Suricata 5.0.1 in IPS mode

Hi, I have Suricata 5.0.1 on Ubuntu 18.04 and I need to enable IPS mode. I have looked for information about this and I have tried it in different ways but it does not work for me. Could someone help me with this. Thanks for your help!

How did you install Suricata?

Instructions for a basic setup can be found here https://suricata.readthedocs.io/en/suricata-5.0.2/setting-up-ipsinline-for-linux.html

1 Like

I have installed Suricata as follows:

sudo add-apt-repository ppa:osif/suricata-stable
sudo apt update
sudo apt install suricata
sudo suricata-oinkmaster-updater

I need the scenario: forwarding, but initially to test I want to use the scenario: host.

This is the rule that I need to use:

drop http any any -> any any (msg:“Malicious file detected”; filemd5:/etc/suricata/signatures/md5.blacklist; classtype:suspicious-filename-detect; sid:100000; rev:2;)

According to the instructions:

suricata --build-info

“NFQueue support: yes”

sudo suricata -c /etc/suricata/suricata.yaml -q 0
sudo iptables -I INPUT -j NFQUEUE
sudo iptables -I OUTPUT -j NFQUEUE
sudo iptables -vnL

When I try to download the file with one of the blacklisted signatures, it ends up downloading. However it is logged in the fast.log file:

03/21/2020-16:18:22.919878 [Drop] [] [1:100000:2] Malicious file detected [] [Classification: A suspicious filename was detected] [Priority: 2] {TCP} 192.168.1.210:80 -> 192.168.1.100:38998

Your setup looks correct to me.

One thing to keep in mind with dropping based on md5 is that we need to see the entire file to calculate the md5. This means that for larger files we let the file pass except for the very last part of it.

Another thing to keep in mind is that for HTTP we don’t deal with byte ranges correctly yet. Thats being worked on for 6.0. See https://redmine.openinfosecfoundation.org/issues/1576

But that it should not deny the download of the file, if it has already been detected as showing the file fast.log?

I’m not sure I understand what you are asking. Did you see the file being blocked or not?

it is assumed that if the md5 of the file matches one in the blacklist, it will not allow the download, and it is allowing it.

It could be a timing issue. To calculate the MD5 it needs to see the whole file and by that time the file has already been transferred i guess. Can you try another way of blocking - via a filename or similar , just to confirm the functionality as a test?

You’re right, with “filename” if it works, but what can I do then? Is that I need to use “filemd5 or filesha256”.

Can you record a pcap of the transfor on the client and share it here? When trying to drop on the hash, not the filename/ext.

Here is all the information of the complete process, along with the recording of the pcap.

file: /etc/suricata/rules/custom.rules

alert http any any -> any any (msg:"File stored: EXE"; fileext:"exe"; filestore; sid:1; rev:1;)
drop http any any -> any any (msg:"Malicious file detected"; filesha256:/etc/suricata/blacklist.sha-2; sid:2; rev:2;)

file: /etc/suricata/blacklist.sha-2 (sha256 of the Malwares)

cac5f74a1e146d6de26845e3e03732c01167e4bbb4333e76889b538c9bd30362
537aea248165d3e82e48c4808b92e048bd1593ecbcb99d661c3c776204cd96a2
be331893e44dcad93536b7b5cd3104abc9174ab66086ea5ad8bd4b2618222780
3f6a4dffd4fd653b53b621349d5167d3cfa3cad926c166e7e24b88d3c9a06acf
abe7c7b40883a7b59e6493d0f9a9b4b85035f22ee6195da2b188c2072279634f

Screenshot of the entire process:

Fragment of the recording of the pcap, becaue complete exceeds the limit of characters established:

