Bug #214
closed
Fail to alert on sid 2009800
Added by Josh Smith over 14 years ago.
Updated over 14 years ago.
Description
Suricata fails to alert on sid 2009800.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Carbonite.com Backup Software Leaking MAC Address"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/manage.old/sun/signup.aspx?MACAddresses=MAC"; nocase; uricontent:"ShowCount="; nocase; classtype:policy-violation; reference:url,doc.emergingthreats.net/2009800; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Carbonite; sid:2009800; rev:3;)
Seems to fire for me; will load it in the test rig to see if it's consistent.
When using this with the attached emerging-all.rules file we seem to alert, but it is very inconsistent. For me locally we only fire on this sig 1 out of 10 times, but the HTTP request is logged every time.
src/.libs/lt-suricata -c suricata.yaml -s emerging-all.rules -l ./ -r 2009800.pcap
alert   noalert
1       9
Logs the HTTP request every time:
07/16/10-18:48:19.703262 www.domain.tld [**] /manage.old/sun/signup.aspx?MACAddresses=MACShowCount= [**] Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 (.NET CLR 3.5.30729) [**] 192.168.1.1:34598 -> 1.1.1.1:80
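To make the expected behaviour concrete, the following added example (not code from the ticket or from Suricata) parses HTTP log lines in the format shown above and evaluates the three matching conditions of sid 2009800 against each request. It assumes the log format is exactly `timestamp host [**] uri [**] user-agent [**] src -> dst`, and, because that log line does not record the HTTP method, it assumes the request was a GET as the ticket describes. The first sample line is the one from the ticket; the second is a constructed non-matching request added for contrast. Running it shows that the logged request satisfies every condition of the rule, which is why logging it without alerting points at a detection-engine inconsistency rather than a rule-writing error.

```python
"""Evaluate Suricata http log entries against the matching conditions of
ET POLICY sid 2009800 (added example, not part of the bug report)."""
import re

# Log format as shown in the ticket (assumption: no other fields present):
# <timestamp> <host> [**] <uri> [**] <user-agent> [**] <src> -> <dst>
HTTP_LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) \[\*\*\] (?P<uri>.*?) \[\*\*\] "
    r"(?P<ua>.*?) \[\*\*\] (?P<src>\S+) -> (?P<dst>\S+)$"
)

# Conditions copied from the rule text: (buffer, pattern, nocase, depth).
# "payload" stands for the raw request start checked by content/depth;
# "uri" stands for the normalized URI buffer checked by uricontent.
# depth=None means no depth limit.
RULE_2009800 = [
    ("payload", "GET ", False, 4),                                          # content:"GET "; depth:4
    ("uri", "/manage.old/sun/signup.aspx?MACAddresses=MAC", True, None),   # uricontent; nocase
    ("uri", "ShowCount=", True, None),                                      # uricontent; nocase
]

# Sample input: first line copied from the ticket, second line constructed
# here as a request that must NOT match (different path, no ShowCount=).
SAMPLE_LINES = [
    "07/16/10-18:48:19.703262 www.domain.tld [**] "
    "/manage.old/sun/signup.aspx?MACAddresses=MACShowCount= [**] "
    "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.5) Gecko/20091102 "
    "Firefox/3.5.5 (.NET CLR 3.5.30729) [**] 192.168.1.1:34598 -> 1.1.1.1:80",
    "07/16/10-18:48:20.000000 www.domain.tld [**] /index.html [**] "
    "Mozilla/5.0 (constructed) [**] 192.168.1.1:34599 -> 1.1.1.1:80",
]


def parse_http_log(line):
    """Return the fields of one http log line as a dict, or None if unparseable."""
    m = HTTP_LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def evaluate_rule(entry, method="GET"):
    """Return (all_matched, per_condition) for one parsed entry.

    The method is assumed (default GET) because the log line does not
    carry it. per_condition is a list of (pattern, matched) pairs.
    """
    buffers = {
        "payload": f"{method} {entry['uri']} HTTP/1.1",
        "uri": entry["uri"],
    }
    results = []
    for buf, pattern, nocase, depth in RULE_2009800:
        hay = buffers[buf]
        if depth is not None:
            hay = hay[:depth]  # depth:N means the match must lie in the first N bytes
        if nocase:
            hit = pattern.lower() in hay.lower()
        else:
            hit = pattern in hay
        results.append((pattern, hit))
    return all(hit for _, hit in results), results


def summarize(lines):
    """Count how many log lines should alert vs. not alert under sid 2009800."""
    counts = {"alert": 0, "noalert": 0}
    for line in lines:
        entry = parse_http_log(line)
        if entry is None:
            continue
        matched, _ = evaluate_rule(entry)
        counts["alert" if matched else "noalert"] += 1
    return counts


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        entry = parse_http_log(line)
        matched, details = evaluate_rule(entry)
        print(entry["uri"], "->", "ALERT" if matched else "no alert")
        for pattern, hit in details:
            print("   ", "ok " if hit else "MISS", repr(pattern))
    print(summarize(SAMPLE_LINES))
```

The `summarize` counts correspond to the alert/noalert columns in the comment above: every copy of the logged request evaluates to "alert", so a run that produces an alert for only one of ten identical requests is the engine, not the signature, dropping matches.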
- Status changed from New to Closed
- % Done changed from 0 to 100
Should be fixed by commit 0d008c8135a76f0d22cf0fc6f9276ef93385c89a