Bug #7845: Applayer and flowbits issues - Suricata - Open Information Security Foundation

Actions

Copy link

Bug #7845

open

Applayer and flowbits issues

Added by Artem Kartunchikov 4 days ago. Updated 4 days ago.

Status:

New

Priority:

Normal

Assignee:

OISF Dev

Target version:

TBD

Affected Versions:

8.0.0

Effort:

Difficulty:

Label:

Description

First describe issue here

https://forum.suricata.io/t/applayer-and-flowbits-issues/5912

With rules like this i cant get alert


alert dcerpc any any -> any any (msg:"dcerpc uuid [lsarpc]"; flow:established, to_server; dcerpc.iface:12345778-1234-abcd-ef00-0123456789ab; flowbits:set,lsarpc; flowbits:noalert; sid:1; rev:1;)

alert smb any any -> any any (msg:"smb uuid [lsarpc]"; flow:established, to_server; content:"SMB"; content:"|05 00 0b|"; distance:0; content:"|78 57 34 12 34 12 cd ab ef 00 01 23 45 67 89 ab|"; distance:29; flowbits:set,lsarpc; flowbits:noalert; sid:2; rev:1;)

alert smb any any -> any any (msg:"DPAPI Backup Key Extraction"; flow:established, to_server; content:"B|00|C|00|K|00|U|00|P|00|K|00|E|00|Y"; flowbits:isset,lsarpc; sid:3; rev:1;)

Both sig 1 and 2 are triggered, so flowbit lsarpc is defiantly seted

Sig 3 triggers without flowbits

I think issue may be in how flowbits work with different app layers

Files

dpapi-detect.pcap (15.4 KB) dpapi-detect.pcap

Artem Kartunchikov, 08/11/2025 08:06 AM