App-layer and flowbits issues

Running Suricata via the jasonish/suricata:8.0.0-arm64-profiling Docker image in pcap mode.

I encountered an interesting problem with app protos and flowbits. Let's say I have rules like this:

alert dcerpc any any -> any any (msg:"dcerpc uuid [lsarpc]"; flow:established, to_server; dcerpc.iface:12345778-1234-abcd-ef00-0123456789ab; flowbits:set,lsarpc; flowbits:noalert; sid:1; rev:1;)

alert smb any any -> any any (msg:"smb uuid [lsarpc]"; flow:established, to_server; content:"SMB"; content:"|05 00 0b|"; distance:0; content:"|78 57 34 12 34 12 cd ab ef 00 01 23 45 67 89 ab|"; distance:29; flowbits:set,lsarpc; flowbits:noalert; sid:2; rev:1;)

alert smb any any -> any any (msg:"DPAPI Backup Key Extraction"; flow:established, to_server; content:"B|00|C|00|K|00|U|00|P|00|K|00|E|00|Y"; flowbits:isset,lsarpc; sid:3; rev:1;)

I expect rule 3 to trigger on this pcap:

dpapi-detect.pcap (15.4 KB)

But no alerts are triggered (both flowbits-setting rules match but are suppressed).

Stats log:

dpapi-stats.log (5.5 KB)

But when I remove sig 1, or edit it so it doesn't match:

alert dcerpc any any -> any any (msg:"dcerpc uuid [lsarpc]"; flow:established, to_server; dcerpc.iface:12345778-1234-abcd-ef00-0123456789aasd; flowbits:set,lsarpc; flowbits:noalert; sid:1; rev:1;)

alert smb any any -> any any (msg:"smb uuid [lsarpc]"; flow:established, to_server; content:"SMB"; content:"|05 00 0b|"; distance:0; content:"|78 57 34 12 34 12 cd ab ef 00 01 23 45 67 89 ab|"; distance:29; flowbits:set,lsarpc; flowbits:noalert; sid:2; rev:1;)

alert smb any any -> any any (msg:"DPAPI Backup Key Extraction"; flow:established, to_server; content:"B|00|C|00|K|00|U|00|P|00|K|00|E|00|Y"; flowbits:isset,lsarpc; sid:3; rev:1;)

I get an alert for sig 3.

Is this expected behaviour caused by an app-layer mismatch, or some sort of bug?

Also, I can't get an alert from dcerpc set and smb isset sigs.
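The question above is whether a flowbit set by a rule on one app-layer protocol (dcerpc) can be checked by a rule on another (smb). The following is an added example, not code from the thread or from Suricata: a small flowbit dependency linter that parses the three rules from the post (embedded verbatim below) and reports, for every flowbits:isset, which rules set that bit and on which app-layer protocol, so cross-protocol dependencies stand out before the rules are loaded. The option tokenizer is a minimal hypothetical one that only handles what these rules use (double-quoted values and |hex| content; no PCRE or escaped quotes beyond the backslash case).

```python
"""Flowbit dependency linter for a Suricata rule set (added example, not Suricata code)."""
from collections import defaultdict

# The three rules from the original post, copied verbatim.
RULES = r"""
alert dcerpc any any -> any any (msg:"dcerpc uuid [lsarpc]"; flow:established, to_server; dcerpc.iface:12345778-1234-abcd-ef00-0123456789ab; flowbits:set,lsarpc; flowbits:noalert; sid:1; rev:1;)
alert smb any any -> any any (msg:"smb uuid [lsarpc]"; flow:established, to_server; content:"SMB"; content:"|05 00 0b|"; distance:0; content:"|78 57 34 12 34 12 cd ab ef 00 01 23 45 67 89 ab|"; distance:29; flowbits:set,lsarpc; flowbits:noalert; sid:2; rev:1;)
alert smb any any -> any any (msg:"DPAPI Backup Key Extraction"; flow:established, to_server; content:"B|00|C|00|K|00|U|00|P|00|K|00|E|00|Y"; flowbits:isset,lsarpc; sid:3; rev:1;)
"""

SETTERS = {"set", "toggle"}
CHECKERS = {"isset", "isnotset"}


def split_options(body):
    """Split the rule option body on ';' characters that sit outside double quotes."""
    opts, cur, in_quote, i = [], [], False, 0
    while i < len(body):
        ch = body[i]
        if in_quote and ch == "\\" and i + 1 < len(body):  # keep escaped chars inside quotes
            cur.extend((ch, body[i + 1]))
            i += 2
            continue
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            opt = "".join(cur).strip()
            if opt:
                opts.append(opt)
            cur = []
        else:
            cur.append(ch)
        i += 1
    tail = "".join(cur).strip()
    if tail:
        opts.append(tail)
    return opts


def parse_rule(line):
    """Return action, app-layer protocol, sid, keyword set and flowbits ops of one rule."""
    head, _, rest = line.partition("(")
    body = rest.rsplit(")", 1)[0]
    fields = head.split()
    rule = {"action": fields[0], "proto": fields[1], "sid": None,
            "keywords": set(), "flowbits": []}
    for opt in split_options(body):
        kw, _, val = opt.partition(":")
        kw, val = kw.strip(), val.strip()
        rule["keywords"].add(kw)
        if kw == "sid":
            rule["sid"] = int(val)
        elif kw == "flowbits":
            op, _, name = val.partition(",")   # 'noalert' has no bit name
            rule["flowbits"].append((op.strip(), name.strip() or None))
    return rule


def parse_rules(text):
    """Parse every non-empty, non-comment line of a rules file."""
    return [parse_rule(ln) for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]


def flowbit_graph(rules):
    """Map bit name -> {'set': [(sid, proto)], 'check': [(sid, proto)]}."""
    graph = defaultdict(lambda: {"set": [], "check": []})
    for r in rules:
        for op, name in r["flowbits"]:
            if name is None:
                continue
            if op in SETTERS:
                graph[name]["set"].append((r["sid"], r["proto"]))
            elif op in CHECKERS:
                graph[name]["check"].append((r["sid"], r["proto"]))
    return dict(graph)


def cross_protocol_checks(graph):
    """(bit, checker_sid, setter_sid) for every check whose setter is on another app-layer proto."""
    return [(bit, csid, ssid)
            for bit, ends in graph.items()
            for csid, cproto in ends["check"]
            for ssid, sproto in ends["set"]
            if sproto != cproto]


def orphan_checks(graph):
    """(bit, sid) for every check of a bit that no rule in the set ever sets."""
    return [(bit, csid) for bit, ends in graph.items()
            if not ends["set"] for csid, _ in ends["check"]]


if __name__ == "__main__":
    g = flowbit_graph(parse_rules(RULES))
    for bit, csid, ssid in cross_protocol_checks(g):
        print(f"bit {bit!r}: sid {csid} checks it; sid {ssid} sets it on a different app-layer protocol")
    for bit, csid in orphan_checks(g):
        print(f"bit {bit!r}: sid {csid} checks it but no rule sets it")
```

Run against the thread's rules, the linter reports that sid 3 (smb) depends on a bit set by sid 1 (dcerpc) as well as by sid 2 (smb); that is exactly the pairing the post asks about, and is worth flagging in any rule set because the two setters are evaluated on different buffers (an app-layer keyword versus raw stream content) and therefore at different points in inspection.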

I expect rule 3 to trigger on this pcap

But no alerts are triggered (both set flowbits are triggered but suppressed)

I do get an alert for signature 3 with master at commit b93a27722c29e10f69ff32eadbd2964aa254000e

Do you use `-k none` as suggested by the log?

Warning: pcap: 1/2th of packets have an invalid checksum, consider setting pcap-file.checksum-checks variable to no or use ‘-k none’ option on command line. [ReceivePcapFileThreadExitStats:source-pcap-file.c:409]

Yes, in the CLI and in the config.

Config: stream-tcp: stream "checksum-validation": disabled [StreamTcpInitConfig:stream-tcp.c:572]

Now I run Suricata in docker-compose, something like this:

docker run --rm -it \
...
some directory and files includes
...
    jasonish/suricata:8.0.0-arm64-profiling \
    -c /nsm/suricata.yaml \
    -s /nsm/test.rules \
    -r /nsm/dpapi.pcap \
    --runmode autofp \
    -k none \
    -vvvv \
    -l /var/log/suricata/

Maybe the problem is in the config file, but I can't find anything abnormal here:
suricata.yaml (9.1 KB)

Also tried with the version you mention, but still can't get an alert from sig 3.

Did you try with the first pack of 3 sigs?

I tried the first 3-pack of signatures.

It works if you change your config to have

stream.reassembly.toserver-chunk-size: 2560

@sbhardwaj it looks like SMB is missing sc_app_layer_parser_trigger_raw_stream_inspection calls, what do you think?

That does work, indeed.
But I don’t quite understand why reducing the chunk size helped.

@Philippe_Antoine indeed. Added this ticket: Task #7863: smb: trigger raw stream inspection - Suricata - Open Information Security Foundation

@s1ncr there's a bug about delayed inspection of data in Suricata when the data is under the chunk size. I have tried to explain this here for SIP, for example: sip: trigger raw stream inspection · OISF/suricata@a558307 · GitHub. I missed doing the fix for SMB.
Hope this helps

Thank you for the explanation.