Bug #6218 (open)
xbits inconsistent behavior when running a pcap file.
Description
Hi,
I have a signature that uses the xbits keyword. Running a pcap file that should raise an alert gives inconsistent results (sometimes the alert is raised, sometimes not).
The rules are:
alert http any 80 -> any any (msg:"rule1"; flow: to_client, established; http.response_body; content:"activationToken"; xbits:set,xbits_flag,track ip_pair,expire 2; noalert; sid:1;)
alert http any any -> any 80 (msg:"rule2"; flow: to_server, established; http.uri; content:"/SAAS/API/1.0/REST/oauth2/activate"; xbits:isset,xbits_flag,track ip_pair; sid:2;)
I am attaching the pcap file. The first rule should match packet #6 and the second rule should match packet #12. The inconsistent alert is generated by the rule with sid 2.
I removed the expiry option from the xbits in the first rule and still had inconsistent results.
Thanks in advance,
Paz.
Updated by Paz Fichman over 1 year ago
- Affected Versions 6.0.10 added
- Affected Versions deleted (6.0.9)
Updated by Brandon Murphy 9 months ago
FWIW, I was able to replicate this in 6.0.16, 7.0.3, and 8.0.0-dev (ece2029b0 2024-03-13).
It took a few runs, but I did get FNs after fewer than 6-8 runs.
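A small reproduction harness for the kind of intermittent result described in the report and in the comment above, added here as an example; it is not part of the bug report and not Suricata's own tooling. It runs Suricata in pcap mode repeatedly with only the supplied rules file loaded, counts alerts per sid from each run's eve.json, and reports which expected sids were missed in some runs. It assumes `suricata` is on PATH with a usable default suricata.yaml (pass `-c` in `SURICATA_ARGS` otherwise), and uses the existing `-r`, `-S`, `-l` and `-k` command-line options; the eve.json lines embedded below are constructed sample data, not real output from the attached pcap.

```python
"""Run Suricata on a pcap N times and flag sids whose alert count varies.

Usage: python xbits_flaky.py capture.pcap rules.rules [runs] [sid=count ...]
With no arguments it runs the eve.json parser over constructed sample lines.
"""
import json
import shutil
import subprocess
import sys
import tempfile
from collections import Counter
from pathlib import Path

# Extra options for every suricata invocation, e.g. ["-c", "/etc/suricata/suricata.yaml"].
SURICATA_ARGS = ["-k", "none"]  # -k none: do not drop packets on bad checksums

# Constructed sample of one run's eve.json (not real Suricata output).
SAMPLE_EVE = """\
{"timestamp":"2024-03-13T10:00:00.000001+0000","event_type":"http","src_ip":"10.0.0.1","dest_ip":"10.0.0.2"}
{"timestamp":"2024-03-13T10:00:00.000002+0000","event_type":"alert","src_ip":"10.0.0.2","dest_ip":"10.0.0.1","alert":{"signature_id":2,"signature":"rule2"}}
{"timestamp":"2024-03-13T10:00:00.000003+0000","event_type":"flow","src_ip":"10.0.0.2","dest_ip":"10.0.0.1"}
"""


def count_alerts(eve_lines):
    """Return a Counter {signature_id: alerts} from eve.json lines.

    Non-alert events and malformed lines are skipped; sid 1 above carries
    'noalert', so it never appears here even when it matched.
    """
    counts = Counter()
    for line in eve_lines:
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        if ev.get("event_type") != "alert":
            continue
        sid = ev.get("alert", {}).get("signature_id")
        if sid is not None:
            counts[sid] += 1
    return counts


def run_once(pcap, rules, suricata="suricata"):
    """One pcap-mode run into a fresh log dir; returns per-sid alert counts."""
    with tempfile.TemporaryDirectory() as logdir:
        cmd = [suricata, "-r", str(pcap), "-S", str(rules), "-l", logdir] + SURICATA_ARGS
        subprocess.run(cmd, check=True, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
        eve = Path(logdir) / "eve.json"
        if not eve.exists():
            return Counter()
        return count_alerts(eve.read_text().splitlines())


def flaky_sids(run_counts, expected):
    """Map each expected sid to the number of runs whose count differed from
    the expected value; sids that matched in every run are omitted."""
    misses = {}
    for sid, want in expected.items():
        missed = sum(1 for c in run_counts if c.get(sid, 0) != want)
        if missed:
            misses[sid] = missed
    return misses


def main(argv):
    if len(argv) < 3:
        # Stand-alone demo on the constructed sample (no Suricata needed).
        print("sample eve.json alert counts:", dict(count_alerts(SAMPLE_EVE.splitlines())))
        return 0
    pcap, rules = argv[1], argv[2]
    runs = int(argv[3]) if len(argv) > 3 else 20
    # Expected alerts per sid; default matches the report: sid 2 once per run.
    expected = {2: 1}
    for spec in argv[4:]:
        sid, want = spec.split("=")
        expected[int(sid)] = int(want)
    if shutil.which("suricata") is None:
        print("suricata not found on PATH", file=sys.stderr)
        return 2
    results = [run_once(pcap, rules) for _ in range(runs)]
    for i, c in enumerate(results, 1):
        print(f"run {i:3d}: {dict(c)}")
    misses = flaky_sids(results, expected)
    print("flaky sids (sid -> runs that missed):", misses or "none")
    return 1 if misses else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Because each run writes to a fresh temporary log directory, counts from one run cannot leak into the next; the exit status is non-zero whenever any expected sid was missed in at least one run, which makes the script usable as a regression check once a fix lands.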