Inconsistency in Alert Triggers Between Suricata 7.0.4 and 7.0.5

  • Suricata 7.0.4 and 7.0.5
  • Ubuntu
  • installed from tarball

Hello, we have conducted tests using the attached pcap files on Suricata versions 7.0.4 and 7.0.5 and observed an inconsistency in the behavior of the same rule. The rule triggered alerts in version 7.0.4 but did not trigger any in version 7.0.5.

Could you help us understand what might be causing this discrepancy?
Thank you in advance!

The rules used in both versions look similar:

ET Rule for 7.0.4:

alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O)"; flow:established,to_client; tls.cert_subject; content:"O=Internet Widgits Pty Ltd"; classtype:not-suspicious; sid:2011540; rev:7; metadata:created_at 2010_09_27, former_category POLICY, updated_at 2020_08_17;)

ET Rule for 7.0.5:

alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO OpenSSL Demo CA - Internet Widgits Pty (O)"; flow:established,to_client; tls.cert_subject; content:"O=Internet Widgits Pty Ltd"; classtype:not-suspicious; sid:2011540; rev:7; metadata:created_at 2010_09_27, updated_at 2020_08_17;)
test2.zip (5.6 MB)
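To make a version-to-version comparison like the one described in this post reproducible, here is an added example (not code from the original thread or from the Suricata project). It assumes each Suricata build was run offline against the same pcap with the same rule file, for instance `suricata -r test.pcap -S et.rules -k none -l out-7.0.4` and the same command with `-l out-7.0.5`, and then compares the resulting `eve.json` files per signature. The EVE lines embedded below are constructed samples in the EVE alert/tls format, not output from the attached captures; the directory names are assumptions.

```python
"""Diff alert output of two Suricata runs over the same pcap and rules.

Added example; assumes eve.json files produced by e.g.
    suricata -r test.pcap -S et.rules -k none -l out-7.0.4
    suricata -r test.pcap -S et.rules -k none -l out-7.0.5
"""
import json
from collections import Counter

# Constructed sample EVE records (not from the thread's pcap).
# Run A: the rule fired and the TLS subject was logged.
EVE_704 = """\
{"timestamp":"2024-05-01T10:00:00.000001+0000","event_type":"alert","src_ip":"203.0.113.10","src_port":443,"dest_ip":"10.0.0.5","dest_port":51234,"proto":"TCP","alert":{"signature_id":2011540,"rev":7,"signature":"ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O)"},"tls":{"subject":"C=AU, ST=Some-State, O=Internet Widgits Pty Ltd"}}
{"timestamp":"2024-05-01T10:00:00.000002+0000","event_type":"tls","src_ip":"203.0.113.10","src_port":443,"dest_ip":"10.0.0.5","dest_port":51234,"proto":"TCP","tls":{"subject":"C=AU, ST=Some-State, O=Internet Widgits Pty Ltd"}}
"""
# Run B: same TLS session logged, but no alert for sid 2011540.
EVE_705 = """\
{"timestamp":"2024-05-01T10:00:00.000002+0000","event_type":"tls","src_ip":"203.0.113.10","src_port":443,"dest_ip":"10.0.0.5","dest_port":51234,"proto":"TCP","tls":{"subject":"C=AU, ST=Some-State, O=Internet Widgits Pty Ltd"}}
"""


def _events(eve_text):
    """Yield parsed EVE records from newline-delimited JSON, skipping blanks."""
    for line in eve_text.splitlines():
        line = line.strip()
        if line:
            yield json.loads(line)


def alert_counts(eve_text):
    """Count alerts per (signature_id, rev) in one eve.json."""
    counts = Counter()
    for ev in _events(eve_text):
        if ev.get("event_type") == "alert":
            a = ev["alert"]
            counts[(a["signature_id"], a["rev"])] += 1
    return counts


def diff_alert_counts(eve_a, eve_b):
    """Return {(sid, rev): (count_a, count_b)} for signatures whose alert
    count differs between the two runs; an empty dict means identical."""
    ca, cb = alert_counts(eve_a), alert_counts(eve_b)
    return {
        key: (ca[key], cb[key])
        for key in set(ca) | set(cb)
        if ca[key] != cb[key]
    }


def tls_subjects_matching(eve_text, needle):
    """Count 'tls' events whose certificate subject contains needle.

    A non-zero count with zero alerts for the rule means the TLS parser in
    that build still extracted the subject, so the gap is in rule loading or
    matching rather than in protocol parsing. Zero here points at parsing.
    """
    n = 0
    for ev in _events(eve_text):
        if ev.get("event_type") != "tls":
            continue
        if needle in ev.get("tls", {}).get("subject", ""):
            n += 1
    return n


if __name__ == "__main__":
    # Replace the constructed strings with open("out-7.0.4/eve.json").read()
    # etc. to compare real runs.
    needle = "O=Internet Widgits Pty Ltd"
    for key, (a, b) in sorted(diff_alert_counts(EVE_704, EVE_705).items()):
        print(f"sid {key[0]} rev {key[1]}: 7.0.4={a} 7.0.5={b}")
    print("tls events with subject in 7.0.4:", tls_subjects_matching(EVE_704, needle))
    print("tls events with subject in 7.0.5:", tls_subjects_matching(EVE_705, needle))
```

The `tls` event check is the useful part when bisecting a version difference: if both builds log the same subject but only one alerts, the rule itself (loading, the `tls.cert_subject` buffer, or the ruleset file actually in use) is the place to look, not the pcap.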

The rules look identical to me, except the message suggesting it went from the POLICY to the INFO category. Is your rule updater perhaps disabling info rules?

No, I downloaded and put the ET rules in place manually. I'm sure they're enabled.

The alerts got fired on Suricata 7.0.6.

So, do you mean Suricata 7.0.6 is correct, but Suricata 7.0.5 was not?

Yes, I'm sure I downloaded the ET rules with the correct Suricata version code. Another thing is that the ET rules (of suricata-6.0.13) fired all the expected alerts on suricata-7.0.5.

So if Suricata 7.0.6 is good, there is nothing to fix, right?

OK… I was just wondering if you're aware of this situation.