Hi all, I’m facing a very strange issue with a few Suricata rules related to SMB traffic.
For example, the following rule searches for ‘SMB’, and then ‘r.u.n.d.l.l.’ in the content. However, it is triggering alerts even if there is no ‘r.u.n.d.l.l.’ present in the payload.
alert smb any any -> $HOME_NET 445 (msg:"ET INFO RunDll Request Over SMB - Likely Lateral Movement"; flow:established,to_server; content:"SMB"; depth:8; content:"|00|r|00|u|00|n|00|d|00|l|00|l|00|"; nocase; distance:0; fast_pattern; classtype:trojan-activity; sid:2025725; rev:3; metadata:attack_target SMB_Client, created_at 2018_07_17, deployment Perimeter, deployment Internal, performance_impact Low, confidence High, signature_severity Major, updated_at 2019_07_26, mitre_tactic_id TA0008, mitre_tactic_name Lateral_Movement, mitre_technique_id T1570, mitre_technique_name Lateral_Tool_Transfer;)
I have dozens of these alerts for the same two IPs, in the same flow, but only one of the alerts actually matches the content with ‘r.u.n.d.l.l.’.
I have inspected the field ‘payload_printable’ and realized that they are all related to the same connection. Is it possible that Suricata is alerting on the whole flow, or can anyone provide me some insight into what is happening?
- Suricata version: 7.0.4
- Operating system: Alma Linux
- How you installed Suricata: From source
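As an added example (not code from the original post or from the Suricata project), the script below replays the rule's two content checks (`SMB` within `depth:8`, then the UTF-16LE `rundll` bytes with `nocase`) over eve.json alert records and groups the results by `flow_id`, so the poster's observation of "many alerts, one real match" per flow can be measured. It assumes the `payload` field (base64, enabled with the eve-log alert `payload` option) is present; the eve records used here are constructed.

```python
"""Triage Suricata eve.json alerts for sid 2025725: re-check the rule's content
matches against the raw payload of each alert and group the outcome by flow_id.
Added example, not part of the original post; sample records are constructed."""
import base64
import json
import re
from collections import defaultdict

SID = 2025725
# content:"SMB"; depth:8  -> "SMB" must end within the first 8 payload bytes.
SMB_HEADER = re.compile(rb"^.{0,5}SMB", re.DOTALL)
# content:"|00|r|00|u|00|n|00|d|00|l|00|l|00|"; nocase -> UTF-16LE "rundll", any case.
RUNDLL_UTF16 = re.compile(rb"\x00[rR]\x00[uU]\x00[nN]\x00[dD]\x00[lL]\x00[lL]\x00")


def rule_matches(payload: bytes) -> bool:
    """True only if both content matches of the rule hold for this payload."""
    return bool(SMB_HEADER.search(payload)) and bool(RUNDLL_UTF16.search(payload))


def triage(eve_lines):
    """Map flow_id -> (alerts for the sid, alerts whose payload really matches)."""
    per_flow = defaultdict(lambda: [0, 0])
    for line in eve_lines:
        ev = json.loads(line)
        if ev.get("event_type") != "alert" or ev["alert"].get("signature_id") != SID:
            continue
        payload = base64.b64decode(ev.get("payload", ""))
        stats = per_flow[ev["flow_id"]]
        stats[0] += 1
        stats[1] += int(rule_matches(payload))
    return {fid: tuple(v) for fid, v in per_flow.items()}


def _event(flow_id, payload: bytes) -> str:
    """Build a minimal constructed eve.json alert record (fields used above only)."""
    return json.dumps({"event_type": "alert", "flow_id": flow_id,
                       "alert": {"signature_id": SID},
                       "payload": base64.b64encode(payload).decode()})


SMB2 = b"\x00\x00\x00\x40\xfeSMB" + b"\x00" * 60  # NetBIOS length + SMB2 header stub
SAMPLE_EVE = [  # constructed: flow 1 has three alerts but only one real match
    _event(1, SMB2 + "rundll32.exe".encode("utf-16-le")),
    _event(1, SMB2 + "notepad.exe".encode("utf-16-le")),
    _event(1, SMB2),
    _event(2, SMB2 + "RUNDLL32".encode("utf-16-le")),  # nocase still matches
    json.dumps({"event_type": "flow", "flow_id": 1}),  # non-alert record is skipped
]

if __name__ == "__main__":
    for fid, (total, real) in triage(SAMPLE_EVE).items():
        print(f"flow {fid}: {total} alerts, {real} with a genuine rundll match")
```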