Bug #2554
closed
suricata does not detect a web-attack
Added by Igor Vasilyev over 5 years ago.
Updated over 5 years ago.
Description
Hello.
We use the IDS 4.1 suricata to test the rules and are faced with a problem where suricata does not detect a simple web-attack. The problem only appears when the rule is loaded as part of a set (test.rules). If you only load one test rule (_test.rules), then suricata detects a Web-attack.
The problem was reproduced on the versions 4.1.0-beta1 RELEASE and 4.0.5 RELEASE.
The problem is not reproduced on version 3.1 of RELEASE, that is, suricata detects an attack under any conditions.
Used OS Ubuntu 18.04 LTS.
Installing suricata: ./configure --prefix = / usr / --sysconfdir = / etc --disable-gccmarch-native -disable-coccinelle -enable-af-packet -enable-gccprotect -enable-jansson - enable-geoip --enable-luajit --enable-profiling
The configuration file was used the same for different versions of suricata.
If the test rule changes the protocol to tcp and removes http_uri, then the attack is detected under any conditions and on all versions.
Pcap with the attack was recorded using Breakigpoint. Initially, the tests were conducted using this tool. Suricata was started with the option -af-packet. Further tests were continued by playing pcap with the -r option.
Test rule sid: 4000334
Files
|
CVE-2017-11512.pcap (1.28 KB)
CVE-2017-11512.pcap |
|
Igor Vasilyev, 07/26/2018 12:42 PM
|
|
|
suricata.yaml (67.3 KB)
suricata.yaml |
|
Igor Vasilyev, 07/26/2018 12:42 PM
|
|
|
classification.config (4.59 KB)
classification.config |
|
Igor Vasilyev, 07/26/2018 12:42 PM
|
|
|
3.1.zip (9.3 KB)
3.1.zip |
logs for testing with a complete set of rules |
Igor Vasilyev, 07/26/2018 12:44 PM
|
|
|
3.1_2.zip (9.28 KB)
3.1_2.zip |
logs when testing with one rule |
Igor Vasilyev, 07/26/2018 12:44 PM
|
|
|
4.0.5.zip (7.84 KB)
4.0.5.zip |
logs for testing with a complete set of rules |
Igor Vasilyev, 07/26/2018 12:44 PM
|
|
|
4.0.5_2.zip (9.43 KB)
4.0.5_2.zip |
logs when testing with one rule |
Igor Vasilyev, 07/26/2018 12:44 PM
|
|
|
4.1.zip (21.2 KB)
4.1.zip |
logs for testing with a complete set of rules |
Igor Vasilyev, 07/26/2018 12:44 PM
|
|
|
4.1_2.zip (10.2 KB)
4.1_2.zip |
logs when testing with one rule |
Igor Vasilyev, 07/26/2018 12:45 PM
|
|
|
rules.zip (9.94 KB)
rules.zip |
|
Igor Vasilyev, 07/26/2018 12:45 PM
|
|
- Status changed from New to Assigned
- Assignee set to Victor Julien
- Target version changed from 4.1beta1 to 4.1rc2
- Affected Versions deleted (
QA)
I can confirm the issue. It looks like sid 4000832 somehow influences 4000334. Perhaps others have the same effect. Looking into it.
- Related to Bug #2570: Signature affecting another's ability to detect and alert added
- Status changed from Assigned to Closed
Also available in: Atom
PDF