	unknown@PC:~$ sudo tcpdump -i enp8s0 -XX host 192.168.1.210
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on enp8s0, link-type EN10MB (Ethernet), capture size 262144 bytes
23:36:19.681560 IP PC.35406 > 192.168.1.210.http: Flags [S], seq 1094215583, win 64240, options [mss 1460,sackOK,TS val 770946128 ecr 0,nop,wscale 7], length 0
	0x0000:  001a 92fb 25e9 8cdc d4b9 094c 0800 4500  ....%......L..E.
	0x0010:  003c ffd3 4000 4006 b661 c0a8 0164 c0a8  .<..@.@..a...d..
	0x0020:  01d2 8a4e 0050 4138 679f 0000 0000 a002  ...N.PA8g.......
	0x0030:  faf0 b2ce 0000 0204 05b4 0402 080a 2df3  ..............-.
	0x0040:  b450 0000 0000 0103 0307                 .P........
23:36:19.681880 ARP, Request who-has PC tell 192.168.1.210, length 46
	0x0000:  ffff ffff ffff 001a 92fb 25e9 0806 0001  ..........%.....
	0x0010:  0800 0604 0001 001a 92fb 25e9 c0a8 01d2  ..........%.....
	0x0020:  0000 0000 0000 c0a8 0164 0000 0000 0000  .........d......
	0x0030:  0000 0000 0000 0000 0000 0000            ............
23:36:19.681894 ARP, Reply PC is-at 8c:dc:d4:b9:09:4c (oui Unknown), length 28
	0x0000:  001a 92fb 25e9 8cdc d4b9 094c 0806 0001  ....%......L....
	0x0010:  0800 0604 0002 8cdc d4b9 094c c0a8 0164  ...........L...d
	0x0020:  001a 92fb 25e9 c0a8 01d2                 ....%.....
23:36:19.681984 IP 192.168.1.210.http > PC.35406: Flags [S.], seq 1287324572, ack 1094215584, win 8192, options [mss 1460,nop,wscale 8,sackOK,TS val 211046244 ecr 770946128], length 0
	0x0000:  8cdc d4b9 094c 001a 92fb 25e9 0800 4500  .....L....%...E.
	0x0010:  003c 5bd8 4000 8006 1a5d c0a8 01d2 c0a8  .<[.@....]......
	0x0020:  0164 0050 8a4e 4cbb 039c 4138 67a0 a012  .d.P.NL...A8g...
	0x0030:  2000 e15d 0000 0204 05b4 0103 0308 0402  ...]............
	0x0040:  080a 0c94 4f64 2df3 b450                 ....Od-..P
23:36:19.682445 IP PC.35406 > 192.168.1.210.http: Flags [.], ack 1, win 502, options [nop,nop,TS val 770946129 ecr 211046244], length 0
	0x0000:  001a 92fb 25e9 8cdc d4b9 094c 0800 4500  ....%......L..E.
	0x0010:  0034 ffd4 4000 4006 b668 c0a8 0164 c0a8  .4..@.@..h...d..
	0x0020:  01d2 8a4e 0050 4138 67a0 4cbb 039d 8010  ...N.PA8g.L.....
	0x0030:  01f6 2e34 0000 0101 080a 2df3 b451 0c94  ...4......-..Q..
	0x0040:  4f64                                     Od
23:36:19.682599 IP PC.35406 > 192.168.1.210.http: Flags [P.], seq 1:425, ack 1, win 502, options [nop,nop,TS val 770946129 ecr 211046244], length 424: HTTP: GET /db/Malwares/Malware%201.exe HTTP/1.1
	0x0000:  001a 92fb 25e9 8cdc d4b9 094c 0800 4500  ....%......L..E.
	0x0010:  01dc ffd5 4000 4006 b4bf c0a8 0164 c0a8  ....@.@......d..
	0x0020:  01d2 8a4e 0050 4138 67a0 4cbb 039d 8018  ...N.PA8g.L.....
	0x0030:  01f6 a0dd 0000 0101 080a 2df3 b451 0c94  ..........-..Q..
	0x0040:  4f64 4745 5420 2f64 622f 4d61 6c77 6172  OdGET./db/Malwar
	0x0050:  6573 2f4d 616c 7761 7265 2532 3031 2e65  es/Malware%201.e
	0x0060:  7865 2048 5454 502f 312e 310d 0a48 6f73  xe.HTTP/1.1..Hos
	0x0070:  743a 2031 3932 2e31 3638 2e31 2e32 3130  t:.192.168.1.210
	0x0080:  0d0a 5573 6572 2d41 6765 6e74 3a20 4d6f  ..User-Agent:.Mo
	0x0090:  7a69 6c6c 612f 352e 3020 2858 3131 3b20  zilla/5.0.(X11;.
	0x00a0:  5562 756e 7475 3b20 4c69 6e75 7820 7838  Ubuntu;.Linux.x8
	0x00b0:  365f 3634 3b20 7276 3a37 332e 3029 2047  6_64;.rv:73.0).G
	0x00c0:  6563 6b6f 2f32 3031 3030 3130 3120 4669  ecko/20100101.Fi
	0x00d0:  7265 666f 782f 3733 2e30 0d0a 4163 6365  refox/73.0..Acce
	0x00e0:  7074 3a20 7465 7874 2f68 746d 6c2c 6170  pt:.text/html,ap
	0x00f0:  706c 6963 6174 696f 6e2f 7868 746d 6c2b  plication/xhtml+
	0x0100:  786d 6c2c 6170 706c 6963 6174 696f 6e2f  xml,application/
	0x0110:  786d 6c3b 713d 302e 392c 696d 6167 652f  xml;q=0.9,image/
	0x0120:  7765 6270 2c2a 2f2a 3b71 3d30 2e38 0d0a  webp,*/*;q=0.8..
	0x0130:  4163 6365 7074 2d4c 616e 6775 6167 653a  Accept-Language:
	0x0140:  2065 732d 4553 2c65 733b 713d 302e 382c  .es-ES,es;q=0.8,
	0x0150:  656e 2d55 533b 713d 302e 352c 656e 3b71  en-US;q=0.5,en;q
	0x0160:  3d30 2e33 0d0a 4163 6365 7074 2d45 6e63  =0.3..Accept-Enc
	0x0170:  6f64 696e 673a 2067 7a69 702c 2064 6566  oding:.gzip,.def
	0x0180:  6c61 7465 0d0a 436f 6e6e 6563 7469 6f6e  late..Connection
	0x0190:  3a20 6b65 6570 2d61 6c69 7665 0d0a 5265  :.keep-alive..Re
