Bug #1857

closed

Extra character in alert signature msg in Suricata 3.0.1

Added by Josh Lane almost 8 years ago. Updated almost 8 years ago.

Status: Closed
Priority: Urgent
Assignee: -
Target version: -
Affected Versions:
Effort:
Difficulty:
Label:

Description

Verified the rule file has the msg field set as follows:

alert tcp $HOME_NET any -> any any (msg: "CrowdStrike MiniRandRAT Command error (TCP)"; classtype: trojan-activity; sid: 181510203; rev: 20160513;)

The output from Suricata into the eve.json shows the msg field content but with a leading " which is very unexpected, as shown here:

"signature":"\"CrowdStrike MiniRandRAT Command error (TCP)"

The extra \" at the beginning of the signature is the problem we are seeing. Not sure where the \" is coming from and this has blown alerts and filtering out of the water as we would expect. FYI: We have purchased this rule from a vendor so some of the logic in the rule has been removed but doesn't seem to impact the issue here as the signature is the incorrectly reported value at current.

Actions #1

Updated by Jason Ish almost 8 years ago

The issue is the space between the msg: and the leading quote for the message. Remove the space so you have 'msg:"CrowdStrike...' and your escaped quote should be gone.

This was fixed in 3.0.2 (https://github.com/inliniac/suricata/commit/2d4a6f154e80dc230638ad5f4d7912c32b42ba18)

And is also fixed in 3.1.1.

Actions #2

Updated by Josh Lane almost 8 years ago

Is this issue specific to CS rules or all rules for this particular bug?

Actions #3

Updated by Jason Ish almost 8 years ago

Josh Lane wrote:

Is this issue specific to CS rules or all rules for this particular bug?

Any rule with the extra space character.
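As an added example (not code from Suricata or from anyone in this thread), here is a small Python check that a rule maintainer on 3.0.1 could run: it lists every rule whose `msg:` keyword has whitespace before the opening quote (the form Jason Ish identifies in #1 and generalizes in #3), rewrites such rules to the `msg:"..."` form he recommends, and scans eve.json alert records for the reported symptom, a signature value that begins with a literal double quote. The sample rules, the eve.json records and all function names are constructed for this example and are not taken from a real ruleset or sensor.

```python
import json
import re

# "msg:" followed by one or more whitespace characters before the opening quote.
# This is the form that Suricata 3.0.1 turned into a signature with a leading \"
# (bug #1857); it is harmless on 3.0.2 / 3.1.1 and later.
_MSG_WITH_SPACE = re.compile(r'\bmsg:(\s+)"')

# Full msg value, allowing backslash-escaped characters inside the quotes.
_MSG_VALUE = re.compile(r'\bmsg:\s*"((?:[^"\\]|\\.)*)"')

# Constructed sample ruleset: one comment, the rule quoted in the bug report,
# and one clean rule written in the recommended form.
SAMPLE_RULES = "\n".join([
    "# constructed sample ruleset for this example",
    'alert tcp $HOME_NET any -> any any (msg: "CrowdStrike MiniRandRAT Command error (TCP)"; '
    'classtype: trojan-activity; sid: 181510203; rev: 20160513;)',
    'alert tcp $HOME_NET any -> any any (msg:"Constructed clean rule"; sid:9000001; rev:1;)',
])

# Constructed eve.json lines: one alert showing the symptom, one clean alert, one non-alert.
SAMPLE_EVE = [
    json.dumps({"event_type": "alert",
                "alert": {"signature_id": 181510203, "rev": 20160513,
                          "signature": '"CrowdStrike MiniRandRAT Command error (TCP)',
                          "category": "A Network Trojan was detected"}}),
    json.dumps({"event_type": "alert",
                "alert": {"signature_id": 9000001, "rev": 1,
                          "signature": "Constructed clean rule"}}),
    json.dumps({"event_type": "flow", "flow": {"pkts_toserver": 3}}),
]


def find_msg_space_rules(rules_text):
    """Return (line_number, rule) for each rule with whitespace between msg: and its quote."""
    hits = []
    for lineno, line in enumerate(rules_text.splitlines(), start=1):
        rule = line.strip()
        if not rule or rule.startswith("#"):
            continue  # blank lines and comments carry no msg keyword
        if _MSG_WITH_SPACE.search(rule):
            hits.append((lineno, rule))
    return hits


def normalize_msg(rule):
    """Rewrite 'msg: "..."' to 'msg:"..."'; rules already in that form are returned unchanged."""
    return _MSG_WITH_SPACE.sub('msg:"', rule)


def extract_msg(rule):
    """Return the msg text with whitespace before the quote treated as insignificant, or None."""
    m = _MSG_VALUE.search(rule)
    return m.group(1) if m else None


def suspicious_signatures(eve_lines):
    """Return (signature_id, signature) for alert records whose signature starts with a quote."""
    found = []
    for line in eve_lines:
        try:
            rec = json.loads(line)
        except ValueError:
            continue  # skip malformed lines rather than abort the scan
        if rec.get("event_type") != "alert":
            continue
        alert = rec.get("alert", {})
        sig = alert.get("signature", "")
        if sig.startswith('"'):
            found.append((alert.get("signature_id"), sig))
    return found


if __name__ == "__main__":
    for lineno, rule in find_msg_space_rules(SAMPLE_RULES):
        print("line %d: msg has whitespace before quote" % lineno)
        print("  msg text :", extract_msg(rule))
        print("  rewritten:", normalize_msg(rule))
    for sid, sig in suspicious_signatures(SAMPLE_EVE):
        print("eve.json: sid %s has a leading quote in signature: %s" % (sid, sig))
```

Running the script against your own `.rules` files (read them into `find_msg_space_rules`) and a slice of `eve.json` (one record per line into `suspicious_signatures`) tells you both whether the ruleset contains the triggering form and whether the sensor is actually emitting the broken signature, so the rewrite can be applied before, or as a check after, the upgrade to 3.0.2 / 3.1.1.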

Actions #4

Updated by Jason Ish almost 8 years ago

  • Status changed from New to Closed

Closing as fixed in newer releases.
