Bug #3389

EXTERNAL_NET no longer working in 5.0 as expected

Added by Derek Ditch over 4 years ago. Updated over 4 years ago.

Status: Closed
Priority: Normal
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

I've been testing Suricata 5.0 for inclusion in the next release of RockNSM, and one of our devs ran across a possible regression in how EXTERNAL_NET is handled. Our issue is being tracked here: https://github.com/rocknsm/rock/issues/522. The first should alert on any IP traffic that flows from HOME to EXTERNAL and does in Suricata 4.x. With 5.x, that rule does not alert, but the protocol-specific rules will alert (in this case HTTP).

So for the two test rules below, I want to alert on all IP traffic from HOME_NET to EXTERNAL_NET with the default definitions (below). For a test file, I used the File Analysis Framework exercise PCAP from the Zeek project (https://www.bro.org/static/exchange-2013/faf-exercise.pcap). There are several sessions in here that should match for the IP rule and/or the HTTP rule.

Vars definitions:

vars:
  # more specific is better for alert accuracy and performance
  address-groups:
    HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"
    EXTERNAL_NET: "!$HOME_NET"

Test rules:

alert ip $HOME_NET any -> $EXTERNAL_NET any (msg:"Test suricata rule from home to any external IP"; sid:100; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"Test suricata rule from home to any external IP for HTTP"; sid:101; rev:1;)

In 5.x, only the http alert will trigger on this PCAP. Commenting out that signature will fail to generate any alert. A workaround is to change the definition of EXTERNAL_NET to the following:

vars:
  address-groups:
    EXTERNAL_NET: "[any, !$HOME_NET]"

Additionally, changing the rule to negate HOME_NET directly works.

alert ip $HOME_NET any -> !$HOME_NET any (msg:"Test suricata rule from home to any external IP"; sid:100; rev:1;)

Finally, I ran suricata with the following options (sudo was to read the system config file).

sudo suricata -r ../faf-exercise.pcap -l ./ -c /etc/suricata/suricata.yaml -S ../test.rule --runmode single
#1

Updated by Victor Julien over 4 years ago

  • Description updated
#2

Updated by Victor Julien over 4 years ago

Looks like this was broken in commit 92f08d85aac203b05f72aa704fcc6b51e23f362b. Before that the rule with sid 100 would have been excluded for the IP-only engine. After that it would only consider a signature as using negation if the negation was directly in the rule, not when it is 'hidden' inside a variable.

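The distinction Victor describes in #2 (negation written directly in the rule header versus negation that only appears once a `$VAR` is resolved) is easy to reproduce outside Suricata. The following Python is an added illustration, not Suricata's own parser or the code touched by the commit; it takes the address groups and rules from the report above, expands variables recursively, and compares a check that only looks at the rule text with one that looks at the expanded address. `parse_rule_header`, `expand`, `hidden_negations` and the `WORKAROUND_GROUPS` name are constructed for this example. It only shows where the negation becomes visible; it says nothing about why the `[any, !$HOME_NET]` workaround behaves differently, which the ticket does not explain.

```python
"""Constructed example: find negation hidden behind Suricata address-group variables.

Not Suricata's parser. It mirrors the distinction in the ticket: a check that only
looks for '!' in the rule text misses a negation that lives inside a $VAR definition.
"""
import re
from typing import Dict, List

# Address groups as given in the report's suricata.yaml excerpt.
ADDRESS_GROUPS: Dict[str, str] = {
    "HOME_NET": "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]",
    "EXTERNAL_NET": "!$HOME_NET",
}

# The reporter's workaround definition of EXTERNAL_NET (assumed name for this example).
WORKAROUND_GROUPS: Dict[str, str] = dict(ADDRESS_GROUPS, EXTERNAL_NET="[any, !$HOME_NET]")

# Test rules from the report: sid 100 as filed, and the variant negating HOME_NET directly.
RULE_100 = 'alert ip $HOME_NET any -> $EXTERNAL_NET any (msg:"Test suricata rule from home to any external IP"; sid:100; rev:1;)'
RULE_100_DIRECT = 'alert ip $HOME_NET any -> !$HOME_NET any (msg:"Test suricata rule from home to any external IP"; sid:100; rev:1;)'

_VAR = re.compile(r"\$([A-Za-z_][A-Za-z0-9_]*)")
_HEADER = re.compile(
    r"^\s*(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\("
)


def parse_rule_header(rule: str) -> Dict[str, str]:
    """Split a rule header into its seven fields; everything from '(' onward is ignored."""
    m = _HEADER.match(rule)
    if not m:
        raise ValueError(f"not a rule header: {rule[:40]!r}")
    return m.groupdict()


def expand(addr: str, groups: Dict[str, str], depth: int = 0) -> str:
    """Substitute $VAR references recursively.

    Each expansion is wrapped in [] so a negation inside it keeps its own scope;
    the depth guard turns a self-referencing definition into an error instead of
    infinite recursion.
    """
    if depth > 16:
        raise ValueError("address-group nesting too deep (cycle?)")

    def _sub(m):
        name = m.group(1)
        if name not in groups:
            raise KeyError(f"undefined address-group ${name}")
        return "[" + expand(groups[name], groups, depth + 1) + "]"

    return _VAR.sub(_sub, addr)


def has_literal_negation(addr: str) -> bool:
    """Negation visible in the rule text itself (the only case the regressed check saw)."""
    return "!" in addr


def has_negation_after_expansion(addr: str, groups: Dict[str, str]) -> bool:
    """Negation visible once variables are resolved (what the earlier behaviour caught)."""
    return has_literal_negation(expand(addr, groups))


def hidden_negations(rule: str, groups: Dict[str, str]) -> List[str]:
    """Header address fields whose negation appears only after variable expansion."""
    hdr = parse_rule_header(rule)
    return [
        hdr[field]
        for field in ("src", "dst")
        if not has_literal_negation(hdr[field])
        and has_negation_after_expansion(hdr[field], groups)
    ]


if __name__ == "__main__":
    for label, rule, groups in (
        ("sid 100 as filed", RULE_100, ADDRESS_GROUPS),
        ("sid 100 with [any, !$HOME_NET]", RULE_100, WORKAROUND_GROUPS),
        ("sid 100 negating HOME_NET directly", RULE_100_DIRECT, ADDRESS_GROUPS),
    ):
        print(f"{label}: hidden negation in {hidden_negations(rule, groups) or 'none'}")
```

Run stand-alone it reports that sid 100 as filed carries a hidden negation in `$EXTERNAL_NET`, while the variant with `!$HOME_NET` written in the header does not, which is the split the commit referenced in #2 drew.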
#3

Updated by Victor Julien over 4 years ago

  • Status changed from New to Assigned
  • Assignee set to Victor Julien
  • Target version set to 5.0.1