	0x01a0:  6665 7265 723a 2068 7474 703a 2f2f 3139  ferer:.http://19
	0x01b0:  322e 3136 382e 312e 3231 302f 6462 2f4d  2.168.1.210/db/M
	0x01c0:  616c 7761 7265 732f 0d0a 5570 6772 6164  alwares/..Upgrad
	0x01d0:  652d 496e 7365 6375 7265 2d52 6571 7565  e-Insecure-Reque
	0x01e0:  7374 733a 2031 0d0a 0d0a                 sts:.1....
23:36:19.686527 IP 192.168.1.210.http > PC.35406: Flags [.], seq 1:1449, ack 425, win 260, options [nop,nop,TS val 211046244 ecr 770946129], length 1448: HTTP: HTTP/1.1 200 OK
	0x0000:  8cdc d4b9 094c 001a 92fb 25e9 0800 4500  .....L....%...E.
	0x0010:  05dc 5bd9 4000 8006 14bc c0a8 01d2 c0a8  ..[.@...........
	0x0020:  0164 0050 8a4e 4cbb 039d 4138 6948 8010  .d.P.NL...A8iH..
	0x0030:  0104 c931 0000 0101 080a 0c94 4f64 2df3  ...1........Od-.
	0x0040:  b451 4854 5450 2f31 2e31 2032 3030 204f  .QHTTP/1.1.200.O
	0x0050:  4b0d 0a44 6174 653a 2053 756e 2c20 3232  K..Date:.Sun,.22
	0x0060:  204d 6172 2032 3032 3020 3231 3a35 313a  .Mar.2020.21:51:
	0x0070:  3534 2047 4d54 0d0a 5365 7276 6572 3a20  54.GMT..Server:.
	0x0080:  4170 6163 6865 2f32 2e34 2e31 3220 2857  Apache/2.4.12.(W
	0x0090:  696e 3332 2920 4f70 656e 5353 4c2f 312e  in32).OpenSSL/1.
	0x00a0:  302e 316c 2050 4850 2f35 2e36 2e38 0d0a  0.1l.PHP/5.6.8..
	0x00b0:  4c61 7374 2d4d 6f64 6966 6965 643a 2054  Last-Modified:.T
	0x00c0:  7565 2c20 3330 2041 7072 2032 3030 3220  ue,.30.Apr.2002.
	0x00d0:  3233 3a35 333a 3234 2047 4d54 0d0a 4554  23:53:24.GMT..ET
	0x00e0:  6167 3a20 2263 3030 3030 2d33 3966 6530  ag:."c0000-39fe0
	0x00f0:  3536 3931 3835 3030 220d 0a41 6363 6570  56918500"..Accep
	0x0100:  742d 5261 6e67 6573 3a20 6279 7465 730d  t-Ranges:.bytes.
	0x0110:  0a43 6f6e 7465 6e74 2d4c 656e 6774 683a  .Content-Length:
	0x0120:  2037 3836 3433 320d 0a4b 6565 702d 416c  .786432..Keep-Al
	0x0130:  6976 653a 2074 696d 656f 7574 3d35 2c20  ive:.timeout=5,.
	0x0140:  6d61 783d 3130 300d 0a43 6f6e 6e65 6374  max=100..Connect
	0x0150:  696f 6e3a 204b 6565 702d 416c 6976 650d  ion:.Keep-Alive.
	0x0160:  0a43 6f6e 7465 6e74 2d54 7970 653a 2061  .Content-Type:.a
	0x0170:  7070 6c69 6361 7469 6f6e 2f78 2d6d 7364  pplication/x-msd
	0x0180:  6f77 6e6c 6f61 640d 0a0d 0a4d 5a50 0002  ownload....MZP..
	0x0190:  0000 0004 000f 00ff ff00 00b8 0000 0000  ................
	0x01a0:  0000 0040 001a 0000 0000 0000 0000 0000  ...@............
	0x01b0:  0000 0000 0000 0000 0000 0000 0000 0000  ................
	0x01c0:  0000 0000 0000 0000 0200 00ba 1000 0e1f  ................
	0x01d0:  b409 cd21 b801 4ccd 2190 9054 6869 7320  ...!..L.!..This.
	0x01e0:  7072 6f67 7261 6d20 6d75 7374 2062 6520  program.must.be.
	0x01f0:  7275 6e20 756e 6465 7220 5769 6e33 320d  run.under.Win32.
	0x0200:  0a24 3700 0000 0000 0000 0000 0000 0000  .$7.............
	0x0210:  0000 0000 0000 0000 0000 0000 0000 0000  ................
	0x0220:  0000 0000 0000 0000 0000 0000 0000 0000  ................
	0x0230:  0000 0000 0000 0000 0000 0000 0000 0000  ................
	0x0240:  0000 0000 0000 0000 0000 0000 0000 0000  ................
	0x0250:  0000 0000 0000 0000 0000 0000 0000 0000  ................
	0x0260:  0000 0000 0000 0000 0000 0000 0000 0000  ................
	0x0270:  0000 0000 0000 0000 0000 0000 0000 0000  ................
	0x0280:  0000 0000 0000 0000 0000 0000 0000 0000  ................
	0x0290:  0000 0000 0000 0000 0000 0000 0000 0000  ................
	0x02a0:  0000 0000 0000 0000 0000 0000 0000 0000  ................
	0x02b0:  0000 0000 0000 0000 0000 0000 0000 0000  ................
	0x02c0:  0000 0000 0000 0000 0000 0000 0000 0000  ................
	0x02d0:  0000 0000 0000 0000 0000 0000 0000 0000  ................
	0x02e0:  0000 0000 0000 0000 0000 0000 0000 0000  ................
	0x02f0:  0000 0000 0000 0000 0000 0000 0000 0000  ................
	0x0300:  0000 0000 0000 0000 0000 0000 0000 0000  ................
	0x0310:  0000 0000 0000 0000 0000 0000 0000 0000  ................
	0x0320:  0000 0000 0000 0000 0000 0000 0000 0000  ................
	0x0330:  0000 0000 0000 0000 0000 0000 0000 0000  ................
	0x0340:  0000 0000 0000 0000 0000 0000 0000 0000  ................
	0x0350:  0000 0000 0000 0000 0000 0000 0000 0000  ................
	0x0360:  0000 0000 0000 0000 0000 0000 0000 0000  ................
