Suricata

Details:The documentation says that xbits has a noalert option. However, when this option is used standalone (e.g. xbits:noalert; ) Suricata throws syntax errors stating noalert is an invalid xbits option. In cases where noalert is added to existing xbits options, Suricata versions will accept the syntax, but the noalert directive will not function, and the rule will still alert.

Operating System: Ubuntu 18.04, Running Secureworks Dalton (https://github.com/secureworks/dalton), with Ubuntu-based docker containers for Suricata 8, 7.0.6, 7.0.0, 6.0.18, 6.0.0, 5.0.10, 5.0.0, and 4.1.0

I have the following rules I have written recently:

alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"BugSleep xbits"; flow:established,to_server; xbits:set,ET.BugSleep.C2,track ip_dst,expire 60; content:"|fd fd fd|"; offset:1; depth:3; fast_pattern; content:"|2c|"; within:255; sid:1; rev:1;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE BugSleep Command Response From C2"; flow:established,to_client; xbits:isset,ET.BugSleep.C2,track ip_src; content:"|03 03 03|"; offset:5; depth:3; fast_pattern; pcre:"/^.{4}[\x01\x02\x03\x04\x05\x06\x07\x09\x0a\x0b\x0c\x0d\x0e\x61\x62\x63\x64\x65\x66]\x03\x03\x03/"; classtype:trojan-activity; reference:url,blog.talosintelligence.com/writing-a-bugsleep-c2-server/; sid:2; rev:1;)

I've also attached a pcap I've created with flowsynth that triggers both of these rules. Recently, we had users state that the first sid, the one that sets the xbit ( xbits:set,ET.BugSleep.C2,track ip_dst,expire 60; ). Generates excessive alerts. Documentation states:

To not alert, use noalert;

source:
https://docs.suricata.io/en/latest/rules/xbits.html#xbits-keyword
https://docs.suricata.io/en/suricata-7.0.6/rules/xbits.html
https://docs.suricata.io/en/suricata-7.0.0/rules/xbits.html
https://docs.suricata.io/en/suricata-6.0.0/rules/xbits.html
https://docs.suricata.io/en/suricata-5.0.10/rules/xbits.html?highlight=xbits
https://docs.suricata.io/en/suricata-5.0.0/rules/xbits.html?highlight=xbits
https://docs.suricata.io/en/suricata-4.1.0/rules/xbits.html?highlight=xbits

Interestingly, the documentation for Suricata 6.0.18 differs slightly, and for this version of suricata (and only this version of suricata) the documentation is accurate, and " xbits:noalert; " functions properly.

https://docs.suricata.io/en/suricata-6.0.18/rules/xbits.html: To not alert, use noalert as a standalone option to xbits just like flowbits.

Aside from Suricata 6.0.18, the documentation was ambiguous as to where the noalert xbits option can be placed, so I did some testing:

Suricata 8: noalert can be added to an existing xbits statement, but cannot be set on its own (e.g. xbits:noalert; ). whenever I try to set it separately from other xbits options like you would with flowbits:noalert; , Suricata gives me an invalid xbits option error. Here is the xbit being used:

xbits:set,ET.BugSleep.C2,track ip_dst,expire 60;

I've tried adding the noalert option to the end of the xbits like so:

xbits:set,ET.BugSleep.C2,track ip_dst,expire 60, noalert ;

The syntax is valid, but it doesn't actually stop the rule from alerting.

I've also tried setting the noalert option after setting the name of the flowbit:

xbits:set,ET.BugSleep.C2, noalert ,track ip_dst,expire 60;

and it gives an invalid flowbit option. Finally, I've added noalert after the track_ip statement:

xbits:set,ET.BugSleep.C2,track ip_dst, noalert ,expire 60;

and Suricata doesn't throw a syntax error, but it also doesn't actually stop the rule from alerting.

Suricata versions 4.10, 5.0.0, 5.0.10, 6.0.0, 7.0.0 and 7.0.6 also exhibit this behavior: setting xbits separately (e.g. xbits:noalert; ) results in an invalid xbit error, and setting it with other xbits options doesn't throw any syntax errors, but it doesn't actually stop the rule from alerting.

Suricata 6.0.18 demonstrates a strange change in behavior for the noalert xbits option, and follows the documentation properly. Setting the noalert option with other xbits options results in an invalid xbits error, while setting it seperately (e.g. xbits:noalert; ) does not throw a syntax error, and does actually work correctly.

Work-Around: For users utilizing xbits who need the noalert functionality, flowbits:noalert; may be used in the place of the xbits noalert option.

What would I like to see happen:
- For versions of Suricata no longer supported, can we please update the documentation to specify that the noalert xbits option does not function, and advise users to utilize flowbits:noalert; instead?

- For all versions of Suricata currently supported by OISF, I would like the xbits noalert option to function as explained in the documentation. Additionally, I would like to see the documentation updated to feature a clear example of the correct syntax. Failing that, please deprecate the xbits noalert option, and update the documentation to instruct users to utilize flowbits:noalert; instead.