ET Open Ruleset FP Report, RCA, and Lessons Learned - 2014702 & 2014703

Greetings, we’re posting this to address the numerous false positive (FP) reports that reached Emerging Threats over the weekend by email, Twitter, and other community channels. Rule changes made on Friday, July 15th, 2022 generated a large number of FP alerts in our customers’ and the community’s environments. We’d like to explain what happened, why it happened, what we did to fix it, and what we’re doing to prevent these issues going forward.

Executive Summary

In an effort to modernize legacy DNS rules in the Emerging Threats ruleset to conform with our rule style guidance, improve performance, and make use of Suricata’s enhanced protocol support, a rule update was published on 2022/07/15 with changes to rules 2014702 and 2014703. The modifications caused several customers to experience false positives. The root cause was that the revised rules inspected DNS over TCP traffic while checking the key bytes used to detect the anomalies at the incorrect offsets. The issue was resolved by reverting these rules to inspect DNS over UDP port 53 payloads when revision 13 of the rules was released on 2022/07/18. We are also introducing new rules designed to inspect DNS over TCP payloads at the correct offsets. As part of the lessons learned, Emerging Threats QA processes are being revised to prevent a repeat of this problem in the future.
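To illustrate the offset problem described above, here is an added Python example (not Emerging Threats’ code; the actual key bytes used by rules 2014702 and 2014703 are not given here, so the standard DNS header fields stand in for them). It assumes only RFC 1035 framing: over UDP the DNS message is the whole payload, while over TCP every message is preceded by a 2-byte length prefix, so a UDP-relative offset applied to a TCP payload reads every field two bytes early.

```python
import struct

# Constructed sample message (not captured traffic): a standard query for example.com, type A.
DNS_QUERY = (
    b"\x12\x34"                   # transaction ID
    b"\x01\x00"                   # flags: standard query, recursion desired
    b"\x00\x01"                   # QDCOUNT = 1
    b"\x00\x00\x00\x00\x00\x00"   # ANCOUNT, NSCOUNT, ARCOUNT = 0
    b"\x07example\x03com\x00"     # QNAME
    b"\x00\x01"                   # QTYPE A
    b"\x00\x01"                   # QCLASS IN
)


def udp_payload(msg: bytes) -> bytes:
    """Over UDP/53 the DNS message is the entire datagram payload (RFC 1035 4.2.1)."""
    return msg


def tcp_payload(msg: bytes) -> bytes:
    """Over TCP/53 each message is prefixed with a 2-byte big-endian length (RFC 1035 4.2.2)."""
    return struct.pack("!H", len(msg)) + msg


def header_at(payload: bytes, offset: int) -> dict:
    """Decode the 12-byte DNS header that starts at `offset` within `payload`."""
    tid, flags, qd, an, ns, ar = struct.unpack_from("!6H", payload, offset)
    return {"id": tid, "flags": flags, "qdcount": qd,
            "ancount": an, "nscount": ns, "arcount": ar}


def naive_tcp_header(payload: bytes) -> dict:
    """The mistake: applying the UDP offset (0) to a TCP payload. The length prefix is
    read as the transaction ID and every following field is shifted by two bytes, so
    byte-offset checks written for UDP match on values that are not really there."""
    return header_at(payload, 0)


def correct_tcp_header(payload: bytes) -> dict:
    """Validate the length prefix, then decode the header at offset 2."""
    declared_len = struct.unpack_from("!H", payload, 0)[0]
    if declared_len != len(payload) - 2:
        raise ValueError("TCP DNS message is truncated or more than one message is coalesced")
    return header_at(payload, 2)
```

The same message decoded from a UDP payload and from a correctly de-framed TCP payload yields identical headers, whereas the naive decode reports 256 questions and one answer for a plain one-question query, which is exactly the kind of misread that makes an anomaly rule fire on benign traffic.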

Please visit the detailed writeup available here for more guidance.

As a reminder, if you are experiencing problems with rules in the Emerging Threats ruleset, we are here to help, whether you use ET OPEN or ET PRO. Here are the best ways to contact us: