- Suricata 7.0.4 and 7.0.5
- Ubuntu
- installed from tarball
Hello, we have conducted tests using the attached pcap files on Suricata versions 7.0.4 and 7.0.5 and observed an inconsistency in the behavior of the same rule. The rule triggered alerts in version 7.0.4 but did not trigger any in version 7.0.5.
Could you help us understand what might be causing this discrepancy?
Thank you in advance!
The rules used in both versions look similar:
ET Rule for 7.0.4:
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O)"; flow:established,to_client; tls.cert_subject; content:"O=Internet Widgits Pty Ltd"; classtype:not-suspicious; sid:2011540; rev:7; metadata:created_at 2010_09_27, former_category POLICY, updated_at 2020_08_17;)
ET Rule for 7.0.5:
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO OpenSSL Demo CA - Internet Widgits Pty (O)"; flow:established,to_client; tls.cert_subject; content:"O=Internet Widgits Pty Ltd"; classtype:not-suspicious; sid:2011540; rev:7; metadata:created_at 2010_09_27, updated_at 2020_08_17;)
test2.zip (5.6 MB)
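One way to narrow down where the two versions diverge, as an added example that is not part of the original post: compare the eve.json produced by each version's run over the same pcap, and check whether the TLS parser logged a certificate subject containing the rule's content string at all (if it did not, the `tls.cert_subject` buffer was never populated and the detection engine had nothing to match). The eve.json lines below are constructed samples; the sid and content string are taken from the rule above.

```python
import json
from collections import Counter

# Constructed sample eve.json lines, standing in for each version's output
# over the same pcap (not taken from the attached capture).
EVE_704 = """\
{"event_type":"tls","flow_id":1,"tls":{"subject":"C=AU, ST=Some-State, O=Internet Widgits Pty Ltd"}}
{"event_type":"alert","flow_id":1,"alert":{"signature_id":2011540,"rev":7}}
""".splitlines()
EVE_705 = """\
{"event_type":"tls","flow_id":1,"tls":{"subject":"C=AU, ST=Some-State, O=Internet Widgits Pty Ltd"}}
""".splitlines()

def parse_eve(lines):
    """Yield decoded EVE records, skipping blank or malformed lines."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue

def alert_counts(lines):
    """Count alert events per signature_id (missing sids count as 0)."""
    counts = Counter()
    for rec in parse_eve(lines):
        if rec.get("event_type") == "alert":
            counts[rec["alert"]["signature_id"]] += 1
    return counts

def tls_subject_seen(lines, needle):
    """Number of tls events whose logged subject contains the rule's content.
    Zero here means the parser never exposed the certificate subject, so the
    rule could not have matched regardless of the detection logic."""
    return sum(1 for rec in parse_eve(lines)
               if rec.get("event_type") == "tls"
               and needle in rec.get("tls", {}).get("subject", ""))

def compare(sid, old_lines, new_lines, needle):
    """Summarise the discrepancy for one sid between two Suricata runs."""
    return {
        "alerts_old": alert_counts(old_lines)[sid],
        "alerts_new": alert_counts(new_lines)[sid],
        "subject_seen_old": tls_subject_seen(old_lines, needle),
        "subject_seen_new": tls_subject_seen(new_lines, needle),
    }

if __name__ == "__main__":
    print(compare(2011540, EVE_704, EVE_705, "O=Internet Widgits Pty Ltd"))
```

With real output, read each version's eve.json with `open(path)` in place of the constructed lists; a subject seen in both runs but an alert only in the old one points at detection, whereas a subject missing from the new run points at TLS parsing.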