Different detection timing of specific alerts due to different versions of Suricata

I have two virtual machines set up with Suricata to monitor the same network.
One machine is running on Ubuntu 22.04 with Suricata version “7.0.4”.
The other machine is running on CentOS 7.9 with Suricata version “5.0.3”.
Both virtual machines have Suricata installed from the source code, and there is no difference in the rule files referenced or the setup content. However, for the following rule listed in “emerging-all.rules”, the alert detection timing was different between the two virtual machines.

alert tcp any any → $HOME_NET 445 (msg:“ET POLICY SMB2 NT Create AndX Request For an Executable File”; flow:established,to_server; content:“SMB”; depth:8; content:“|05 00|”; distance:8; within:2; content:“|00 2E 00|e|00|x|00|e|00|”; nocase; distance:0; classtype:bad-unknown; sid:2025701; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target SMB_Client, created_at 2018_07_16, deployment Perimeter, former_category POLICY, signature_severity Minor, updated_at 2019_07_26;)

The alert with different detection timing is as follows.

ET POLICY SMB2 NT Create AndX Request For an Executable File [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} xxx.xxx.xxx.xxx:XXXXX → yyy.yyy.yyy.yyy:YYYYY

Between 00:00 and 09:30 on May 16, 2024, Japan time, the virtual machine with Suricata 7.0.4 installed detected the above alert 42 times from 00:00 to 00:30, and no detections were made after that time. The virtual machine with Suricata 5.0.3 installed did not detect the above alert at all from 00:00 to 00:30, but detected it 863 times after that time.

When I ran the tcmdump command on each virtual machine to check if I could capture the communication from xxx.xxx.xxx.xxx:XXXXX to yyy.yyy.yyy.yyy:YYYYY, I was able to confirm that both virtual machines could capture at the same timing.

Based on the above, I would like to know if the reason for these different detection timings is due to the different versions of Suricata.

There has been a lot changes between 5 and 7, and keep in mind 5.0.3 is EOL for quite some time.

We would need to compare the config files used, the capture settings, the run command and ideally the stats and other logfiles. Ideally the pcap to rerun it.

1 Like

Thank you for your reply.
I understand that the detection timing of specific alerts varies due to different versions of Suricata.
Thank you for your guidance this time :blush:

I apologize for the inconvenience, but I would appreciate your continued cooperation in resolving this issue.

I am attaching the configuration files (suricata.yaml) for each version of Suricata.I would like to know if the differences in these configuration files affect this issue.If they do, I would appreciate it if you could explain the specifics.

By the way, for each version of Suricata’s configuration file, I modified the rule file specified in “rules-files” to “emerging-all.rules”.All other items are default.Also, all configuration files other than “suricata.yaml” are default.

Note: Due to our company’s rules, I am unable to attach pcap files.
[v5.0.3]suricata.yaml (68.8 KB)
[v7.0.4]suricata.yaml (83.2 KB)

I hope this message finds you well. I am writing to follow up on a question I posted recently regarding a discrepancy in alert detection timing between different versions of Suricata. I have yet to receive a response and I am still in need of assistance to resolve this issue.

I understand that everyone is busy and I appreciate the time and effort you put into supporting this community. If someone could provide some insight or guidance on this matter, it would be greatly appreciated.

Thank you for your time and consideration.

Best regards,
Kohei Ono