	0x0370:  0000 0000 0000 0000 0000 0000 0000 0000  ................
	0x0380:  0000 0000 0000 0000 0000 0050 4500 004c  ...........PE..L
	0x0390:  0108 00e5 50cd 3b00 0000 0000 0000 00e0  ....P.;.........
	0x03a0:  000e 010b 0105 0000 0006 0000 9000 0000  ................
	0x03b0:  0000 00fc 1200 0000 1000 0000 1006 0000  ................
	0x03c0:  0040 0000 1000 0000 0200 0004 0000 0000  .@..............
	0x03d0:  0000 0004 0000 0000 0000 0000 c00d 0000  ................
	0x03e0:  0600 0000 0000 0002 0000 0000 0010 0000  ................
	0x03f0:  2000 0000 0010 0000 1000 0000 0000 0010  ................
	0x0400:  0000 0000 f006 00b5 0000 0000 c006 00b3  ................
	0x0410:  2100 0000 0007 0000 2605 0000 0000 0000  !.......&.......
	0x0420:  0000 0000 0000 0000 0000 0000 0000 0000  ................
	0x0430:  0000 0000 0000 0000 0000 0000 0000 0000  ................
	0x0440:  0000 0000 0000 0000 0000 0000 b006 0018  ................
	0x0450:  0000 0000 0000 0000 0000 0000 0000 0000  ................
	0x0460:  0000 0000 0000 0000 0000 0000 0000 0000  ................
	0x0470:  0000 0000 0000 0000 0000 0000 0000 0000  ................
	0x0480:  0000 002e 7465 7874 0000 0000 0006 0000  ....text........
	0x0490:  1000 0000 f405 0000 0600 0000 0000 0000  ................
	0x04a0:  0000 0000 0000 0020 0000 e02e 6461 7461  ............data
	0x04b0:  0000 0000 9000 0000 1006 0000 4800 0000  ............H...
	0x04c0:  fa05 0000 0000 0000 0000 0000 0000 0040  ...............@
	0x04d0:  0000 c02e 746c 7300 0000 0000 1000 0000  ....tls.........
	0x04e0:  a006 0000 0200 0000 4206 0000 0000 0000  ........B.......
	0x04f0:  0000 0000 0000 0040 0000 c02e 7264 6174  .......@....rdat
	0x0500:  6100 0000 1000 0000 b006 0000 0200 0000  a...............
	0x0510:  4406 0000 0000 0000 0000 0000 0000 0040  D..............@
	0x0520:  0000 502e 6964 6174 6100 0000 3000 0000  ..P.idata...0...
	0x0530:  c006 0000 2200 0000 4606 0000 0000 0000  ...."...F.......
	0x0540:  0000 0000 0000 0040 0000 c02e 6564 6174  .......@....edat
	0x0550:  6100 0000 1000 0000 f006 0000 0200 0000  a...............
	0x0560:  6806 0000 0000 0000 0000 0000 0000 0040  h..............@
	0x0570:  0000 402e 7273 7263 0000 0000 3005 0000  ..@.rsrc....0...
	0x0580:  0007 0000 2605 0000 6a06 0000 0000 0000  ....&...j.......
	0x0590:  0000 0000 0000 0040 0000 402e 7265 6c6f  .......@..@.relo
	0x05a0:  6300 0000 9001 0000 300c 0000 7000 0000  c.......0...p...
	0x05b0:  900b 0000 0000 0000 0000 0000 002e 0060  ...............`
	0x05c0:  0000 f070 706e 6b63 6866 0000 1000 0000  ...ppnkchf......
	0x05d0:  100d 0000 0000 0000 6c0c 0000 0000 0000  ........l.......
	0x05e0:  0000 0000 0000 0000 0000                 ..........
23:36:19.686689 IP 192.168.1.210.http > PC.35406: Flags [.], seq 1449:2897, ack 425, win 260, options [nop,nop,TS val 211046244 ecr 770946129], length 1448: HTTP
	0x0000:  8cdc d4b9 094c 001a 92fb 25e9 0800 4500  .....L....%...E.
	0x0010:  05dc 5bda 4000 8006 14bb c0a8 01d2 c0a8  ..[.@...........
	0x0020:  0164 0050 8a4e 4cbb 0945 4138 6948 8010  .d.P.NL..EA8iH..
	0x0030:  0104 7084 0000 0101 080a 0c94 4f64 2df3  ..p.........Od-.
	0x0040:  b451 c000 0000 0000 0000 0000 0000 0000  .Q..............
	0x0050:  0000 0000 0000 0000 0000 0000 0000 0000  ................
	0x0060:  0000 0000 0000 0000 0000 0000 0000 0000  ................
	0x0070:  0000 0000 0000 0000 0000 0000 0000 0000  ................
	0x0080:  0000 0000 0000 0000 0000 0000 0000 0000  ................
	0x0090:  0000 0000 0000 0000 0000 0000 0000 0000  ................
	0x00a0:  0000 0000 0000 0000 0000 0000 0000 0000  ................
	0x00b0:  0000 0000 0000 0000 0000 0000 0000 0000  ................
	0x00c0:  0000 0000 0000 0000 0000 0000 0000 0000  ................
	0x00d0:  0000 0000 0000 0000 0000 0000 0000 0000  ................
	0x00e0:  0000 0000 0000 0000 0000 0000 0000 0000  ................
	0x00f0:  0000 0000 0000 0000 0000 0000 0000 0000  ................
	0x0100:  0000 0000 0000 0000 0000 0000 0000 0000  ................
	0x0110:  0000 0000 0000 0000 0000 0000 0000 0000  ................
	0x0120:  0000 0000 0000 0000 0000 0000 0000 0000  ................
