Project

General

Profile

Actions

Bug #2482

closed

HTTP connect: difference in detection rates between 3.1 and 4.0.x

Added by Eric Urban almost 6 years ago. Updated over 5 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

Note that this is a request for information. The issue appears to be resolved in 4.1.0-beta1 so the purpose of this case is to see if we can get confirmation this issue we are seeing was intentionally fixed in the 4.1.0 version and possibly the Redmine issue/bug number.

Summary:
When comparing Suricata 3.x to 4.0.x, we have been seeing a large difference in the alerts triggered on one specific rule. The 3.x versions (both 3.1 and 3.2.5) have significantly more detections than the 4.0.x (4.0.3 and 4.0.4) versions. I was able to create a packet capture that closely resembles the behavior and we could reproduce the differences easily with the capture.

Details:
The following Emerging Threats rule triggers many more alerts in version 3.x than it does in 4.0.x versions:
alert http $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET POLICY HTTP traffic on port 443 (CONNECT)"; flow:to_server,established; content:"CONNECT"; http_method; classtype:bad-unknown; sid:2013933; rev:4; metadata:created_at 2011_11_17, updated_at 2011_11_17;)

In the example capture attached, proxyCONNECT_443.pcap, there are 124 requests that should match this rule above. On the 3.x versions, there are 124 alerts generated. On 4.0.x versions, there are only 38.

There are not any threshold settings in the rule and we don't have any configured in the threshold.config file.

Steps to reproduce:
1. Using a vanilla Suricata config, change the HOME_NET to [10.0.0.0/8] and the EXTERNAL_NET to any. Then include a file with the rule above.
2. Run the packet capture proxyCONNECT_443.pcap through Suricata using the -r option.

Actual Results:
When using either 4.0.3 or 4.0.4, only 38 alerts are generated.

Expected Results:
Since there are 124 packets that should match the rule above, we expect that many alerts. This behavior is present on 3.x and 4.1.0.


Files

proxyCONNECT_443.pcap (11.1 MB) proxyCONNECT_443.pcap Eric Urban, 04/11/2018 04:31 PM
Actions #1

Updated by Eric Urban almost 6 years ago

For the record, I looked through https://redmine.openinfosecfoundation.org/versions/105 but couldn't seem to find one that stood out as the culprit.

Actions #2

Updated by Eric Urban almost 6 years ago

Actually I may have found the answer with https://redmine.openinfosecfoundation.org/issues/2430.

Actions #3

Updated by Victor Julien almost 6 years ago

  • Assignee set to Victor Julien
  • Priority changed from Low to Normal
  • Target version set to 4.0.5

I can confirm the issue. I've been able to backport the 4.1-fix into the 4.0.x branch so it will be fixed in the next update.

Actions #4

Updated by Victor Julien almost 6 years ago

  • Status changed from New to Assigned
Actions #5

Updated by Victor Julien almost 6 years ago

  • Tracker changed from Support to Bug
  • Subject changed from Request for information: Difference in detection rates between 3.1 and 4.0.x to HTTP connect: difference in detection rates between 3.1 and 4.0.x
Actions

Also available in: Atom PDF