Bug #5633
Updated by Victor Julien over 1 year ago
I tested upgrading to suricata 6.0.8 from 6.0.6 and was suddenly being spammed with alerts on custom pass rules that should not be generating alerts at all. These are pass rules old/new that have been in use since Suricata 3.x and I have never witnessed suricata ever alerting from a pass rule signature. One of the strangest things I have ever seen. I tried many times to reproduce this in lab with pcap samples of traffic from production that was generating the alerts, but had no success. I finally realized that all the pass rule alerts were within a GRE or IPv6-Frag tunnel as reported by the tunnel.proto field of the json alerts. Once I collected a production pcap sample on the tunnel IPs instead of direct src/dest I was immediately able to reproduce the issue in lab. Apparently we have some of the same types of traffic inside a tunnel as well as not. I personally use a custom compiled Suricata 6.0.8 on CentOS 7, but I have a coworker that uses the CentOS 7 rpm package as well. His sensors are on completely different networks with completely different pass rules and he saw the exact same flood of pass rule alerts being generated when he tested. Every one of his pass rule alerts were also for traffic inside a tunnel. Neither of us changed any config at all, and only changed the installed Suricata version. I redacted quite a lot, but this is one the sample alerts that was generated by suricata 6.0.8 for a pass rule for traffic in a tunnel. The actual IPs represented inside the tunnel should have matched with pass rule IP variables and been ignored. The actual packet was a generic syslog message. <pre><code class="javascript"> { "alert": { "action": "allowed", "gid": 1, "signature_id": 60000139, "rev": 2, "signature": "CUSTOM---", "category": "Misc activity", "severity": 3, "rule": "pass udp $HOME_NET any -> $INTERNAL 514 (msg:\"CUSTOM---\"; classtype:misc-activity; sid:60000139; rev:2;)" }, "app_proto": "failed", "community_id": "1:---", "dest_ip": "172.0.0.0", "dest_port": 514, "ether": {}, "event_type": "alert", "flow": { "pkts_toserver": 1, "pkts_toclient": 0, "bytes_toserver": 178, "bytes_toclient": 0, "start": "2022-11-02T22:20:14.454443+0000" }, "flow_id": 123---, "in_iface": "mon4", "packet": "---", "packet_info": { "linktype": 12 }, "payload": "---", "payload_printable": "---", "proto": "UDP", "src_ip": "172.0.0.0", "src_port": 514, "stream": 0, "timestamp": "2022-11-02T22:20:14.454443+0000", "tunnel": { "src_ip": "156.0.0.0", "src_port": 0, "dest_ip": "156.0.0.0", "dest_port": 0, "proto": "GRE", "depth": 1 } } </code></pre> <pre> This is Suricata version 6.0.8 RELEASE Features: NFQ PCAP_SET_BUFF AF_PACKET HAVE_PACKET_FANOUT LIBCAP_NG LIBNET1.1 HAVE_HTP_URI_NORMALIZE_HOOK PCRE_JIT HAVE_NSS HAVE_LUA HAVE_LIBJANSSON PROFILING TLS TLS_GNU MAGIC RUST SIMD support: SSE_4_2 SSE_4_1 SSE_3 Atomic intrinsics: 1 2 4 8 16 byte(s) 64-bits, Little-endian architecture GCC version 4.8.5 20150623 (Red Hat 4.8.5-44), C version 199901 compiled with _FORTIFY_SOURCE=0 L1 cache line size (CLS)=64 thread local storage method: __thread compiled with LibHTP v0.5.41, linked against LibHTP v0.5.41 Suricata Configuration: AF_PACKET support: yes eBPF support: no XDP support: no PF_RING support: no NFQueue support: yes NFLOG support: no IPFW support: no Netmap support: no DAG enabled: no Napatech enabled: no WinDivert enabled: no Unix socket enabled: yes Detection enabled: yes Libmagic support: yes libnss support: yes libnspr support: yes libjansson support: yes hiredis support: no hiredis async with libevent: no Prelude support: no PCRE jit: yes LUA support: yes libluajit: no GeoIP2 support: yes Non-bundled htp: no Hyperscan support: yes Libnet support: yes liblz4 support: yes HTTP2 decompression: no Rust support: yes Rust strict mode: no Rust compiler path: /usr/local/bin/rustc Rust compiler version: rustc 1.44.1 (c7087fe00 2020-06-17) Cargo path: /usr/local/bin/cargo Cargo version: cargo 1.44.1 (88ba85757 2020-06-11) Cargo vendor: yes Python support: yes Python path: /usr/bin/python2.7 Install suricatactl: yes Install suricatasc: yes Install suricata-update: yes Profiling enabled: yes Profiling locks enabled: no Plugin support (experimental): yes Development settings: Coccinelle / spatch: no Unit tests enabled: no Debug output enabled: no Debug validation enabled: no Generic build parameters: Installation prefix: /usr/local Configuration directory: /etc/suricata/ Log directory: /var/log/suricata/ --prefix /usr/local --sysconfdir /etc --localstatedir /var --datarootdir /usr/local/share Host: x86_64-pc-linux-gnu Compiler: gcc (exec name) / g++ (real) GCC Protect enabled: no GCC march native enabled: yes GCC Profile enabled: no Position Independent Executable enabled: no CFLAGS -g -O2 -std=gnu99 -march=native -I${srcdir}/../rust/gen -I${srcdir}/../rust/dist PCAP_CFLAGS -I/usr/local/include SECCFLAGS </pre>