Project

General

Profile

Actions
Copy link

Bug #6218

open

xbits inconsistent behavior when running a pcap file.

Added by Paz Fichman 10 months ago. Updated about 2 months ago.

Status:
New
Priority:
Normal
Assignee:
OISF Dev
Target version:
TBD
Affected Versions:
6.0.10
Effort:
Difficulty:
Label:

Description

Hi,
I have a signature that uses the xbits keyword. Running a pcap file that should raise an alert gives inconsistent results (sometimes the alert is raised, sometimes not).
The rules are:
alert http any 80 -> any any (msg:"rule1"; flow: to_client, established; http.response_body; content:"activationToken"; xbits:set,xbits_flag,track ip_pair,expire 2; noalert; sid:1;)
alert http any any -> any 80 (msg:"rule2"; flow: to_server, established; http.uri; content:"/SAAS/API/1.0/REST/oauth2/activate"; xbits:isset,xbits_flag,track ip_pair; sid:2;)

I am attaching the pcap file. The first rule should match packet #6 and the second rule should match packet #12. The inconsistent alert is generated by the rule with sid 2.
I removed the expiry option from the xbits in the first rule and still had inconsistent results.

Thanks in advance,
Paz.

Files

xbits_pcap.pcapng (4.58 KB) xbits_pcap.pcapng Paz Fichman, 07/17/2023 08:52 AM
Actions
Copy link
 #1

Updated by Paz Fichman 10 months ago

  • Affected Versions 6.0.9 added
Actions
Copy link
 #2

Updated by Paz Fichman 10 months ago

  • Affected Versions 6.0.10 added
  • Affected Versions deleted (6.0.9)
Actions
Copy link
 #3

Updated by Brandon Murphy about 2 months ago

FWIW, I was able to replicate this in in 6.0.16, 7.0.3, and 8.0.0-dev (ece2029b0 2024-03-13)

took a few runs, but did FNs after less than 6-8 runs.

Actions
Copy link

Also available in: Atom PDF