Bug #3389
closedEXTERNAL_NET no longer working in 5.0 as expected
Description
I've been testing Suricata 5.0 for inclusion in the next release of RockNSM, and one of our devs ran across a possible regression in how EXTERNAL_NET is handled. Our issue is being tracked here: https://github.com/rocknsm/rock/issues/522. The first should alert on any IP traffic that flows from HOME to EXTERNAL and does in Suricata 4.x. With 5.x, that rule does not alert, but the protocol specific rules will alert (in this case HTTP).
So for the two test rules below, I want to alert on all IP traffic from HOME_NET to EXTERNAL_NET
with the default definitions (below). For a test file, I used the File Analysis Framework exercise PCAP from the Zeek project (https://www.bro.org/static/exchange-2013/faf-exercise.pcap). There are several sessions in here that should match for the IP rule and/or the HTTP rule.
Vars definitions:
vars:
# more specific is better for alert accuracy and performance
address-groups:
HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"
EXTERNAL_NET: "!$HOME_NET"
Test rules:
alert ip $HOME_NET any -> $EXTERNAL_NET any (msg:"Test suricata rule from home to any external IP"; sid:100; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"Test suricata rule from home to any external IP for HTTP"; sid:101; rev:1;)
In 5.x, only the http
alert will trigger on this PCAP. Commenting out that signature will fail to generate any alert. A work around is to change the definition of EXTERNAL_NET
to the following:
vars:
address-groups:
EXTERNAL_NET: "[any, !$HOME_NET]"
Additionally, changing the rule to negate HOME_NET
directly works.
alert ip $HOME_NET any -> !$HOME_NET any (msg:"Test suricata rule from home to any external IP"; sid:100; rev:1;)
Finally, I ran suricata
with the following options (sudo was to read the system config file).
sudo suricata -r ../faf-exercise.pcap -l ./ -c /etc/suricata/suricata.yaml -S ../test.rule --runmode single
Updated by Victor Julien about 5 years ago
Looks like this was broken in commit 92f08d85aac203b05f72aa704fcc6b51e23f362b. Before that the rule with sid 100 would have been excluded for the IP-only engine. After that it would only consider a signature as using negation if the negation was directly in the rule, not when it is 'hidden' inside a variable.
Updated by Victor Julien about 5 years ago
- Status changed from New to Assigned
- Assignee set to Victor Julien
- Target version set to 5.0.1
Updated by Victor Julien about 5 years ago
- Status changed from Assigned to Closed