I use the docker image jasonish/suricata:7.0.6-profiling to test and develop some signatures.
I run it something like this:
docker run --rm -it \
jasonish/suricata:7.0.6-profiling \
-c /nsm/suricata.yaml \
-s /nsm/dev.rules \
-r /nsm/data.pcap \
--runmode autofp \
-k none \
-vvvv
Recently I tried to create two signatures and connect them with flowbits:
alert tcp any any -> any 389 (msg:"Cleartext password in LDAP"; flow: established, to_server; content:"|60|"; content:"|02 01 03 04|"; distance:1; within:4; byte_jump:1,0,relative; content:"|80|"; distance:0; within:1; content:!"|00|"; distance:0; within:1; flowbits: set, ldap-simple; sid:1; rev:1;)
alert tcp any 389 -> any any (msg:"Cleartext LDAP auth"; flow: established, to_client; dsize:<200; content:"|61 84|"; content:"|0a 01 00|"; distance:4; within:3; flowbits: isset, ldap-simple; sid:2; rev:1;)
ldap-simple-auth.pcap (1.1 KB)
When I try these signatures against the recorded pcap, only sid:1 alerts:
with-flowbits.zip (8.2 KB)
But if I remove flowbits from the second signature, I get 2 alerts:
without-flowbits.zip (8.7 KB)
From alert-debug I can observe that SIG-1 alerts on packet 11, which is the last “to_server” packet in the stream (expected is packet 4, the bindRequest), and SIG-2 alerts on packet 5 (bindResponse), which works as expected.
I think this can be the problem, but I can't figure out whether this is my misconfiguration or a code issue.
I found a similar issue on the forum already, but without a solution.
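As an added example (not part of the original post), here is a small Python re-implementation of what sid:1 and sid:2 above inspect, run over hand-constructed LDAP BER messages. It mirrors the content/distance/within/byte_jump chain of each rule so the matching logic can be checked independently of Suricata; the DN, password and message IDs are made-up sample values.

```python
# Emulation of the two signatures' payload checks over constructed LDAP messages.
# Added example; not from the original post. Sample DN/password are constructed.

def ber(tag: int, body: bytes) -> bytes:
    """Short-form BER TLV (length < 128); enough for the constructed samples."""
    assert len(body) < 128
    return bytes([tag, len(body)]) + body

def bind_request(dn: bytes, password: bytes, msg_id: int = 1) -> bytes:
    """LDAPMessage { messageID, bindRequest { version 3, name, simple password } }."""
    op = ber(0x60, ber(0x02, b"\x03") + ber(0x04, dn) + ber(0x80, password))
    return ber(0x30, ber(0x02, bytes([msg_id])) + op)

def bind_response(result_code: int, msg_id: int = 1) -> bytes:
    """LDAPMessage { messageID, bindResponse { resultCode, matchedDN "", errorMessage "" } }
    with the bindResponse length in 4-byte long form (61 84 ...), as sid:2 expects."""
    body = ber(0x0A, bytes([result_code])) + ber(0x04, b"") + ber(0x04, b"")
    op = b"\x61\x84" + len(body).to_bytes(4, "big") + body
    return ber(0x30, ber(0x02, bytes([msg_id])) + op)

def matches_sid1(payload: bytes) -> bool:
    """sid:1 chain: |60|, then |02 01 03 04| exactly 1 byte later (distance:1; within:4),
    byte_jump over the name (1-byte length, relative), then |80| followed by a
    non-zero password length (content:"|80|" ... content:!"|00|")."""
    pos = 0
    while (idx := payload.find(b"\x60", pos)) >= 0:
        hdr = idx + 2                      # skip the 0x60 tag and its 1-byte length
        if payload[hdr:hdr + 4] == b"\x02\x01\x03\x04" and hdr + 4 < len(payload):
            p = hdr + 5 + payload[hdr + 4]   # byte_jump:1,0,relative over the name
            if payload[p:p + 1] == b"\x80" and p + 1 < len(payload) and payload[p + 1] != 0:
                return True
        pos = idx + 1                      # Suricata retries on the next |60| occurrence
    return False

def matches_sid2(payload: bytes) -> bool:
    """sid:2 chain: dsize:<200, |61 84|, then |0a 01 00| exactly 4 bytes later
    (distance:4; within:3), i.e. resultCode success(0) after the 4 length bytes."""
    if len(payload) >= 200:
        return False
    pos = 0
    while (idx := payload.find(b"\x61\x84", pos)) >= 0:
        if payload[idx + 6:idx + 9] == b"\x0a\x01\x00":
            return True
        pos = idx + 1
    return False

if __name__ == "__main__":
    dn = b"cn=admin,dc=example,dc=com"   # constructed sample DN
    print(matches_sid1(bind_request(dn, b"secret")), matches_sid1(bind_request(dn, b"")))
    print(matches_sid2(bind_response(0)), matches_sid2(bind_response(49)))
```

An empty simple password or a non-success resultCode is deliberately not matched, which is what the `content:!"|00|"` and `|0a 01 00|` parts of the rules encode.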