Bug #2554

closed

suricata does not detect a web-attack

Added by Igor Vasilyev about 4 years ago. Updated about 4 years ago.

Status: Closed
Priority: Normal
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

Hello.
We use the suricata 4.1 IDS to test our rules and are faced with a problem where suricata does not detect a simple web attack. The problem only appears when the rule is loaded as part of a set (test.rules). If only the one test rule is loaded (_test.rules), then suricata detects the web attack.
The problem was reproduced on versions 4.1.0-beta1 RELEASE and 4.0.5 RELEASE.
The problem is not reproduced on version 3.1 RELEASE, that is, suricata detects the attack under any conditions.
OS used: Ubuntu 18.04 LTS.
Installing suricata: ./configure --prefix=/usr/ --sysconfdir=/etc --disable-gccmarch-native --disable-coccinelle --enable-af-packet --enable-gccprotect --enable-jansson --enable-geoip --enable-luajit --enable-profiling
The same configuration file was used for the different versions of suricata.
If the test rule is changed to the tcp protocol and http_uri is removed, then the attack is detected under any conditions and on all versions.
The pcap with the attack was recorded using BreakingPoint. Initially, the tests were conducted using this tool, with suricata started with the --af-packet option. Further tests were continued by replaying the pcap with the -r option.
Test rule sid: 4000334


Files

CVE-2017-11512.pcap (1.28 KB) CVE-2017-11512.pcap Igor Vasilyev, 07/26/2018 12:42 PM
suricata.yaml (67.3 KB) suricata.yaml Igor Vasilyev, 07/26/2018 12:42 PM
classification.config (4.59 KB) classification.config Igor Vasilyev, 07/26/2018 12:42 PM
3.1.zip (9.3 KB) 3.1.zip logs for testing with a complete set of rules Igor Vasilyev, 07/26/2018 12:44 PM
3.1_2.zip (9.28 KB) 3.1_2.zip logs when testing with one rule Igor Vasilyev, 07/26/2018 12:44 PM
4.0.5.zip (7.84 KB) 4.0.5.zip logs for testing with a complete set of rules Igor Vasilyev, 07/26/2018 12:44 PM
4.0.5_2.zip (9.43 KB) 4.0.5_2.zip logs when testing with one rule Igor Vasilyev, 07/26/2018 12:44 PM
4.1.zip (21.2 KB) 4.1.zip logs for testing with a complete set of rules Igor Vasilyev, 07/26/2018 12:44 PM
4.1_2.zip (10.2 KB) 4.1_2.zip logs when testing with one rule Igor Vasilyev, 07/26/2018 12:45 PM
rules.zip (9.94 KB) rules.zip Igor Vasilyev, 07/26/2018 12:45 PM

Related issues: 1 (0 open, 1 closed)

Related to Bug #2570: Signature affecting another's ability to detect and alert (Closed, Victor Julien)

#1

Updated by Victor Julien about 4 years ago

  • Status changed from New to Assigned
  • Assignee set to Victor Julien
  • Target version changed from 4.1beta1 to 4.1rc2
  • Affected Versions deleted (QA)

I can confirm the issue. It looks like sid 4000832 somehow influences 4000334. Perhaps others have the same effect. Looking into it.

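The comment above suspects that one other signature (sid 4000832) suppresses sid 4000334 when the full set is loaded. The harness below, an added example that is not part of this ticket or of the Suricata project, bisects a rule set to find which other rules are needed to reproduce the suppression; it assumes a suricata binary on PATH, a default suricata.yaml with the eve.json output enabled, and takes the pcap, the target rule text and the sid as parameters.

```python
"""Bisect a Suricata rule set to find which other signatures stop a target sid alerting."""
import json
import os
import re
import subprocess
import tempfile
from typing import Callable, List, Sequence


def sid_of(rule: str) -> int:
    """Extract the sid from a single rule line (assumes a well-formed rule)."""
    return int(re.search(r"\bsid\s*:\s*(\d+)", rule).group(1))


def sid_from_eve_line(line: str):
    """Return the signature_id of an eve.json alert record, or None for other events."""
    ev = json.loads(line)
    return ev["alert"]["signature_id"] if ev.get("event_type") == "alert" else None


def target_fires(pcap: str, target_rule: str, others: Sequence[str]) -> bool:
    """Replay the pcap with the target rule plus `others` loaded exclusively (-S)
    and report whether the target sid appears in eve.json. Assumes suricata on PATH."""
    with tempfile.TemporaryDirectory() as d:
        rules = os.path.join(d, "test.rules")
        with open(rules, "w") as f:
            f.write("\n".join([target_rule, *others]) + "\n")
        subprocess.run(["suricata", "-r", pcap, "-S", rules, "-l", d],
                       check=True, capture_output=True)
        with open(os.path.join(d, "eve.json")) as f:
            return any(sid_from_eve_line(l) == sid_of(target_rule) for l in f)


def find_suppressors(others: List[str], fires: Callable[[List[str]], bool],
                     fixed: Sequence[str] = ()) -> List[str]:
    """Return a small subset of `others` that, loaded together with `fixed`,
    stops the target firing (fires(...) is False). Delta-debugging style bisection."""
    fixed = list(fixed)
    if fires(fixed + others):
        return []                      # nothing here suppresses the target
    if len(others) == 1:
        return others
    mid = len(others) // 2
    left, right = others[:mid], others[mid:]
    if not fires(fixed + left):
        return find_suppressors(left, fires, fixed)
    if not fires(fixed + right):
        return find_suppressors(right, fires, fixed)
    # Suppression needs rules from both halves: minimise each while holding the other.
    l = find_suppressors(left, fires, fixed + right)
    r = find_suppressors(right, fires, fixed + l)
    return l + r
```

With the ticket's files this would be called as `find_suppressors(other_rules, lambda rs: target_fires("CVE-2017-11512.pcap", target_rule, rs))`, where `other_rules` are the lines of test.rules other than sid 4000334.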
#2

Updated by Victor Julien about 4 years ago

  • Related to Bug #2570: Signature affecting another's ability to detect and alert added
#3

Updated by Victor Julien about 4 years ago

  • Status changed from Assigned to Closed