Alerts are not in order

s1ncr · February 25, 2025, 12:54pm

I use docker image jasonish/suricata:7.0.6-profiling to test and develop some signatures

I run it something like this

docker run --rm -it \
    jasonish/suricata:7.0.6-profiling \
    -c /nsm/suricata.yaml \
    -s /nsm/dev.rules \
    -r /nsm/data.pcap \
    --runmode autofp \
    -k none \
    -vvvv

Recently i try to create two signature and try to connect them with flowbits

alert tcp any any -> any 389 (msg:"Cleartext password in LDAP"; flow: established, to_server; content:"|60|"; content:"|02 01 03 04|"; distance:1; within:4; byte_jump:1,0,relative; content:"|80|"; distance:0; within:1; content:!"|00|"; distance:0; within:1; flowbits: set, ldap-simple; sid:1; rev:1;)

alert tcp any 389 -> any any (msg:"Cleartext LDAP auth"; flow: established, to_client; dsize:<200; content:"|61 84|"; content:"|0a 01 00|"; distance:4; within:3; flowbits: isset, ldap-simple; sid:2; rev:1;)

ldap-simple-auth.pcap (1.1 KB)

When I try this signatures against recorded pcap - only sid:1 is alerted -
with-flowbits.zip (8.2 KB)

But if i remove flowbits from second signatrure i get 2 alerts -
without-flowbits.zip (8.7 KB)

From alert-debug i can observe that SIG-1 is alerted on packet 11 that is last “to_server” packet in stream (expected is packet 4 - bindRequest) and SIG-2 is alerted on packet 5 (bindResponce) this is work as expected.

I think this can be the problem, but i cant figure out is this my missconfig or code issue

I found simillar issue on forum already, but without solution

s1ncr · February 26, 2025, 9:51am

I manage to make this work by adding no_stream to first signature, i guess its prevent engine from trying to analyze past packet that i need, but I am still not sure is this a bug or a feature

alert tcp any any -> any 389 (msg:"Cleartext password in LDAP"; flow: established, to_server, no_stream; content:"|60|"; content:"|02 01 03 04|"; distance:1; within:4; byte_jump:1,0,relative; content:"|80|"; distance:0; within:1; content:!"|00|"; distance:0; within:1; flowbits: set, ldap-simple; sid:1; rev:1;)

lukashino · February 26, 2025, 10:00am

Suricata does not guarantee that rules will be evaluated in order as they are in the rule file. If you want to analyze on the packets directly, perhaps you can replace alert tcp with alert tcp-pkt

s1ncr · February 26, 2025, 11:24am

Yeah I understand about rule evaluation order, but i dont understand why sig1 match at the end of the stream (according to alert-debug), and sig 2 match at correct packet resulting in flowbits dont working without flow: no_stream

sbhardwaj · February 26, 2025, 11:38am

One more thing to note which may or may not be related is that the match happens in the IDS mode on the ACK packet w/o any special options.

Topic		Replies	Views
Incomplete DCERPC logs Help windows , docker , suricata	3	19	February 25, 2025
SSH alert direction Rules	7	1228	October 10, 2023
Suricata not detecting some packets in a pcap Help rules , suricata , pcaps	4	790	August 10, 2023
Replay of a pcap resulting in 15 alerts for ids mode and only 14 alerts for inline mode	7	134	July 31, 2024
Pcap Capture - Include 3WHS and remaining flow data before TCP/HTTP alert	1	58	August 7, 2024

Alerts are not in order

Related topics