Bug #5437

closed

'unseen' http midstream packets with TCP FIN flag set

Added by Juliana Fajardini Reichow almost 2 years ago. Updated about 1 year ago.

Status:
Closed
Priority:
Normal
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

This was raised by a discussion on our Discord server.

Two users reached out because Suri seemed to be randomly omitting payloads from some of the alerts.

Apparently, this is happening because some HTTP midstream packets are not seen by Suri, even if we have stream.midstream=true.
Wireshark is able to properly tag such traffic as HTTP.

This also leads to Suri not logging the associated payload for some alert events in the eve-log, as it doesn't recognize the stream as HTTP.

The rule used by them to generate the alerts was:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user-agent string - Mirai"; flow:to_server,established; content:"User-Agent|3A| Hello, world"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service HTTP; reference:url,www.virustotal.com/en/file/3908cc1d8001f926031fbe55ce104448dbc20c9795b7c3cfbd9abe7b789f899d/analysis/; classtype:trojan-activity; sid:58992; rev:1;)


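To make the traffic shape behind this ticket concrete, here is an added example script (not code from the Suricata project, and not derived from the attached pcaps): it parses a libpcap capture built inline and reports TCP segments that carry payload with the FIN flag set in a flow whose SYN was never captured, i.e. the case where a midstream pickup has to start from the segment that also closes the connection. The addresses, ports, MACs and timestamps are constructed; the User-Agent value in the sample request is the one the rule above matches on. Running it over a real capture taken at the sensor is a quick way to check whether traffic of this shape is present.

```python
"""Report TCP segments that carry data and FIN in a flow whose SYN was never
captured: the shape of traffic this ticket concerns. Added example, not code
from the Suricata project or the ticket's pcaps; the capture is built inline."""
import struct

TCP_FIN, TCP_SYN, TCP_PSH, TCP_ACK = 0x01, 0x02, 0x08, 0x10


def build_segment(src, dst, sport, dport, seq, ack, flags, payload=b""):
    """Ethernet/IPv4/TCP frame with constructed MACs; checksums are left zero."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0,
                     bytes(int(o) for o in src.split(".")), bytes(int(o) for o in dst.split(".")))
    return bytes.fromhex("001122334455" "66778899aabb" "0800") + ip + tcp


def build_pcap(frames):
    """Little-endian libpcap file, linktype 1 (Ethernet), one record per frame."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1_656_000_000 + i, 0, len(frame), len(frame)) + frame
    return out


def iter_frames(pcap):
    """Yield raw Ethernet frames from a libpcap file of either byte order."""
    magic = struct.unpack("<I", pcap[:4])[0]
    end = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)
    if end is None:
        raise ValueError("not a libpcap file")
    if struct.unpack(end + "I", pcap[20:24])[0] != 1:
        raise ValueError("only Ethernet (linktype 1) captures are handled")
    off = 24
    while off + 16 <= len(pcap):
        incl = struct.unpack(end + "IIII", pcap[off:off + 16])[2]  # captured length
        yield pcap[off + 16:off + 16 + incl]
        off += 16 + incl


def parse_tcp(frame):
    """(src, dst, sport, dport, flags, payload) for an IPv4/TCP frame, else None."""
    if len(frame) < 40 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    ihl = (frame[14] & 0x0F) * 4
    total_len = struct.unpack("!H", frame[16:18])[0]
    tcp = frame[14 + ihl:14 + total_len]
    sport, dport = struct.unpack("!HH", tcp[:4])
    doff = (tcp[12] >> 4) * 4
    return (".".join(map(str, frame[26:30])), ".".join(map(str, frame[30:34])),
            sport, dport, tcp[13], tcp[doff:])


def find_midstream_fin_data(pcap):
    """Segments with payload and FIN set whose flow had no SYN earlier in the
    capture, i.e. an engine picking the flow up midstream sees the data only in
    the segment that also closes the connection."""
    syn_seen, hits = set(), []
    for frame in iter_frames(pcap):
        seg = parse_tcp(frame)
        if seg is None:
            continue
        src, dst, sport, dport, flags, payload = seg
        flow = frozenset([(src, sport), (dst, dport)])  # direction-agnostic key
        if flags & TCP_SYN:
            syn_seen.add(flow)
        elif payload and flags & TCP_FIN and flow not in syn_seen:
            hits.append({"src": f"{src}:{sport}", "dst": f"{dst}:{dport}", "bytes": len(payload),
                         "looks_like_http": payload.split(b" ", 1)[0] in (b"GET", b"POST", b"HEAD", b"PUT")})
    return hits


# Constructed request; the User-Agent value is the one the rule above matches on.
HTTP_REQ = b"GET / HTTP/1.1\r\nHost: example.test\r\nUser-Agent: Hello, world\r\n\r\n"

SAMPLE_PCAP = build_pcap([
    # flow A: handshake captured, then request in a data+FIN segment -> ordinary flow, not reported
    build_segment("10.0.0.5", "10.0.0.80", 40001, 80, 100, 0, TCP_SYN),
    build_segment("10.0.0.80", "10.0.0.5", 80, 40001, 500, 101, TCP_SYN | TCP_ACK),
    build_segment("10.0.0.5", "10.0.0.80", 40001, 80, 101, 501, TCP_PSH | TCP_ACK | TCP_FIN, HTTP_REQ),
    # flow B: no handshake captured, request arrives in a FIN-bearing segment -> reported
    build_segment("10.0.0.7", "10.0.0.80", 40002, 80, 9000, 1, TCP_PSH | TCP_ACK | TCP_FIN, HTTP_REQ),
    # flow C: midstream data without FIN -> plain midstream pickup, not reported
    build_segment("10.0.0.9", "10.0.0.80", 40003, 80, 7000, 1, TCP_PSH | TCP_ACK, HTTP_REQ),
])

if __name__ == "__main__":
    for hit in find_midstream_fin_data(SAMPLE_PCAP):
        print(hit)
```

Only flow B is reported: flow A had its SYN in the capture, and flow C is midstream but not FIN-bearing, which is the ordinary stream.midstream=true case. To run it against a real file, read the bytes and pass them to find_midstream_fin_data; the flow key is direction-agnostic so a SYN seen in either direction counts as a captured handshake.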
Files

anonymized-NoPayload.pcap (768 Bytes), Juliana Fajardini Reichow, 07/06/2022 01:27 PM
anonymized-Payload.pcap (8.33 KB), Juliana Fajardini Reichow, 07/06/2022 01:27 PM
#1

Updated by Juliana Fajardini Reichow almost 2 years ago

  • Description updated (diff)
#3

Updated by Philippe Antoine over 1 year ago

  • Status changed from New to In Review
  • Assignee changed from OISF Dev to Philippe Antoine
  • Target version deleted (TBD)
#4

Updated by Philippe Antoine over 1 year ago

  • Subject changed from 'unseen' http midstream packets to 'unseen' http midstream packets with TCP FIN flag set
#5

Updated by Philippe Antoine over 1 year ago

  • Target version set to 7.0.0-rc1
#6

Updated by Victor Julien about 1 year ago

  • Target version changed from 7.0.0-rc1 to 7.0.0-rc2
#7

Updated by Victor Julien about 1 year ago

  • Status changed from In Review to Closed