	0x0130:  0000 0000 0000 0000 0000 0000 0000 0000  ................
	0x0140:  0000 0000 0000 0000 0000 0000 0000 0000  ................
	0x0150:  0000 0000 0000 0000 0000 0000 0000 0000  ................
	0x0160:  0000 0000 0000 0000 0000 0000 0000 0000  ................
	0x0170:  0000 0000 0000 0000 0000 0000 0000 0000  ................
	0x0180:  0000 0000 0000 0000 0000 0000 0000 0000  ................
	0x0190:  0000 0000 0000 0000 0000 0000 0000 0000  ................
	0x01a0:  0000 0000 0000 0000 0000 0000 0000 0000  ................
	0x01b0:  0000 0000 0000 0000 0000 0000 0000 0000  ................
	0x01c0:  0000 0000 0000 0000 0000 0000 0000 0000  ................
	0x01d0:  0000 0000 0000 0000 0000 0000 0000 0000  ................
	0x01e0:  0000 0000 006c 6045 0000 2078 6045 0000  .....l`E...x`E..
	0x01f0:  1cb0 f945 0000 205c 6545 0000 20e4 6745  ...E...\eE....gE
	0x0200:  0000 2087 7145 0000 002c 7845 0000 00c0  ....qE...,xE....
	0x0210:  7a45 0000 0538 8445 0000 0440 8245 0000  zE...8.E...@.E..
	0x0220:  0aa8 9145 0000 0ac0 9945 0000 0adc 9445  ...E.....E.....E
	0x0230:  0000 0aa0 9e45 0000 01ac a545 0000 039c  .....E.....E....
	0x0240:  aa45 0000 0218 b045 0000 0300 b245 0000  .E.....E.....E..
	0x0250:  0634 b745 0000 0104 b945 0000 01a8 ba45  .4.E.....E.....E
	0x0260:  0000 002c bc45 0000 0044 bc45 0000 20d5  ...,.E...D.E....
	0x0270:  e145 0000 1ffc f945 0000 1ee8 4642 0000  .E.....E....FB..
	0x0280:  1e78 1540 0000 1eb8 1241 0000 1e50 6941  .x.@.....A...PiA
	0x0290:  0000 1e40 1241 0000 1e7c 2440 0000 1e1c  ...@.A...|$@....
	0x02a0:  2d40 0000 1e60 3140 0000 1eb8 6541 0000  -@...`1@....eA..
	0x02b0:  1e24 6a41 0000 1eec f041 0000 1ee0 0d41  .$jA.....A.....A
	0x02c0:  0000 1eb8 ff40 0000 1efc 5d45 0000 1e60  .....@....]E...`
	0x02d0:  0e41 0000 1e18 1141 0000 1ef8 4140 0000  .A.....A....A@..
	0x02e0:  1ec8 5342 0000 1e24 2540 0000 1e18 0e41  ..SB...$%@.....A
	0x02f0:  0000 1e88 7143 0000 1e6c 5b45 0000 1e28  ....qC...l[E...(
	0x0300:  3140 0000 1e9c 6b42 0000 1eac 3040 0000  1@....kB....0@..
	0x0310:  1ee4 fe42 0000 1e5c 4d44 0000 1eb4 2440  ...B...\MD....$@
	0x0320:  0000 1e88 2240 0000 1e5c 2540 0000 1eec  ...."@...\%@....
	0x0330:  2440 0000 1e50 2240 0000 1e94 9a42 0000  $@...P"@.....B..
	0x0340:  1ee4 3040 0000 1eb0 5344 0000 1e94 5542  ..0@....SD....UB
	0x0350:  0000 1e6c 3040 0000 1edc 2c40 0000 1e54  ...l0@....,@...T
	0x0360:  2d40 0000 1e00 4a44 0000 1ea0 5a45 0000  -@....JD....ZE..
	0x0370:  1e24 7e42 0000 1e50 9a42 0000 1e00 2240  .$~B...P.B...."@
	0x0380:  0000 20b8 6045 0000 0000 6445 0000 1ff0  ....`E....dE....
	0x0390:  f945 0000 20d0 6545 0000 2020 6845 0000  .E....eE....hE..
	0x03a0:  012b 6e45 0000 20b2 7145 0000 00d8 7a45  .+nE....qE....zE
	0x03b0:  0000 0008 8545 0000 0324 ab45 0000 0250  .....E...$.E...P
	0x03c0:  b045 0000 0380 b045 0000 02bc ba45 0000  .E.....E.....E..
	0x03d0:  1e94 4642 0000 1e48 1540 0000 1e88 1241  ..FB...H.@.....A
	0x03e0:  0000 1e20 6941 0000 1e10 1241 0000 1e4c  ....iA.....A...L
	0x03f0:  2440 0000 1eec 2c40 0000 1e30 3140 0000  $@....,@...01@..
	0x0400:  1e38 6441 0000 1ef4 6941 0000 1e74 f041  .8dA....iA...t.A
	0x0410:  0000 1e90 0d41 0000 1e10 ff40 0000 1ecc  .....A.....@....
	0x0420:  5d45 0000 1e30 0e41 0000 1ee8 1041 0000  ]E...0.A.....A..
	0x0430:  1eb8 4140 0000 1e5c 5342 0000 1ef4 2440  ..A@...\SB....$@
	0x0440:  0000 1ee8 0d41 0000 1eb4 7043 0000 1e30  .....A....pC...0
	0x0450:  5b45 0000 1ef8 3040 0000 1e6c 6b42 0000  [E....0@...lkB..
	0x0460:  1e7c 3040 0000 1e74 fe42 0000 1e2c 4d44  .|0@...t.B...,MD
	0x0470:  0000 1e84 2440 0000 1e58 2240 0000 1e2c  ....$@...X"@...,
	0x0480:  2540 0000 1ebc 2440 0000 1e20 2240 0000  %@....$@...."@..
	0x0490:  1e58 9a42 0000 1eb4 3040 0000 1e54 5344  .X.B....0@...TSD
	0x04a0:  0000 1e64 5542 0000 1e3c 3040 0000 1eac  ...dUB...<0@....
	0x04b0:  2c40 0000 1e24 2d40 0000 1ea4 4944 0000  ,@...$-@....ID..
	0x04c0:  1e38 5a45 0000 1ef4 7d42 0000 1e20 9a42  .8ZE....}B.....B
	0x04d0:  0000 1e10 2240 0001 c300 9d05 00e4 02eb  ...."@..........
	0x04e0:  1066 623a 432b 2b48 4f4f 4b90 e998 1046  .fb:C++HOOK....F
	0x04f0:  00a1 8b10 4600 c1e0 02a3 8f10 4600 526a  ....F.......F.Rj
	0x0500:  00e8 97e8 0500 8bd0 e88e 5105 005a e8ec  ..........Q..Z..
	0x0510:  5005 00e8 c351 0500 6a00 e8c8 6505 0059  P....Q..j...e..Y
