Bug #7369

open

xbits noalert does not appear to function, and syntax documentation is ambiguous.

Added by Tony Robinson about 1 month ago. Updated about 1 month ago.

Status: New
Priority: Normal

Description

Details: The documentation says that xbits has a noalert option. However, when this option is used standalone (e.g. xbits:noalert; ) Suricata throws syntax errors stating noalert is an invalid xbits option. In cases where noalert is added to existing xbits options, Suricata versions will accept the syntax, but the noalert directive will not function, and the rule will still alert.

Operating System: Ubuntu 18.04, Running Secureworks Dalton (https://github.com/secureworks/dalton), with Ubuntu-based docker containers for Suricata 8, 7.0.6, 7.0.0, 6.0.18, 6.0.0, 5.0.10, 5.0.0, and 4.1.0

I have the following rules I have written recently:

alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"BugSleep xbits"; flow:established,to_server; xbits:set,ET.BugSleep.C2,track ip_dst,expire 60; content:"|fd fd fd|"; offset:1; depth:3; fast_pattern; content:"|2c|"; within:255; sid:1; rev:1;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE BugSleep Command Response From C2"; flow:established,to_client; xbits:isset,ET.BugSleep.C2,track ip_src; content:"|03 03 03|"; offset:5; depth:3; fast_pattern; pcre:"/^.{4}[\x01\x02\x03\x04\x05\x06\x07\x09\x0a\x0b\x0c\x0d\x0e\x61\x62\x63\x64\x65\x66]\x03\x03\x03/"; classtype:trojan-activity; reference:url,blog.talosintelligence.com/writing-a-bugsleep-c2-server/; sid:2; rev:1;)

I've also attached a pcap I've created with flowsynth that triggers both of these rules. Recently, we had users state that the first sid, the one that sets the xbit ( xbits:set,ET.BugSleep.C2,track ip_dst,expire 60; ), generates excessive alerts. Documentation states:

To not alert, use noalert;

source:
https://docs.suricata.io/en/latest/rules/xbits.html#xbits-keyword
https://docs.suricata.io/en/suricata-7.0.6/rules/xbits.html
https://docs.suricata.io/en/suricata-7.0.0/rules/xbits.html
https://docs.suricata.io/en/suricata-6.0.0/rules/xbits.html
https://docs.suricata.io/en/suricata-5.0.10/rules/xbits.html?highlight=xbits
https://docs.suricata.io/en/suricata-5.0.0/rules/xbits.html?highlight=xbits
https://docs.suricata.io/en/suricata-4.1.0/rules/xbits.html?highlight=xbits

Interestingly, the documentation for Suricata 6.0.18 differs slightly, and for this version of Suricata (and only this version of Suricata) the documentation is accurate, and xbits:noalert; functions properly.

https://docs.suricata.io/en/suricata-6.0.18/rules/xbits.html: To not alert, use noalert as a standalone option to xbits just like flowbits.

Aside from Suricata 6.0.18, the documentation was ambiguous as to where the noalert xbits option can be placed, so I did some testing:

Suricata 8: noalert can be added to an existing xbits statement, but cannot be set on its own (e.g. xbits:noalert; ). Whenever I try to set it separately from other xbits options like you would with flowbits:noalert; , Suricata gives me an invalid xbits option error. Here is the xbit being used:

xbits:set,ET.BugSleep.C2,track ip_dst,expire 60;

I've tried adding the noalert option to the end of the xbits like so:

xbits:set,ET.BugSleep.C2,track ip_dst,expire 60, noalert ;

The syntax is valid, but it doesn't actually stop the rule from alerting.

I've also tried setting the noalert option after setting the name of the flowbit:

xbits:set,ET.BugSleep.C2, noalert ,track ip_dst,expire 60;

and it gives an invalid flowbit option. Finally, I've added noalert after the track_ip statement:

xbits:set,ET.BugSleep.C2,track ip_dst, noalert ,expire 60;

and Suricata doesn't throw a syntax error, but it also doesn't actually stop the rule from alerting.

Suricata versions 4.10, 5.0.0, 5.0.10, 6.0.0, 7.0.0 and 7.0.6 also exhibit this behavior: setting xbits separately (e.g. xbits:noalert; ) results in an invalid xbit error, and setting it with other xbits options doesn't throw any syntax errors, but it doesn't actually stop the rule from alerting.

Suricata 6.0.18 demonstrates a strange change in behavior for the noalert xbits option, and follows the documentation properly. Setting the noalert option with other xbits options results in an invalid xbits error, while setting it separately (e.g. xbits:noalert; ) does not throw a syntax error, and does actually work correctly.

Work-Around: For users utilizing xbits who need the noalert functionality, flowbits:noalert; may be used in the place of the xbits noalert option.

What would I like to see happen:
- For versions of Suricata no longer supported, can we please update the documentation to specify that the noalert xbits option does not function, and advise users to utilize flowbits:noalert; instead?

- For all versions of Suricata currently supported by OISF, I would like the xbits noalert option to function as explained in the documentation. Additionally, I would like to see the documentation updated to feature a clear example of the correct syntax. Failing that, please deprecate the xbits noalert option, and update the documentation to instruct users to utilize flowbits:noalert; instead.


Files

61c1abde738380f.pcap (708 Bytes): pcap to use with flowbits rule for testing, if desired. Tony Robinson, 11/04/2024 05:48 PM
#1

Updated by Victor Julien about 1 month ago

In general, flowbits:noalert; is identical to just noalert;, so stand-alone. If xbits:noalert would work, it would do the exact same thing. So I would suggest only using noalert;, not the old flowbits:noalert or any other. Code wise it's all the same anyway. It's just setting the noalert flag in the sig.

Wrt updating docs for old versions: that won't happen as we're not updating these versions, and updating the docs requires updating those code bases. Ppl should just upgrade to a supported version.

Will have a look at getting the xbits thing to work as advertized.

#2

Updated by Tony Robinson about 1 month ago · Edited

Victor Julien wrote in #note-1:

In general, flowbits:noalert; is identical to just noalert;, so stand-alone. If xbits:noalert would work, it would do the exact same thing. So I would suggest only using noalert;, not the old flowbits:noalert or any other. Code wise it's all the same anyway. It's just setting the noalert flag in the sig.

Wrt updating docs for old versions: that won't happen as we're not updating these versions, and updating the docs requires updating those code bases. Ppl should just upgrade to a supported version.

Will have a look at getting the xbits thing to work as advertized.

Hey Victor. Thank you for your time. I failed to realize that noalert; was a standalone option. For the time being, this will work. Thank you for the response.
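As an added example (not Suricata's code, and not from the reporter or Victor), a small Python helper that applies the advice in #1 to a ruleset: it tokenizes a rule's option list and rewrites the two forms this report shows to be broken, noalert embedded in the xbits option and a standalone xbits:noalert;, to the plain noalert; keyword, reporting what it changed. The names split_options and normalize_noalert are my own; the sample rule is the sid:1 rule from the description.

```python
# Added example: tokenize a rule's options (honouring ';' inside quotes) and
# rewrite the broken xbits noalert forms from this report to standalone noalert;.
SET_RULE = (  # the xbits "set" rule (sid:1) copied from the bug report
    'alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"BugSleep xbits"; '
    'flow:established,to_server; xbits:set,ET.BugSleep.C2,track ip_dst,expire 60; '
    'content:"|fd fd fd|"; offset:1; depth:3; fast_pattern; content:"|2c|"; '
    'within:255; sid:1; rev:1;)'
)

def split_options(rule):
    """Return (header, [option, ...]); a ';' inside "..." is not a separator."""
    head, sep, body = rule.partition("(")
    body = body.rstrip()
    if not sep or not body.endswith(")"):
        raise ValueError("rule options must be enclosed in parentheses")
    opts, cur, quoted, prev = [], [], False, ""
    for ch in body[:-1]:  # drop the closing ')'
        if ch == '"' and prev != "\\":
            quoted = not quoted
        if ch == ";" and not quoted:
            opts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
        prev = ch
    if quoted or "".join(cur).strip():
        raise ValueError("unterminated quote or option missing its ';'")
    return head.strip(), opts

def normalize_noalert(rule):
    """Rewrite the two broken forms to standalone 'noalert;'; return (rule, findings)."""
    head, opts = split_options(rule)
    out, findings, xbits_idx = [], [], None
    for opt in opts:
        key, _, val = opt.partition(":")
        if key.strip() != "xbits":
            out.append(opt)
            continue
        parts = [p.strip() for p in val.split(",")]
        if parts == ["noalert"]:  # 'xbits:noalert;' -> invalid xbits option error
            findings.append("'xbits:noalert;' is rejected as an invalid xbits option")
            continue
        if "noalert" in parts:  # accepted by the parser, but the rule still alerts
            findings.append("noalert inside xbits is parsed but does not suppress alerts")
            parts = [p for p in parts if p != "noalert"]
        out.append("xbits:" + ",".join(parts))
        xbits_idx = len(out) - 1
    if findings and "noalert" not in out:  # add the keyword right after the xbits option
        out.insert(len(out) if xbits_idx is None else xbits_idx + 1, "noalert")
    return head + " (" + "; ".join(out) + ";)", findings
```

Running it over a ruleset before an upgrade finds set-rules that still alert because noalert was placed where Suricata silently ignores it.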
