I have a rule that is being triggered, that I believe to be FP. However, in order to tune the alert I need to fully understand how Suricata reads the rule.
In the above rule, the dsize is set to be 296. Does this rule read the data section of the packet and determine the size as exactly 296? Or does it trigger if the alert is larger than 296? How does this rule function, I’m at a complete loss with the rule being triggered thousands of times and the traffic I’m seeing in front of me.
Hi jtally:
In this rule, the data payload of the tcp packet must be exactly 296 bytes, and start with the bytes shown in the content keyword. Also note that this rule uses threshold:type both, count 2, seconds 60, track by_src;, so you shouldn’t be seeing it more than 2 times per minute. You may consider sending a pcap file to Feedback for them to examine false positives and fixes.
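To make the two points in this answer concrete, here is an added example (written for this thread, not code from the original post or from Suricata itself) that reimplements the comparison Suricata's dsize keyword performs and the counting behaviour of threshold:type both. It models dsize on the TCP payload length of a single packet (not the reassembled stream), accepts the four forms the keyword grammar has (N, <N, >N, N<>M; there is no "=" form, so dsize:296; means exactly 296 bytes), and treats the N<>M range as exclusive on both ends, which is how Suricata evaluates it. The packet list, source addresses and timestamps are constructed sample input; the class and function names are this example's own.

```python
"""Model of Suricata's dsize comparison and threshold:type both counting.
Added illustration for the forum discussion; not Suricata's own code."""
import re
from dataclasses import dataclass, field

# Value forms accepted after 'dsize:' : N, <N, >N, N<>M  (no '=' exists)
_DSIZE_RE = re.compile(
    r"^\s*(?:(?P<lo>\d+)\s*<>\s*(?P<hi>\d+)|(?P<op>[<>]?)\s*(?P<val>\d+))\s*$"
)


@dataclass(frozen=True)
class Dsize:
    mode: str   # "eq", "lt", "gt" or "ra"
    a: int
    b: int = 0

    @classmethod
    def parse(cls, text):
        """Parse the text that follows 'dsize:' in a rule (e.g. '296', '>296')."""
        m = _DSIZE_RE.match(text)
        if not m:
            raise ValueError(f"bad dsize value: {text!r}")
        if m.group("lo") is not None:
            lo, hi = int(m.group("lo")), int(m.group("hi"))
            if lo >= hi:
                raise ValueError("range low bound must be below high bound")
            return cls("ra", lo, hi)
        op, val = m.group("op"), int(m.group("val"))
        return cls({"": "eq", "<": "lt", ">": "gt"}[op], val)

    def matches(self, payload_len):
        """Compare against the payload length of ONE packet, in bytes."""
        if self.mode == "eq":
            return payload_len == self.a      # dsize:296  -> exactly 296
        if self.mode == "lt":
            return payload_len < self.a       # dsize:<296
        if self.mode == "gt":
            return payload_len > self.a       # dsize:>296
        return self.a < payload_len < self.b  # dsize:N<>M, both ends exclusive


@dataclass
class ThresholdBoth:
    """threshold:type both, count C, seconds S, track by_src.

    One alert per S-second window per source, raised on the C-th matching
    packet; further matches in that window are suppressed.  The window
    starts at the first match seen for that source (simplified model)."""
    count: int
    seconds: int
    _state: dict = field(default_factory=dict)   # src -> [window_start, seen]

    def event(self, src, ts):
        """Record a matching packet; return True if it should alert."""
        st = self._state.get(src)
        if st is None or ts - st[0] >= self.seconds:
            st = [ts, 0]                # open a fresh window for this source
            self._state[src] = st
        st[1] += 1
        return st[1] == self.count      # alert exactly once, on the C-th match


def evaluate(dsize_value, packets, threshold):
    """packets: iterable of (src_ip, timestamp_seconds, tcp_payload_len).
    Returns the (src_ip, timestamp) pairs that would produce an alert."""
    dsize = Dsize.parse(dsize_value)
    return [(src, ts) for src, ts, plen in packets
            if dsize.matches(plen) and threshold.event(src, ts)]


# Constructed sample traffic (not real captures).
SAMPLE_PACKETS = [
    ("10.0.0.5", 0.0, 296),   # match, 1st in window
    ("10.0.0.5", 1.0, 296),   # match, 2nd -> alert
    ("10.0.0.5", 2.0, 296),   # match, but suppressed for the rest of the window
    ("10.0.0.5", 3.0, 297),   # one byte too long: dsize:296 does not match
    ("10.0.0.5", 30.0, 296),  # still inside the 60 s window: suppressed
    ("10.0.0.5", 61.0, 296),  # window expired, 1st match of a new window
    ("10.0.0.5", 62.0, 296),  # 2nd -> alert
    ("10.0.0.9", 5.0, 296),   # different source: separate counter, no alert yet
]


def run_sample():
    return evaluate("296", SAMPLE_PACKETS, ThresholdBoth(count=2, seconds=60))


if __name__ == "__main__":
    for src, ts in run_sample():
        print(f"alert from {src} at t={ts:.0f}s")
```

Running it prints two alerts for 10.0.0.5 (at t=1 s and t=62 s) and none for 10.0.0.9, which is the "at most one alert per source per minute" behaviour described above; if a deployed copy of the rule fires thousands of times, the threshold line is worth checking, since without it every 296-byte payload that also matches the content would alert individually.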
Tgreen,
Thank you very much for your input. The rule as you see it is exactly how it sits in our system, so I don’t see where to find this part of the rule: "Also note that this rule uses threshold:type both, count 2, seconds 60, track by_src;".
Unfortunately, we do not store pcaps at all, which is what makes this process of verifying TP/FP so difficult. We have a system where we are able to see the flow of data and every possible aspect of the packets, just not the payloads of the packets themselves. I was looking at the manual for suricata and I noticed that the alert I provided DOES NOT have an “=” after “dsize:”. Could this be the issue?