	0x0520:  6834 1046 006a 00e8 71e8 0500 a393 1046  h4.F.j..q......F
	0x0530:  006a 00e9 f3a3 0500 e9f6 6505 0033 c0a0  .j........e..3..
	0x0540:  7d10 4600 c3a1 9310 4600 c360 bb00 50b0  }.F.....F..`..P.
	0x0550:  bc53 68ad 0b00 00c3 b9b4 0000 000b c974  .Sh............t
	0x0560:  4d83 3d8b 1046 0000 730a b8fe 0000 00e8  M.=..F..s.......
	0x0570:  d7ff ffff b9b4 0000 0051 6a08 e82e e805  .........Qj.....
	0x0580:  0050 e89a e805 000b c075 0ab8 fd00 0000  .P.......u......
	0x0590:  e8b6 ffff ff50 50ff 358b 1046 00e8 bda5  .....PP.5..F....
	0x05a0:  0500 ff35 8b10 4600 e8c6 a505 005f c3b9  ...5..F......_..
	0x05b0:  b400 0000 0bc9 7419 e87a a505 00a3 8b10  ......t..z......
	0x05c0:  4600 83f8 0073 91b8 fc00 0000 e87a ffff  F....s.......z..
	0x05d0:  ffc3 833d 8b10 4600 0072 28ff 358b 1046  ...=..F..r(.5..F
	0x05e0:  00e8 69a5 0500 0bc0 7419                 ..i.....t.
23:36:19.691267 IP PC.35406 > 192.168.1.210.http: Flags [.], ack 1449, win 501, options [nop,nop,TS val 770946134 ecr 211046244], length 0
	0x0000:  001a 92fb 25e9 8cdc d4b9 094c 0800 4500  ....%......L..E.
	0x0010:  0034 ffd6 4000 4006 b666 c0a8 0164 c0a8  .4..@.@..f...d..
	0x0020:  01d2 8a4e 0050 4138 6948 4cbb 0945 8010  ...N.PA8iHL..E..
	0x0030:  01f5 26e0 0000 0101 080a 2df3 b456 0c94  ..&.......-..V..
	0x0040:  4f64                                     Od
23:36:19.691320 IP PC.35406 > 192.168.1.210.http: Flags [.], ack 2897, win 501, options [nop,nop,TS val 770946135 ecr 211046244], length 0
	0x0000:  001a 92fb 25e9 8cdc d4b9 094c 0800 4500  ....%......L..E.
	0x0010:  0034 ffd7 4000 4006 b665 c0a8 0164 c0a8  .4..@.@..e...d..
	0x0020:  01d2 8a4e 0050 4138 6948 4cbb 0eed 8010  ...N.PA8iHL.....
	0x0030:  01f5 2137 0000 0101 080a 2df3 b457 0c94  ..!7......-..W..
	0x0040:  4f64                                     Od
23:36:19.691779 IP 192.168.1.210.http > PC.35406: Flags [.], seq 2897:4345, ack 425, win 260, options [nop,nop,TS val 211046245 ecr 770946134], length 1448: HTTP
	0x0000:  8cdc d4b9 094c 001a 92fb 25e9 0800 4500  .....L....%...E.
	0x0010:  05dc 5bdb 4000 8006 14ba c0a8 01d2 c0a8  ..[.@...........
	0x0020:  0164 0050 8a4e 4cbb 0eed 4138 6948 8010  .d.P.NL...A8iH..
	0x0030:  0104 a5f1 0000 0101 080a 0c94 4f65 2df3  ............Oe-.
	0x0040:  b456 506a 08e8 bde7 0500 50e8 2fe8 0500  .VPj......P./...
	0x0050:  ff35 8b10 4600 e878 a505 00c3 c383 3d8b  .5..F..x......=.
	0x0060:  1046 0000 7210 e8bf ffff ffff 358b 1046  .F..r.......5..F
	0x0070:  00e8 21a5 0500 c3a1 8b10 4600 6467 8b16  ..!.......F.dg..
	0x0080:  2c00 8b04 82c3 90b8 a810 4600 e84a 2c02  ,.........F..J,.
	0x0090:  00c3 90b8 a810 4600 e84e 2c02 00a1 b810  ......F..N,.....
	0x00a0:  4600 3b05 ac10 4600 740a 85c0 7406 50e8  F.;...F.t...t.P.
	0x00b0:  e7e6 0500 c390 9055 8bec 8b45 108b 5508  .......U...E..U.
	0x00c0:  807d 0c00 7410 c605 9c57 4600 01c6 059d  .}..t....WF.....
	0x00d0:  5746 0001 eb15 8b0d 1456 4600 8811 8815  WF.......VF.....
	0x00e0:  9c57 4600 c605 9d57 4600 00a3 a857 4600  .WF....WF....WF.
	0x00f0:  a3ac 1046 0033 c0a3 b010 4600 33c0 a3b4  ...F.3....F.3...
	0x0100:  1046 00c6 059e 5746 0001 e878 ffff ff80  .F....WF...x....
	0x0110:  3d9c 5746 0000 7538 b87c 1440 00e8 f125  =.WF..u8.|.@...%
	0x0120:  0200 a3b0 1046 00b8 a410 4600 e8e2 2502  .....F....F...%.
	0x0130:  00a3 b410 4600 e878 e605 008b 1518 5646  ....F..x......VF
	0x0140:  0089 028a 4514 3401 8b15 2056 4600 8802  ....E.4....VF...
	0x0150:  5dc3 9053 568b 1d1c 5646 0080 3d9c 5746  ]..SV...VF..=.WF
	0x0160:  0000 7516 833b 0074 118b 1389 d033 d289  ..u..;.t.....3..
	0x0170:  138b f0ff d683 3b00 75ef e814 ffff ff5e  ......;.u......^
	0x0180:  5bc3 9055 8bec 33c0 5568 6d15 4000 64ff  [..U..3.Uhm.@.d.
	0x0190:  3064 8920 ff05 b057 4600 33c0 5a59 5964  0d.....WF.3.ZYYd
	0x01a0:  8910 6874 1540 00c3 e9ea 0a02 00eb f85d  ..ht.@.........]
	0x01b0:  c390 9083 2db0 5746 0001 c355 8bec 83c4  ....-.WF...U....
	0x01c0:  d053 5657 b82c 1146 00e8 d156 0500 66c7  .SVW.,.F...V..f.
	0x01d0:  45e0 0800 8b15 3c56 4600 8b02 e842 1f04  E.....<VF....B..
	0x01e0:  008b 153c 5646 008b 028b 0df4 5346 008b  ...<VF......SF..
	0x01f0:  1564 1246 00e8 411f 0400 a13c 5646 008b  .d.F..A....<VF..
	0x0200:  00e8 b51f 0400 66c7 45e0 0000 e983 0000  ......f.E.......
