Bug #2482
HTTP connect: difference in detection rates between 3.1 and 4.0.x
Status: closed
Description
Note that this is a request for information. The issue appears to be resolved in 4.1.0-beta1, so the purpose of this case is to see if we can get confirmation that the issue we are seeing was intentionally fixed in the 4.1.0 version, and possibly the Redmine issue/bug number.
Summary:
When comparing Suricata 3.x to 4.0.x, we have been seeing a large difference in the alerts triggered on one specific rule. The 3.x versions (both 3.1 and 3.2.5) have significantly more detections than the 4.0.x (4.0.3 and 4.0.4) versions. I was able to create a packet capture that closely resembles the behavior and we could reproduce the differences easily with the capture.
Details:
The following Emerging Threats rule triggers many more alerts in version 3.x than it does in 4.0.x versions:
alert http $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET POLICY HTTP traffic on port 443 (CONNECT)"; flow:to_server,established; content:"CONNECT"; http_method; classtype:bad-unknown; sid:2013933; rev:4; metadata:created_at 2011_11_17, updated_at 2011_11_17;)
In the example capture attached, proxyCONNECT_443.pcap, there are 124 requests that should match this rule above. On the 3.x versions, there are 124 alerts generated. On 4.0.x versions, there are only 38.
There are no threshold settings in the rule, and we don't have any configured in the threshold.config file.
Steps to reproduce:
1. Using a vanilla Suricata config, change the HOME_NET to [10.0.0.0/8] and the EXTERNAL_NET to any. Then include a file with the rule above.
2. Run the packet capture proxyCONNECT_443.pcap through Suricata using the -r option.
Actual Results:
When using either 4.0.3 or 4.0.4, only 38 alerts are generated.
Expected Results:
Since there are 124 packets that should match the rule above, we expect that many alerts. This behavior is present on 3.x and 4.1.0.
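The reporter's proxyCONNECT_443.pcap is not reproduced here. The following is an added example, not part of the original report and not Suricata project code: it writes a synthetic pcap in the same shape (a configurable number of separate TCP flows from a 10.0.0.0/8 client to an external host on port 443, each with a completed three-way handshake, one CONNECT request and a 200 response, so the `flow:to_server,established` and `http_method` conditions of sid 2013933 can be met), and it counts alerts per signature id from Suricata's eve.json output so the observed count can be compared against the expected one. The client/server addresses, the output filename, the EVE sample and the local sid 1 are constructed for illustration. Only the Python standard library is used.

```python
"""Added example: build a synthetic CONNECT-on-443 reproducer pcap and count
Suricata alerts per sid from eve.json.  Not the reporter's capture."""
import json
import socket
import struct

PCAP_MAGIC = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1
FIN, SYN, PSH, ACK = 0x01, 0x02, 0x08, 0x10

# Constructed eve.json excerpt (format as emitted by Suricata's EVE logger).
EVE_SAMPLE = """
{"timestamp":"2018-05-01T10:00:00.000001+0000","event_type":"flow","src_ip":"10.1.2.3","dest_ip":"203.0.113.10"}
{"timestamp":"2018-05-01T10:00:01.000001+0000","event_type":"alert","alert":{"signature_id":2013933,"rev":4,"signature":"ET POLICY HTTP traffic on port 443 (CONNECT)"}}
{"timestamp":"2018-05-01T10:00:02.000001+0000","event_type":"alert","alert":{"signature_id":1,"rev":1,"signature":"TEST local rule (constructed)"}}
{"timestamp":"2018-05-01T10:00:03.000001+0000","event_type":"alert","alert":{"signature_id":2013933,"rev":4,"signature":"ET POLICY HTTP traffic on port 443 (CONNECT)"}}
"""


def _checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum used by both IPv4 and TCP."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _frame(src, dst, sport, dport, seq, ack, flags, payload=b""):
    """Ethernet + IPv4 + TCP (no options) frame with valid checksums."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags,
                      65535, 0, 0) + payload
    pseudo = (socket.inet_aton(src) + socket.inet_aton(dst)
              + struct.pack("!BBH", 0, 6, len(tcp)))
    tcp = tcp[:16] + struct.pack("!H", _checksum(pseudo + tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6,
                     0, socket.inet_aton(src), socket.inet_aton(dst))
    ip = ip[:10] + struct.pack("!H", _checksum(ip)) + ip[12:]
    eth = bytes.fromhex("001122334455") + bytes.fromhex("6677889900aa") + b"\x08\x00"
    return eth + ip + tcp


def connect_flow(client, server, sport, seqbase):
    """One complete flow: handshake, CONNECT request, 200 response, final ACK."""
    req = b"CONNECT example.com:443 HTTP/1.1\r\nHost: example.com:443\r\n\r\n"
    resp = b"HTTP/1.1 200 Connection established\r\n\r\n"
    c, s = seqbase, seqbase + 5000
    return [
        _frame(client, server, sport, 443, c, 0, SYN),
        _frame(server, client, 443, sport, s, c + 1, SYN | ACK),
        _frame(client, server, sport, 443, c + 1, s + 1, ACK),
        _frame(client, server, sport, 443, c + 1, s + 1, PSH | ACK, req),
        _frame(server, client, 443, sport, s + 1, c + 1 + len(req), ACK),
        _frame(server, client, 443, sport, s + 1, c + 1 + len(req), PSH | ACK, resp),
        _frame(client, server, sport, 443, c + 1 + len(req), s + 1 + len(resp), ACK),
    ]


def build_pcap(n_requests, client="10.1.2.3", server="203.0.113.10"):
    """Classic libpcap file: 24-byte global header, then 16-byte record headers.
    Each request gets its own source port, i.e. its own flow (constructed IPs)."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    base_ts = 1_525_168_800  # arbitrary fixed epoch second
    for i in range(n_requests):
        pkts = connect_flow(client, server, 40000 + i, seqbase=1000 * (i + 1))
        for j, pkt in enumerate(pkts):
            out.append(struct.pack("<IIII", base_ts + i, j * 1000, len(pkt), len(pkt)) + pkt)
    return b"".join(out)


def packet_count(pcap: bytes) -> int:
    """Walk the record headers to count packets (sanity check on the writer)."""
    off, n = 24, 0
    while off < len(pcap):
        incl_len = struct.unpack("<I", pcap[off + 8:off + 12])[0]
        off += 16 + incl_len
        n += 1
    return n


def count_alerts_by_sid(eve_lines):
    """Count 'alert' events per signature_id from eve.json lines."""
    counts = {}
    for line in eve_lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        if ev.get("event_type") != "alert":
            continue
        sid = ev["alert"]["signature_id"]
        counts[sid] = counts.get(sid, 0) + 1
    return counts


if __name__ == "__main__":
    with open("proxyCONNECT_synthetic.pcap", "wb") as fh:  # constructed filename
        fh.write(build_pcap(124))
    print(count_alerts_by_sid(EVE_SAMPLE.splitlines()))
```

Run the script, then `suricata -r proxyCONNECT_synthetic.pcap -l ./out` with HOME_NET set to [10.0.0.0/8] and the rule loaded, and pass `open("out/eve.json")` to `count_alerts_by_sid`; with 124 generated flows the entry for sid 2013933 should be 124 on a version that matches every request. Because every flow here has a full handshake and its own port, a lower count isolates the detection engine from the flow-tracking or port-reuse effects a real proxy capture can introduce.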
Files