Bug #7369
openxbits noalert does not appear to function, and syntax documentation is ambiguous.
Description
Details: The documentation says that xbits has a noalert option. However, when this option is used standalone (e.g. xbits:noalert;) Suricata throws syntax errors stating noalert is an invalid xbits option. In cases where noalert is added to existing xbits options, Suricata versions will accept the syntax, but the noalert directive will not function, and the rule will still alert.
Operating System: Ubuntu 18.04, Running Secureworks Dalton (https://github.com/secureworks/dalton), with Ubuntu-based docker containers for Suricata 8, 7.0.6, 7.0.0, 6.0.18, 6.0.0, 5.0.10, 5.0.0, and 4.1.0
I have the following rules I have written recently:
alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"BugSleep xbits"; flow:established,to_server; xbits:set,ET.BugSleep.C2,track ip_dst,expire 60; content:"|fd fd fd|"; offset:1; depth:3; fast_pattern; content:"|2c|"; within:255; sid:1; rev:1;)
alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE BugSleep Command Response From C2"; flow:established,to_client; xbits:isset,ET.BugSleep.C2,track ip_src; content:"|03 03 03|"; offset:5; depth:3; fast_pattern; pcre:"/^.{4}[\x01\x02\x03\x04\x05\x06\x07\x09\x0a\x0b\x0c\x0d\x0e\x61\x62\x63\x64\x65\x66]\x03\x03\x03/"; classtype:trojan-activity; reference:url,blog.talosintelligence.com/writing-a-bugsleep-c2-server/; sid:2; rev:1;)
I've also attached a pcap I've created with flowsynth that triggers both of these rules. Recently, we had users state that the first sid, the one that sets the xbit (xbits:set,ET.BugSleep.C2,track ip_dst,expire 60;), generates excessive alerts. Documentation states:
To not alert, use noalert;
source:
https://docs.suricata.io/en/latest/rules/xbits.html#xbits-keyword
https://docs.suricata.io/en/suricata-7.0.6/rules/xbits.html
https://docs.suricata.io/en/suricata-7.0.0/rules/xbits.html
https://docs.suricata.io/en/suricata-6.0.0/rules/xbits.html
https://docs.suricata.io/en/suricata-5.0.10/rules/xbits.html?highlight=xbits
https://docs.suricata.io/en/suricata-5.0.0/rules/xbits.html?highlight=xbits
https://docs.suricata.io/en/suricata-4.1.0/rules/xbits.html?highlight=xbits
Interestingly, the documentation for Suricata 6.0.18 differs slightly, and for this version of Suricata (and only this version of Suricata) the documentation is accurate, and "xbits:noalert;" functions properly.
https://docs.suricata.io/en/suricata-6.0.18/rules/xbits.html: To not alert, use noalert as a standalone option to xbits just like flowbits.
Aside from Suricata 6.0.18, the documentation was ambiguous as to where the noalert xbits option can be placed, so I did some testing:
Suricata 8: noalert can be added to an existing xbits statement, but cannot be set on its own (e.g. xbits:noalert;). Whenever I try to set it separately from other xbits options like you would with flowbits:noalert;, Suricata gives me an invalid xbits option error. Here is the xbit being used:
xbits:set,ET.BugSleep.C2,track ip_dst,expire 60;
I've tried adding the noalert option to the end of the xbits like so:
xbits:set,ET.BugSleep.C2,track ip_dst,expire 60, noalert ;
The syntax is valid, but it doesn't actually stop the rule from alerting.
I've also tried setting the noalert option after setting the name of the flowbit:
xbits:set,ET.BugSleep.C2, noalert ,track ip_dst,expire 60;
and it gives an invalid flowbit option. Finally, I've added noalert after the track_ip statement:
xbits:set,ET.BugSleep.C2,track ip_dst, noalert ,expire 60;
and Suricata doesn't throw a syntax error, but it also doesn't actually stop the rule from alerting.
Suricata versions 4.1.0, 5.0.0, 5.0.10, 6.0.0, 7.0.0 and 7.0.6 also exhibit this behavior: setting xbits separately (e.g. xbits:noalert;) results in an invalid xbit error, and setting it with other xbits options doesn't throw any syntax errors, but it doesn't actually stop the rule from alerting.
Suricata 6.0.18 demonstrates a strange change in behavior for the noalert xbits option, and follows the documentation properly. Setting the noalert option with other xbits options results in an invalid xbits error, while setting it separately (e.g. xbits:noalert;) does not throw a syntax error, and does actually work correctly.
Work-Around: For users utilizing xbits who need the noalert functionality, flowbits:noalert; may be used in the place of the xbits noalert option.
What would I like to see happen:
- For versions of Suricata no longer supported, can we please update the documentation to specify that the noalert xbits option does not function, and advise users to utilize flowbits:noalert; instead?
- For all versions of Suricata currently supported by OISF, I would like the xbits noalert option to function as explained in the documentation. Additionally, I would like to see the documentation updated to feature a clear example of the correct syntax. Failing that, please deprecate the xbits noalert option, and update the documentation to instruct users to utilize flowbits:noalert; instead.
Files
Updated by Victor Julien about 1 month ago
In general, flowbits:noalert; is identical to just noalert;, so stand-alone. If xbits:noalert would work, it would do the exact same thing. So I would suggest only using noalert;, not the old flowbits:noalert or any other. Code wise it's all the same anyway. It's just setting the noalert flag in the sig.
Wrt updating docs for old versions: that won't happen as we're not updating these versions, and updating the docs requires updating those code bases. Ppl should just upgrade to a supported version.
Will have a look at getting the xbits thing to work as advertised.
Updated by Tony Robinson about 1 month ago · Edited
Victor Julien wrote in #note-1:
In general, flowbits:noalert; is identical to just noalert;, so stand-alone. If xbits:noalert would work, it would do the exact same thing. So I would suggest only using noalert;, not the old flowbits:noalert or any other. Code wise it's all the same anyway. It's just setting the noalert flag in the sig.
Wrt updating docs for old versions: that won't happen as we're not updating these versions, and updating the docs requires updating those code bases. Ppl should just upgrade to a supported version.
Will have a look at getting the xbits thing to work as advertised.
Hey Victor. Thank you for your time. I failed to realize that noalert; was a standalone option. For the time being, this will work. Thank you for the response.
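A small rule-rewriting helper, added here as an example; it is not code from the Suricata project or from the reporter. It takes the maintainer's point above (flowbits:noalert; and the xbits noalert option are both meant to be the same thing as stand-alone noalert;) and turns each of the three forms quoted in this report (xbits:noalert;, a noalert item inside another xbits option, and flowbits:noalert;) into one stand-alone noalert;, which is the form that loads and suppresses alerts on every version listed. audit_noalert flags which form a rule currently uses so a ruleset can be checked before it hits an affected version. The option tokenizer, the function names and the tag strings are this example's own assumptions; the sample rule is the reporter's set rule with the inert inline form added.

```python
"""Normalise alert suppression in Suricata rules to a stand-alone ``noalert;``.

Added example for the thread above, not code from the Suricata project or
the reporter.  Assumes only the syntax quoted in the report: options are
``key:value;`` pairs inside the parentheses and xbits values are comma-separated.
The tag names below and the split_options tokenizer are this example's own.
"""
import re

RULE_RE = re.compile(r'^(?P<header>[^(]*)\((?P<body>.*)\)\s*$', re.S)


def split_options(body):
    """Split a rule's option body on ';' characters outside double quotes,
    honouring backslash escapes so a ';' inside pcre/content survives."""
    opts, cur, in_quote, escape = [], [], False, False
    for ch in body:
        if escape:
            cur.append(ch)
            escape = False
        elif ch == '\\' and in_quote:
            cur.append(ch)
            escape = True
        elif ch == ';' and not in_quote:
            opt = ''.join(cur).strip()
            if opt:
                opts.append(opt)
            cur = []
        else:
            if ch == '"':
                in_quote = not in_quote
            cur.append(ch)
    tail = ''.join(cur).strip()
    if tail:
        opts.append(tail)
    return opts


def _split_rule(rule):
    m = RULE_RE.match(rule.strip())
    if not m:
        raise ValueError('not a Suricata rule: %r' % rule)
    return m.group('header').rstrip(), split_options(m.group('body'))


def audit_noalert(rule):
    """Return sorted tags describing how a rule asks to suppress alerting.

    Per the report: 'xbits-standalone' (xbits:noalert;) is rejected at load
    time and 'xbits-inline' loads but still alerts on the affected versions;
    'flowbits' and 'standalone' both work.
    """
    tags = set()
    for opt in _split_rule(rule)[1]:
        key, _, value = opt.partition(':')
        key = key.strip()
        items = [i.strip() for i in value.split(',')] if value else []
        if key == 'noalert' and not value:
            tags.add('standalone')
        elif key == 'flowbits' and items == ['noalert']:
            tags.add('flowbits')
        elif key == 'xbits' and 'noalert' in items:
            tags.add('xbits-standalone' if items == ['noalert'] else 'xbits-inline')
    return sorted(tags)


def rewrite_noalert(rule):
    """Return (rule, changed) with every noalert form collapsed into one
    stand-alone ``noalert;`` placed just before ``sid:``."""
    header, opts = _split_rule(rule)
    new_opts, want, have = [], False, False
    for opt in opts:
        key, _, value = opt.partition(':')
        key = key.strip()
        if key == 'noalert' and not value:
            have = True                      # re-added once, below
            continue
        if key == 'flowbits' and value.strip() == 'noalert':
            want = True
            continue
        if key == 'xbits':
            items = [i.strip() for i in value.split(',')]
            if 'noalert' in items:
                want = True
                items = [i for i in items if i != 'noalert']
            if not items:                    # was a bare xbits:noalert;
                continue
            new_opts.append('xbits:' + ','.join(items))
            continue
        new_opts.append(opt)
    if want or have:
        sid_at = next((i for i, o in enumerate(new_opts) if o.startswith('sid:')),
                      len(new_opts))
        new_opts.insert(sid_at, 'noalert')
    return header + ' (' + '; '.join(new_opts) + ';)', want


if __name__ == '__main__':
    # Constructed sample: the reporter's set rule with the inert inline form.
    demo = ('alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"BugSleep xbits"; '
            'flow:established,to_server; '
            'xbits:set,ET.BugSleep.C2,track ip_dst,expire 60, noalert ; '
            'content:"|fd fd fd|"; offset:1; depth:3; fast_pattern; '
            'content:"|2c|"; within:255; sid:1; rev:1;)')
    print(audit_noalert(demo))
    print(rewrite_noalert(demo)[0])
```

Run the rewritten output through suricata -T on the target version after converting; the rewriter only moves the keyword, it does not validate anything else about the rule, and a rule that already carries a stand-alone noalert; passes through unchanged.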