Project

General

Profile

Bug #5633

Updated by Victor Julien about 2 years ago

I tested upgrading to suricata 6.0.8 from 6.0.6 and was suddenly being spammed with alerts on custom pass rules that should not be generating alerts at all. These are pass rules old/new that have been in use since Suricata 3.x and I have never witnessed suricata ever alerting from a pass rule signature. One of the strangest things I have ever seen. 

 I tried many times to reproduce this in lab with pcap samples of traffic from production that was generating the alerts, but had no success. 

 I finally realized that all the pass rule alerts were within a GRE or IPv6-Frag tunnel as reported by the tunnel.proto field of the json alerts. 

 Once I collected a production pcap sample on the tunnel IPs instead of direct src/dest I was immediately able to reproduce the issue in lab. Apparently we have some of the same types of traffic inside a tunnel as well as not. 

 I personally use a custom compiled Suricata 6.0.8 on CentOS 7, but I have a coworker that uses the CentOS 7 rpm package as well. His sensors are on completely different networks with completely different pass rules and he saw the exact same flood of pass rule alerts being generated when he tested. Every one of his pass rule alerts were also for traffic inside a tunnel. Neither of us changed any config at all, and only changed the installed Suricata version. 

 I redacted quite a lot, but this is one the sample alerts that was generated by suricata 6.0.8 for a pass rule for traffic in a tunnel. The actual IPs represented inside the tunnel should have matched with pass rule IP variables and been ignored. The actual packet was a generic syslog message. 
 <pre><code class="javascript"> 
 

 { 
   "alert": { 
     "action": "allowed", 
     "gid": 1, 
     "signature_id": 60000139, 
     "rev": 2, 
     "signature": "CUSTOM---", 
     "category": "Misc activity", 
     "severity": 3, 
     "rule": "pass udp $HOME_NET any -> $INTERNAL 514 (msg:\"CUSTOM---\"; classtype:misc-activity; sid:60000139; rev:2;)" 
   }, 
   "app_proto": "failed", 
   "community_id": "1:---", 
   "dest_ip": "172.0.0.0", 
   "dest_port": 514, 
   "ether": {}, 
   "event_type": "alert", 
   "flow": { 
     "pkts_toserver": 1, 
     "pkts_toclient": 0, 
     "bytes_toserver": 178, 
     "bytes_toclient": 0, 
     "start": "2022-11-02T22:20:14.454443+0000" 
   }, 
   "flow_id": 123---, 
   "in_iface": "mon4", 
   "packet": "---", 
   "packet_info": { 
     "linktype": 12 
   }, 
   "payload": "---", 
   "payload_printable": "---", 
   "proto": "UDP", 
   "src_ip": "172.0.0.0", 
   "src_port": 514, 
   "stream": 0, 
   "timestamp": "2022-11-02T22:20:14.454443+0000", 
   "tunnel": { 
     "src_ip": "156.0.0.0", 
     "src_port": 0, 
     "dest_ip": "156.0.0.0", 
     "dest_port": 0, 
     "proto": "GRE", 
     "depth": 1 
   } 
 } 
 </code></pre> 

 <pre> 
 This is Suricata version 6.0.8 RELEASE 
 Features: NFQ PCAP_SET_BUFF AF_PACKET HAVE_PACKET_FANOUT LIBCAP_NG LIBNET1.1 HAVE_HTP_URI_NORMALIZE_HOOK PCRE_JIT HAVE_NSS HAVE_LUA HAVE_LIBJANSSON PROFILING TLS TLS_GNU MAGIC RUST  
 SIMD support: SSE_4_2 SSE_4_1 SSE_3  
 Atomic intrinsics: 1 2 4 8 16 byte(s) 
 64-bits, Little-endian architecture 
 GCC version 4.8.5 20150623 (Red Hat 4.8.5-44), C version 199901 
 compiled with _FORTIFY_SOURCE=0 
 L1 cache line size (CLS)=64 
 thread local storage method: __thread 
 compiled with LibHTP v0.5.41, linked against LibHTP v0.5.41 

 Suricata Configuration: 
   AF_PACKET support:                         yes 
   eBPF support:                              no 
   XDP support:                               no 
   PF_RING support:                           no 
   NFQueue support:                           yes 
   NFLOG support:                             no 
   IPFW support:                              no 
   Netmap support:                            no  
   DAG enabled:                               no 
   Napatech enabled:                          no 
   WinDivert enabled:                         no 

   Unix socket enabled:                       yes 
   Detection enabled:                         yes 

   Libmagic support:                          yes 
   libnss support:                            yes 
   libnspr support:                           yes 
   libjansson support:                        yes 
   hiredis support:                           no 
   hiredis async with libevent:               no 
   Prelude support:                           no 
   PCRE jit:                                  yes 
   LUA support:                               yes 
   libluajit:                                 no 
   GeoIP2 support:                            yes 
   Non-bundled htp:                           no 
   Hyperscan support:                         yes 
   Libnet support:                            yes 
   liblz4 support:                            yes 
   HTTP2 decompression:                       no 

   Rust support:                              yes 
   Rust strict mode:                          no 
   Rust compiler path:                        /usr/local/bin/rustc 
   Rust compiler version:                     rustc 1.44.1 (c7087fe00 2020-06-17) 
   Cargo path:                                /usr/local/bin/cargo 
   Cargo version:                             cargo 1.44.1 (88ba85757 2020-06-11) 
   Cargo vendor:                              yes 

   Python support:                            yes 
   Python path:                               /usr/bin/python2.7 
   Install suricatactl:                       yes 
   Install suricatasc:                        yes 
   Install suricata-update:                   yes 

   Profiling enabled:                         yes 
   Profiling locks enabled:                   no 

   Plugin support (experimental):             yes 

 Development settings: 
   Coccinelle / spatch:                       no 
   Unit tests enabled:                        no 
   Debug output enabled:                      no 
   Debug validation enabled:                  no 

 Generic build parameters: 
   Installation prefix:                       /usr/local 
   Configuration directory:                   /etc/suricata/ 
   Log directory:                             /var/log/suricata/ 

   --prefix                                   /usr/local 
   --sysconfdir                               /etc 
   --localstatedir                            /var 
   --datarootdir                              /usr/local/share 

   Host:                                      x86_64-pc-linux-gnu 
   Compiler:                                  gcc (exec name) / g++ (real) 
   GCC Protect enabled:                       no 
   GCC march native enabled:                  yes 
   GCC Profile enabled:                       no 
   Position Independent Executable enabled: no 
   CFLAGS                                     -g -O2 -std=gnu99 -march=native -I${srcdir}/../rust/gen -I${srcdir}/../rust/dist 
   PCAP_CFLAGS                                 -I/usr/local/include 
   SECCFLAGS         
 </pre>         

Back