Bug #2522 (closed)
The cross-effects of rules on each other, without the use of flowbits.
Description
There is an opportunity to influence the operation of one rule by another, even if they are not linked by flowbits. This happens if the affected signature uses both http and tcp buffers, and the signature through which we act uses the stream.
The eerie action at a distance stops if we add "no_stream" to the signature through which we act, or if we place all checks of the affected signature in the http buffers.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "test1"; flow: established, to_server; content: "Accept-Encoding: identity"; content: "data="; http_client_body; depth:5; classtype: misc-activity; sid: 1; rev: 1;)
# <- place "http_header" after content: "Accept-Encoding: identity"; to disable the effect
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg: "test2"; flow: established, to_server; content: "|6c55554503104840|"; offset:4; depth:8; classtype: misc-activity; sid: 2; rev: 1;)
# <- or place "no_stream" after flow: established, to_server; in sid 2
Pcap in attachment.
This is Suricata version 4.1.0-beta1 RELEASE
Updated by Victor Julien over 6 years ago
- Status changed from New to Assigned
- Assignee changed from Anonymous to Victor Julien
Updated by Victor Julien about 6 years ago
- Related to Bug #2570: Signature affecting another's ability to detect and alert added
Updated by Victor Julien about 6 years ago
This seems to be an interaction between the stream and client body inspection. The client body is not inspected until app-layer.protocols.http.libhtp.default-config.request-body-minimal-inspect-size is reached. This defaults to 32k. As the http_client_body pattern is the MPM, this means that the signature is not evaluated until the body reaches 32k (or is complete).
At the same time, sid 2 is evaluated against the raw stream and it moves the 'raw stream progress' forward. The point in the stream where it starts doing this is determined by stream.reassembly.toserver-chunk-size, which defaults to ~2.5k.
The reason 'no_stream' works is that with this option sid 2 doesn't touch the stream progress tracker.
The reason 'http_header' works is that this makes sid 1 independent from the stream tracker.
In IPS mode this all works very differently and the effect is not observed. Both stream inspection and http body inspection are much more instantaneous, at the cost of some performance.
I'm thinking about ways to improve this, but in general when possible, do use the http_* keywords as much as possible.
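As an added rule-hygiene check (not code from the report or from Suricata), the script below flags the two rule shapes this interaction needs: an http rule that mixes a raw-stream content with an http_* buffer content (the sid 1 shape, fixed by http_header), and a tcp rule whose content inspects the raw stream without no_stream (the sid 2 shape). The sample rules are constructed after sid 1 and sid 2, plus a corrected copy of sid 1 as sid 3; the parser assumes Suricata 4.x content-modifier syntax.

```python
import re

# Constructed sample rules, modelled on sid 1 and sid 2 from the report, plus a
# corrected copy of sid 1 (sid 3) that puts the header check in http_header.
RULES = r'''
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"test1"; flow:established,to_server; content:"Accept-Encoding: identity"; content:"data="; http_client_body; depth:5; sid:1; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"test2"; flow:established,to_server; content:"|6c55554503104840|"; offset:4; depth:8; sid:2; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"test1-fixed"; flow:established,to_server; content:"Accept-Encoding: identity"; http_header; content:"data="; http_client_body; depth:5; sid:3; rev:1;)
'''

# Suricata 4.x content modifiers that move a content match off the raw stream.
HTTP_MODIFIERS = {"http_header", "http_raw_header", "http_client_body", "http_uri",
                  "http_raw_uri", "http_method", "http_cookie", "http_user_agent",
                  "http_host", "http_raw_host", "http_stat_code", "http_stat_msg",
                  "file_data"}
# One option token per match; a ';' inside a quoted value does not end the token.
OPT_RE = re.compile(r'(?:"(?:[^"\\]|\\.)*"|[^;"])+;')

def parse_rule(line):
    """Split a rule into its protocol and an ordered list of (keyword, value)."""
    head, _, body = line.partition("(")
    keywords = []
    for opt in OPT_RE.findall(body.rsplit(")", 1)[0]):
        key, _, val = opt.strip().rstrip(";").partition(":")
        keywords.append((key.strip(), val.strip()))
    return head.split()[1], keywords

def raw_stream_contents(keywords):
    """Contents not followed by an http_* modifier; these inspect the raw stream."""
    buffers = []  # [content, modified?] pairs in rule order
    for key, val in keywords:
        if key == "content":
            buffers.append([val, False])
        elif key in HTTP_MODIFIERS and buffers:
            buffers[-1][1] = True
    return [c for c, modified in buffers if not modified]

def lint(rules_text):
    """Return (sid, kind, raw_contents) for each rule shape involved in the bug."""
    findings = []
    for line in rules_text.strip().splitlines():
        proto, keywords = parse_rule(line)
        sid = dict(keywords).get("sid", "?")
        raw = raw_stream_contents(keywords)
        if proto == "http" and raw and any(k in HTTP_MODIFIERS for k, _ in keywords):
            findings.append((sid, "mixed-buffers", raw))  # sid 1 shape: add http_header
        elif proto == "tcp" and raw and ("no_stream", "") not in keywords:
            findings.append((sid, "raw-stream", raw))     # sid 2 shape: add no_stream
    return findings
```

Running lint(RULES) reports sid 1 as mixed-buffers and sid 2 as raw-stream, while sid 3 is clean because every content lives in an http buffer.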
Updated by Victor Julien about 6 years ago
- Related to deleted (Bug #2570: Signature affecting another's ability to detect and alert)
Updated by Victor Julien about 6 years ago
- Status changed from Assigned to Closed
- Target version set to 4.1rc2
I've created a solution where the body is inspected earlier together with raw stream data. The 'min inspect size' will still be respected in the sense that the body tracker won't move forward until we've reached it. So some reinspection will happen in this case.
Updated by Victor Julien about 6 years ago
I've done a new implementation where the rescanning is no longer needed: https://github.com/OISF/suricata/pull/3486
Updated by Victor Julien about 5 years ago
- Related to Bug #3190: file_data inspection inhibited by additional (non-file_data) content match rule added