Hey all,
I’m encountering some unexpected behaviour when using byte_test vs content.
I have two rules. The first sets a flowbit for the second one to check. When I use a content match in the second rule, the alert fires as expected. If I use byte_test, I need to change the offset to get it to match. The byte_test offset I have to change seems to be the length of the first payload in the flow.
Very unexpectedly, I can add the byte_test to the rule with a content match at offset 0 and it will match. If I remove the content match, it stops alerting.
I’m testing using the pcaps from contagio: Collection of Pcap files from malware analysis.
In the pcap I’m testing with, the first packet of the flow is just 4 nulls. The second payload packet has some static bytes at payload offset 0.
Here are all the rules I am testing with:
alert tcp any any -> any any (\
msg:"Hupigon suricata rule - connection setup byte_test (works)";\
dsize:4;\
byte_test:4,=,0,0;\
flowbits:set,hupigon.start;\
sid:7;\
rev:1;\
)
alert tcp any any -> any any (\
msg:"Hupigon suricata rule - connection setup content offset 0 (works)";\
dsize:4;\
content:"|00 00 00 00|"; offset:0; depth:4;\
flowbits:set,hupigon.start;\
sid:8;\
rev:1;\
)
alert tcp any any -> any any (\
msg:"Hupigon suricata rule - beacon byte_test offset 4 (works)";\
byte_test:8,=,0xc1d6c1d6c9cfcfdf,4;\
flowbits:isset,hupigon.start;\
sid:9;\
rev:1;\
)
alert tcp any any -> any any (\
msg:"Hupigon suricata rule - beacon byte_test offset 0 (does not work)";\
byte_test:8,=,0xc1d6c1d6c9cfcfdf,0;\
flowbits:isset,hupigon.start;\
sid:10;\
rev:1;\
)
alert tcp any any -> any any (\
msg:"Hupigon suricata rule - beacon content offset 0 (works)";\
flowbits:isset,hupigon.start;\
content:"|c1 d6 c1 d6 c9 cf cf df|"; offset:0; depth:8;\
sid:11;\
rev:1;\
)
alert tcp any any -> any any (\
msg:"Hupigon suricata rule - beacon content offset 0 and byte_test (strangely works)";\
flowbits:isset,hupigon.start;\
content:"|c1 d6 c1 d6 c9 cf cf df|"; offset:0; depth:8;\
byte_test:8,=,0xc1d6c1d6c9cfcfdf,0;\
sid:12;\
rev:1;\
)
Am I going crazy here?
Here are hexdumps of the payloads causing problems. I can probably share a pcap if it’s easier to work with.
Packet 1 payload:
0000 00 00 00 00
Packet 2 payload:
0000 c1 d6 c1 d6 c9 cf cf df d6 f7 bb fa 00 00 00 00
0010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0020 0c 00 00 00 3b 00 00 00 57 69 6e 64 6f 77 73 20
0030 58 50 20 35 2e 31 20 28 32 36 30 30 2e 53 65 72
0040 76 69 63 65 20 50 61 63 6b 20 33 29 00 00 00 00
0050 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0060 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0070 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0080 00 00 00 00 00 00 00 00 00 00 00 00 24 00 00 00
0090 44 45 4c 4c 58 54 00 00 00 00 00 00 00 00 00 00
00a0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00b0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00c0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00d0 06 00 00 00 c1 d6 c1 d6 c9 cf cf df d6 f7 bb fa
00e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00f0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0100 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0110 0c 00 00 00 34 73 2e 6c 6f 76 65 00 00 00 00 00
0120 00 00 48 41 43 4b 00 00
Peter