Bug #2554
closedsuricata does not detect a web-attack
Description
Hello.
We use the IDS 4.1 suricata to test the rules and are faced with a problem where suricata does not detect a simple web-attack. The problem only appears when the rule is loaded as part of a set (test.rules). If you only load one test rule (_test.rules), then suricata detects a Web-attack.
The problem was reproduced on the versions 4.1.0-beta1 RELEASE and 4.0.5 RELEASE.
The problem is not reproduced on version 3.1 of RELEASE, that is, suricata detects an attack under any conditions.
Used OS Ubuntu 18.04 LTS.
Installing suricata: ./configure --prefix = / usr / --sysconfdir = / etc --disable-gccmarch-native -disable-coccinelle -enable-af-packet -enable-gccprotect -enable-jansson - enable-geoip --enable-luajit --enable-profiling
The configuration file was used the same for different versions of suricata.
If the test rule changes the protocol to tcp and removes http_uri, then the attack is detected under any conditions and on all versions.
Pcap with the attack was recorded using Breakigpoint. Initially, the tests were conducted using this tool. Suricata was started with the option -af-packet. Further tests were continued by playing pcap with the -r option.
Test rule sid: 4000334
Files
Updated by Victor Julien over 6 years ago
- Status changed from New to Assigned
- Assignee set to Victor Julien
- Target version changed from 4.1beta1 to 4.1rc2
- Affected Versions deleted (
QA)
I can confirm the issue. It looks like sid 4000832 somehow influences 4000334. Perhaps others have the same effect. Looking into it.
Updated by Victor Julien over 6 years ago
- Related to Bug #2570: Signature affecting another's ability to detect and alert added
Updated by Victor Julien over 6 years ago
- Status changed from Assigned to Closed