ - filter:
+ count: 19
+ match:
+ event_type: drop
+ - filter:
+ count: 1
+ match:
+ event_type: http
diff --git a/tests/threshold/threshold-config-suppress-bysrc-ipvar/threshold.config b/tests/threshold/threshold-config-suppress-bysrc-ipvar/threshold.config
new file mode 100644
index 000000000..00a6571fe
--- /dev/null
+++ b/tests/threshold/threshold-config-suppress-bysrc-ipvar/threshold.config
@@ -0,0 +1 @@
+suppress gen_id 1, sig_id 1000001, track by_src, ip $SUPPRESS
-- 
2.47.2
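Review bot: The comment above `address-groups:` in suricata.yaml (`# more specific is better for alert accuracy and performance`) is the stock wording from the default configuration and says nothing about why `SUPPRESS` holds these three networks, which is the one thing a reader of this fixture needs. Presumably 145.0.0.0/8 is the entry that covers the pcap's source address (the sibling ipsubnet test suppresses 145.254.160.0/24 and expects the same counts) and the other two are there to exercise a multi-entry group; if so, say that instead, e.g. `# Referenced as $SUPPRESS in threshold.config; 145.0.0.0/8 covers the pcap source, the other entries exercise a multi-entry group`. The two consecutive blank lines before `outputs:` can be collapsed to one.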
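Review bot: `ip $SUPPRESS` in threshold.config depends on the `SUPPRESS` address-group defined in this test's suricata.yaml, but nothing in the file records that coupling, so a reader of threshold.config alone cannot tell where the value is resolved or what it expands to. A leading comment such as `# $SUPPRESS is the address-group defined in suricata.yaml under vars.address-groups` would make it explicit; the file format accepts `#` comment lines, as the default threshold.config shipped with Suricata shows.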