Project

General

Profile

Actions

Bug #2570

closed

Signature affecting another's ability to detect and alert

Added by Bryant Smith about 3 years ago. Updated about 3 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

While creating some signatures I stumbled across an odd issue where when the first signature below doesn't allow the second one to detect the traffic in a pcap. The second signature alone can detect and generate an alert as long as the first one is commented out.

alert tcp $EXTERNAL_NET any -> $HOME_NET 5054 (msg:"Affects the second one!"; flow:established,to_server; content:"/something/else/"; sid:1111111; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 5054 (msg:"Affected by the 1st one!"; flow:established,to_server; content:"/goform/activate"; http_uri; pcre:"/(?:actserver|akey)=[^&]{500}/"; sid:2222222; rev:1;)

I tried narrowing it down to try and figure out what's going on. These were tested on both Ubuntu 16.04 running 4.0.5 and Ubuntu 18.04 running 4.1rc1.

Changes to sid:111111;
  1. Changed the content matches to something completely different - no affect
  2. Changed it from tcp to http - no affect
  3. Changed the port - Allow the second one to alert
  4. Add http_uri; - Allows the second one to alert
Changes to sid:222222;
  1. Added U to the pcre modifier - Allows the second one to alert
  2. Remove http_uri; from signature - Allows the second one to alert

Files

Signature_Error.pcap (2.21 KB) Signature_Error.pcap Bryant Smith, 08/07/2018 06:45 PM

Related issues

Related to Bug #2554: suricata does not detect a web-attackClosedVictor JulienActions
Actions #1

Updated by Victor Julien about 3 years ago

  • Related to Bug #2554: suricata does not detect a web-attack added
Actions #2

Updated by Victor Julien about 3 years ago

  • Related to Bug #2522: The cross-effects of rules on each other, without the use of flowbits. added
Actions #3

Updated by Victor Julien about 3 years ago

  • Status changed from New to Assigned
  • Assignee set to Victor Julien
  • Priority changed from Normal to High
  • Target version set to 4.1rc2

Thanks for your detailed report. It looks like there have been reported a few similar cases. I'm looking into it.

Actions #4

Updated by Victor Julien about 3 years ago

  • Related to deleted (Bug #2522: The cross-effects of rules on each other, without the use of flowbits.)
Actions #5

Updated by Victor Julien about 3 years ago

  • Status changed from Assigned to Closed
  • Priority changed from High to Normal
Actions

Also available in: Atom PDF