Project

General

Profile

Actions
Copy link

Bug #5064

closed

frames: duplicate alerts when no flow direction provided

Added by Jason Ish over 3 years ago. Updated 17 days ago.

Status:
Closed
Priority:
Normal
Assignee:
OISF Dev
Target version:
TBD
Affected Versions:
Effort:
Difficulty:
Label:

Description

Seen with the PCAP from https://github.com/OISF/suricata-verify/pull/711.

A rule like:

alert sip any any -> any any (flow:to_client; frame:pdu; content:"REGISTER sip"; sid:1;)

will alert once as expected as the content REGISTER sip is only seen once in the pcap in the to_client direction.

However the rule:

alert sip any any -> any any (frame:pdu; content:"REGISTER sip"; sid:1;)

will create 2 identical alerts, but should probably only create one alert.

This does not appear to be limited to SIP, as I'm seeing it in my work-in-progress DNS frame support.

Actions
Copy link
 #1

Updated by Jason Ish over 3 years ago

  • Description updated (diff)
Actions
Copy link
 #2

Updated by Philippe Antoine 17 days ago

No longer an issue in 8 with

diff --git a/tests/sip-body-frames/sip-frames.rules b/tests/sip-body-frames/sip-frames.rules
index 5a77abd6..d3d723de 100644
--- a/tests/sip-body-frames/sip-frames.rules
+++ b/tests/sip-body-frames/sip-frames.rules
@@ -15,3 +15,6 @@ alert sip any any -> any any (flow:to_client; frame:response.headers; content:"V
 alert sip any any -> any any (flow:to_server; frame:request.body; content:"v=0"; startswith; sid:51;)

 alert sip any any -> any any (flow:to_server; frame:request.body; strip_whitespace; content:"v=0o=Clarent1203"; startswith; sid:61;)
+
+alert sip any any -> any any (flow:to_client; frame:pdu; content:"REGISTER sip"; sid:71;)
+alert sip any any -> any any (frame:pdu; content:"REGISTER sip"; sid:72;)
\ No newline at end of file
diff --git a/tests/sip-body-frames/test.yaml b/tests/sip-body-frames/test.yaml
index fd08db6a..5161f0a0 100644
--- a/tests/sip-body-frames/test.yaml
+++ b/tests/sip-body-frames/test.yaml
@@ -11,6 +11,16 @@ checks:
     match:
       event_type: alert
       alert.signature_id: 2
+ - filter:
+    count: 1
+    match:
+      event_type: alert
+      alert.signature_id: 71
+ - filter:
+    count: 1
+    match:
+      event_type: alert
+      alert.signature_id: 72
  - filter:
     count: 3
     match:
Actions
Copy link
 #3

Updated by Philippe Antoine 17 days ago

  • Status changed from New to Closed

Also fixed in 7.0.11 do you see otherwise Jason ?

Actions
Copy link

Also available in: Atom PDF