	0x0210:  008b 153c 5646 008b 028b 55f8 e892 2204  ...<VF....U...".
	0x0220:  00eb 6666 c745 e014 008d 4dd0 516a 006a  ..ff.E....M.Qj.j
	0x0230:  006a 006a 0168 d416 4000 6a00 66c7 45e0  .j.j.h..@.j.f.E.
	0x0240:  2000 bac4 1046 008d 45f4 e8e4 e205 00ff  .....F..E.......
	0x0250:  45ec 8b08 b201 a18c 1441 00e8 2332 0100  E........A..#2..
	0x0260:  5068 7016 4000 e8b9 b105 0083 c424 8b0d  Php.@........$..
	0x0270:  3c56 4600 8b01 8b55 fce8 3522 0400 66c7  <VF....U..5"..f.
	0x0280:  45e0 1c00 e8bc b305 0066 c745 e010 00e8  E........f.E....
	0x0290:  b1b3 0500 33c0 8b55 d064 8915 0000 0000  ....3..U.d......
	0x02a0:  5f5e 5b8b e55d c210 0090 900c 0000 0003  _^[..]..........
	0x02b0:  0030 0000 0000 00b7 0000 0044 0054 0000  .0.........D.T..
	0x02c0:  0000 0000 0000 0000 0000 0003 0000 0003  ................
	0x02d0:  0000 00f4 1740 0003 0058 0053 7973 7574  .....@...X.Sysut
	0x02e0:  696c 733a 3a45 7863 6570 7469 6f6e 0060  ils::Exception.`
	0x02f0:  1840 0000 0000 0003 0000 0000 0000 0000  .@..............
	0x0300:  0000 0060 1740 0004 0000 0000 0000 0055  ...`.@.........U
	0x0310:  8bec 83c4 dc8a 550c 8855 fc84 d27e 0b8b  ......U..U...~..
	0x0320:  4508 e8cc e305 0089 4508 b858 1146 00e8  E.......E..X.F..
	0x0330:  6b55 0500 ff75 106a 00ff 7508 e8aa 0000  kU...u.j..u.....
	0x0340:  0083 c40c ff45 f88b 5510 83c2 048b 4508  .....E..U.....E.
	0x0350:  83c0 04e8 13e2 0500 ff45 f88b 5510 8b4a  .........E..U..J
	0x0360:  088b 4508 8948 088b 4508 8b55 dc64 8915  ..E..H..E..U.d..
	0x0370:  0000 0000 807d 0c00 7405 e881 e305 008b  .....}..t.......
	0x0380:  e55d c304 0000 00a0 000c 0070 1640 0045  .].........p.@.E
	0x0390:  7863 6570 7469 6f6e 2026 0004 0000 0003  xception.&......
	0x03a0:  0030 00ff ffff ff03 0000 0044 0048 0000  .0.........D.H..
	0x03b0:  0000 0000 0000 0000 0000 0001 0000 0001  ................
	0x03c0:  0000 006c f945 0003 004c 0053 7973 7465  ...l.E...L.Syste
	0x03d0:  6d3a 3a41 6e73 6953 7472 696e 6700 0000  m::AnsiString...
	0x03e0:  0000 0000 0000 0000 0000 0055 8bec 83c4  ...........U....
	0x03f0:  dc8a 550c 8855 fc84 d27e 0b8b 4508 e8f0  ..U..U...~..E...
	0x0400:  e205 0089 4508 b860 1146 00e8 8f54 0500  ....E..`.F...T..
	0x0410:  8b45 088b 55dc 6489 1500 0000 0080 7d0c  .E..U.d.......}.
	0x0420:  0074 05e8 d8e2 0500 8be5 5dc3 9090 9055  .t........]....U
	0x0430:  8bec 83c4 d4e8 cee2 0500 8855 d789 45fc  ...........U..E.
	0x0440:  b878 1146 00e8 5554 0500 c745 f402 0000  .x.F..UT...E....
	0x0450:  0080 7dd7 007c 2666 c745 e808 00ff 4df4  ..}..|&f.E....M.
	0x0460:  8b45 fc83 c004 ba02 0000 00e8 37e1 0500  .E..........7...
	0x0470:  ff4d f433 d28b 45fc e8ae 0002 008b 4dd8  .M.3..E.......M.
	0x0480:  6489 0d00 0000 0080 7dd7 007e 088b 45fc  d.......}..~..E.
	0x0490:  e866 e205 008b e55d c390 9004 0000 0003  .f.....]........
	0x04a0:  0030 0000 0000 00b3 0000 0040 0044 0000  .0.........@.D..
	0x04b0:  0000 0000 0000 0000 0000 0001 0000 0001  ................
	0x04c0:  0000 00f0 1842 0003 0048 0053 7973 7465  .....B...H.Syste
	0x04d0:  6d3a 3a54 4f62 6a65 6374 0000 0000 0000  m::TObject......
	0x04e0:  0000 0000 0000 0004 0000 0090 000c 0070  ...............p
	0x04f0:  1640 0045 7863 6570 7469 6f6e 202a 0055  .@.Exception.*.U
	0x0500:  8bec 83c4 d088 55f8 84d2 7e05 e8e2 e105  ......U...~.....
	0x0510:  0089 4dd0 8855 d789 45fc b8a4 1146 00e8  ..M..U..E....F..
	0x0520:  7b53 0500 66c7 45e8 0800 8b4d d033 d28b  {S..f.E....M.3..
	0x0530:  45fc e820 0000 0083 45f4 108b 55d8 6489  E.......E...U.d.
	0x0540:  1500 0000 008b 45fc 807d d700 7405 e8ad  ......E..}..t...
	0x0550:  e105 008b e55d c355 8bec 83c4 d088 55f8  .....].U......U.
	0x0560:  84d2 7e05 e88a e105 0089 4dd0 8855 d789  ..~.......M..U..
	0x0570:  45fc b824 1246 00e8 2353 0500 66c7 45e8  E..$.F..#S..f.E.
	0x0580:  0800 8b4d d033 d28b 45fc e808 a603 0083  ...M.3..E.......
	0x0590:  45f4 0f8b 55d8 6489 1500 0000 008b 45fc  E...U.d.......E.
	0x05a0:  807d d700 7405 e855 e105 008b e55d c304  .}..t..U.....]..
	0x05b0:  0000 0090 000c 0014 1c40 0054 466f 726d  .........@.TForm
	0x05c0:  3120 2a00 9090 9055 8bec 81c4 74fe ffff  1.*....U....t...
	0x05d0:  8995 78fe ffff 8985 7cfe ffff b8e8 1146  ..x.....|......F
	0x05e0:  00e8 b952 0500 66c7 8590                 ...R..f...

