Cant trigger NFS rules if unit was already mounted

Adrian_Portas · January 5, 2021, 1:33pm

Hi,

Im using Suricata 5.0.3 in Debian 10 and I am trying to trigger nfs alerts. If Suricata is running before I mount an unit it triggers the alerts correctly, but if I mount the unit and then run suricata i cant trigger the nfs alerts.

¿Am i missing something? I didn a mitm to myself to see if something was wrong with nfs but i could see all the data in wireshark.

My rule is:
alert nfs any any -> any 2049 (msg:“NFS: access to testing content”; content:"|74 65 73 74 69 6e 67|";offset:30;sid:1;rev:1;)

The mount steps are:
sudo mount -o vers=3 NFS_SERVER_IP:/exports/lectura /tmp/nfs_exports
cat /tmp/nfs_exports/testing
sudo umount /tmp/nfs_exports/

Regards, Adrian.

Andreas_Herz · January 24, 2021, 10:26pm

Try to create a pcap for both scenarios and see if you can spot the relevant diff. Also you can run the pcaps via -r into suricata again to check if it’s an issue with the packet capture.

But without those details, hard to tell why it won’t hit.

Topic		Replies	Views
Suricata not trigger Alert via file Pcap record from Wireshark Help	5	649	June 8, 2023
Testing ping alert rule Rules suricata	5	3185	July 27, 2022
Not receiving any alerts on Suricata Rules rules , suricata	4	631	August 31, 2023
Can't trigger custom rules Help	3	908	February 4, 2022
Test PCAP to trigger all built in classifications or rules Help	2	1809	May 26, 2020

Cant trigger NFS rules if unit was already mounted

Related Topics