Suricata

@Peter, can you try to reproduce this issue?

I'm including the ruleset I used, in case one rule was fired but a different rule was reported.

I generated a pcap from the Wireshark text dump.
Continuing to explore the issue...

cd /etc/suricata/rules
mv snort.rules snort.rules.bak
grep 2008100 snort.rules.bak >snort.rules
suricata -c /etc/suricata/suricata.yaml -r /tmp/issue283.pcap

The above did not trigger an alert. However, when I run suricata against eth0, I can consistently reproduce the alarm.

suricata -c /etc/suricata/suricata.yaml -i eth0

I tried recapturing using Wireshark (as root) and reopened the Splunk page, triggering the same rule. I saved that session to a .pcap file using "Wireshark/tcpdump/... - libpcap" format. On replay of that file, no alarm was triggered.

I'm including a copy of the config.log in case there's anything of interest in how this was compiled.

I'm now able to reproduce the alert on a replay with 2008100 as the only rule loaded using the enclosed trigger.pcap. It triggers the alarm twice, as shown below.

04/29/11-15:50:46.072001 [**] [1:2008100:10] ET TROJAN PRG/wnspoem/Zeus InfoStealer Trojan Config Download [**] [Classification: A Network Trojan was detected] [Priority: 3] {6} 192.168.11.31:8000 -> 167.235.7.71:39956 [Xref => http://doc.emergingthreats.net/2008100][Xref => http://www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_PRG]
[root@c001-007470 suricata]# cat /etc/suricata/rules/snort.rules
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN PRG/wnspoem/Zeus InfoStealer Trojan Config Download"; flow:established; content:"/cfg.bin"; nocase; http_uri; fast_pattern; content:"GET"; http_method; nocase; content:"no-cache|0d 0a|"; http_header; nocase; pcre:"/\/cfg\.bin$/Ui"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008100; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_PRG; sid:2008100; rev:10;)