Can you attach the pcap by using the ‘upload’ button? I just made a change to the Discourse setup to allow pcap/pcapng to be uploaded.

I can’t upload the pcap, this is the cause: “Sorry, new users can not upload attachments.”

Here I attach the pcap, thanks for the dedication and sorry for the inconvenience.
output.pcap (846.8 KB)

In a simulated run on the pcap (--simulate-ips), the output looks correct:

{"timestamp":"2020-03-24T16:40:21.952238+0000","flow_id":1903685063224532,"pcap_cnt":929,"event_type":"drop","src_ip":"192.168.1.210","src_port":80,"dest_ip":"192.168.1.100","dest_port":49860,"proto":"TCP","drop":{"len":549,"tos":0,"ttl":128,"ipid":26197,"tcpseq":3234872176,"tcpack":3241757370,"tcpwin":260,"syn":false,"ack":true,"psh":true,"rst":false,"urg":false,"fin":false,"tcpres":0,"tcpurgp":0},"tx_id":0,"alert":{"action":"blocked","gid":1,"signature_id":2,"rev":2,"signature":"Malicious file detected","category":"","severity":3}}
{"timestamp":"2020-03-24T16:40:21.954680+0000","flow_id":1903685063224532,"pcap_cnt":930,"event_type":"drop","src_ip":"192.168.1.100","src_port":49860,"dest_ip":"192.168.1.210","dest_port":80,"proto":"TCP","drop":{"len":52,"tos":0,"ttl":64,"ipid":48052,"tcpseq":3241757370,"tcpack":3234822944,"tcpwin":7005,"syn":false,"ack":true,"psh":false,"rst":false,"urg":false,"fin":false,"tcpres":0,"tcpurgp":0}}
{"timestamp":"2020-03-24T16:40:21.954696+0000","flow_id":1903685063224532,"pcap_cnt":931,"event_type":"drop","src_ip":"192.168.1.100","src_port":49860,"dest_ip":"192.168.1.210","dest_port":80,"proto":"TCP","drop":{"len":52,"tos":0,"ttl":64,"ipid":48053,"tcpseq":3241757370,"tcpack":3234824392,"tcpwin":7027,"syn":false,"ack":true,"psh":false,"rst":false,"urg":false,"fin":false,"tcpres":0,"tcpurgp":0}}
{"timestamp":"2020-03-24T16:40:21.954702+0000","flow_id":1903685063224532,"pcap_cnt":932,"event_type":"drop","src_ip":"192.168.1.100","src_port":49860,"dest_ip":"192.168.1.210","dest_port":80,"proto":"TCP","drop":{"len":52,"tos":0,"ttl":64,"ipid":48054,"tcpseq":3241757370,"tcpack":3234825840,"tcpwin":7050,"syn":false,"ack":true,"psh":false,"rst":false,"urg":false,"fin":false,"tcpres":0,"tcpurgp":0}}
{"timestamp":"2020-03-24T16:40:21.954708+0000","flow_id":1903685063224532,"pcap_cnt":933,"event_type":"drop","src_ip":"192.168.1.100","src_port":49860,"dest_ip":"192.168.1.210","dest_port":80,"proto":"TCP","drop":{"len":52,"tos":0,"ttl":64,"ipid":48055,"tcpseq":3241757370,"tcpack":3234827288,"tcpwin":7073,"syn":false,"ack":true,"psh":false,"rst":false,"urg":false,"fin":false,"tcpres":0,"tcpurgp":0}}
... (skipping the rest) ...

The first drop record is on packet 929, which is indeed the packet that completes the response body. It and then also all other packets from the flow generate a drop record, indicating that the packets should have been dropped.

Tested against master, master-5.0.x and 5.0.1 all giving the same result.

What this tells me is that the basic detection logic works as expected. Question now is why didn’t it drop in the live case…

I don’t know if it has something to do with that, but when the “Malicious file detected” output is displayed, the file was downloaded a few seconds earlier.

I have tried a larger file and noticed that almost finishing the download, the output “Malicious file detected” is displayed. Shouldn’t traffic on each packet stop until it is finished being scanned by the rules?

Suricata doesn’t buffer the file until it is complete. It inspects it packet by packet, and as long as no drop action happens the packets are forwarded.

For a solution with buffering an entire file I think a proxy server is better suited.

We’re still going to try to reproduce the issue btw. Might take a bit of time.

I just replaced Suricata 5.0.1 with 5.0.2 and it works !!! Although only with small files, otherwise it doesn’t even record the alert (example ok: 76K, example failed: 224K). Is there a way to solve this?

Good to hear there is some progress :slight_smile:

For the failing case, can you attach another pcap recorded at the client?