Bug #6197
openstream: additional alerts being seen once sigs are added
Description
If we add an unrelated signature we can cause the `bytemath` tests to trigger more alerts.
For example we get this output:
```
===> detect-bytemath-01: Sub test #1: FAIL : expected 1 matches; got 2 for filter {'count': 1, 'match': {'event_type': 'alert', 'alert.signature_id': 1}}
```
If we changed the `test.rules` in this suricata-verify test to include one more rule:
```
alert ssh any any -> any any (msg:"FOOBAR"; pcre:"/rabbit/"; classtype:unknown; sid:3130009; rev:2;)
alert tcp any any -> any any (msg:"Byte-math test"; \
    ipv4.hdr; byte_math:bytes 1, offset 1, oper <<, rvalue 2, result result_val; \
    tcp.hdr; byte_test: 1, =, 0x88, 1, relative; \
    sid:1;)
```
The ssh rule is added and is unrelated, but adding it has the effect of triggering an additional alert:
```json
{
  "timestamp": "2020-05-06T11:27:47.118173+0000",
  "flow_id": 1070501709304770,
  "pcap_cnt": 1,
  "event_type": "alert",
  "src_ip": "192.0.78.190",
  "src_port": 136,
  "dest_ip": "192.0.78.25",
  "dest_port": 80,
  "proto": "TCP",
  "pkt_src": "wire/pcap",
  "alert": {
    "action": "allowed",
    "gid": 1,
    "signature_id": 1,
    "rev": 0,
    "signature": "Byte-math test",
    "category": "",
    "severity": 3
  },
  "direction": "to_server",
  "flow": {
    "pkts_toserver": 1,
    "pkts_toclient": 0,
    "bytes_toserver": 40,
    "bytes_toclient": 0,
    "start": "2020-05-06T11:27:47.118173+0000",
    "src_ip": "192.0.78.190",
    "dest_ip": "192.0.78.25",
    "src_port": 136,
    "dest_port": 80
  }
}
{
  "timestamp": "2020-05-06T11:27:47.118173+0000",
  "flow_id": 1070501709304770,
  "event_type": "alert",
  "src_ip": "192.0.78.190",
  "src_port": 136,
  "dest_ip": "192.0.78.25",
  "dest_port": 80,
  "proto": "TCP",
  "pkt_src": "stream (flow timeout)",
  "alert": {
    "action": "allowed",
    "gid": 1,
    "signature_id": 1,
    "rev": 0,
    "signature": "Byte-math test",
    "category": "",
    "severity": 3
  },
  "direction": "to_server",
  "flow": {
    "pkts_toserver": 1,
    "pkts_toclient": 0,
    "bytes_toserver": 40,
    "bytes_toclient": 0,
    "start": "2020-05-06T11:27:47.118173+0000",
    "src_ip": "192.0.78.190",
    "dest_ip": "192.0.78.25",
    "src_port": 136,
    "dest_port": 80
  }
}
```
There is this minor diff:
```
"pcap_cnt": 1, "pkt_src": "wire/pcap",
```
vs
```
"pkt_src": "stream (flow timeout)",
```
The second alert is a new one, appearing once the extra rule is added.
A git blame showed that this commit https://github.com/OISF/suricata/commit/1bb6f44ff01363fa29488f1ae83b9368e33c2770 is the change that caused this strange behaviour.
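To make the failing check reproducible outside suricata-verify, the following added example (not part of this report or of the Suricata project) re-implements the dotted-key count filter quoted in the FAIL line over a constructed, trimmed-down EVE log modelled on the two alerts above, and additionally groups alerts by flow, timestamp and signature id so that a duplicate fired from a second packet source (`wire/pcap` versus `stream (flow timeout)`) is reported directly rather than only as a wrong count. The sample records and all function names are assumptions made for this example.

```python
import json

# Constructed sample EVE output modelled on the report: the same byte_math
# alert fires twice on one flow, once from the wire and once from the stream
# engine at flow timeout, plus one unrelated flow record (assumed data).
SAMPLE_EVE = """\
{"timestamp": "2020-05-06T11:27:47.118173+0000", "flow_id": 1070501709304770, "pcap_cnt": 1, "event_type": "alert", "pkt_src": "wire/pcap", "alert": {"signature_id": 1, "signature": "Byte-math test"}}
{"timestamp": "2020-05-06T11:27:47.118173+0000", "flow_id": 1070501709304770, "event_type": "alert", "pkt_src": "stream (flow timeout)", "alert": {"signature_id": 1, "signature": "Byte-math test"}}
{"timestamp": "2020-05-06T11:27:47.118173+0000", "flow_id": 1070501709304770, "event_type": "flow", "flow": {"pkts_toserver": 1}}
"""

# The filter exactly as printed in the FAIL line of the report.
BYTEMATH_FILTER = {"count": 1, "match": {"event_type": "alert", "alert.signature_id": 1}}


def lookup(record, dotted_key):
    """Resolve a dotted key such as 'alert.signature_id' against a nested dict.
    Returns None when any path component is missing."""
    node = record
    for part in dotted_key.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def matches(record, match):
    """True when every dotted key in `match` resolves to the expected value."""
    return all(lookup(record, key) == value for key, value in match.items())


def parse_eve(text):
    """Parse newline-delimited EVE JSON into a list of dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def check_filter(records, flt):
    """Apply a suricata-verify style count filter.
    Returns (ok, got): ok is True when the number of matching records equals
    flt['count'], got is the number actually observed."""
    got = sum(1 for record in records if matches(record, flt["match"]))
    return got == flt["count"], got


def find_duplicate_alerts(records):
    """Group alert records by (flow_id, timestamp, signature_id) and return the
    groups that fired more than once, mapped to the list of pkt_src values.
    A group with both 'wire/pcap' and 'stream (flow timeout)' is the symptom
    described in this report."""
    groups = {}
    for record in records:
        if record.get("event_type") != "alert":
            continue
        key = (record.get("flow_id"), record.get("timestamp"),
               lookup(record, "alert.signature_id"))
        groups.setdefault(key, []).append(record.get("pkt_src"))
    return {key: sources for key, sources in groups.items() if len(sources) > 1}


if __name__ == "__main__":
    recs = parse_eve(SAMPLE_EVE)
    ok, got = check_filter(recs, BYTEMATH_FILTER)
    print("filter ok:", ok, "expected", BYTEMATH_FILTER["count"], "got", got)
    for key, sources in find_duplicate_alerts(recs).items():
        print("duplicate alert", key, "from packet sources", sources)
```

Run against a real `eve.json` by replacing `SAMPLE_EVE` with the file contents; the duplicate grouping is the quicker way to confirm whether an extra alert is a genuine second match or, as here, the same detection replayed by the stream engine at flow timeout.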