Suricata 6.0.0 not logging the same alert as 4.1.4

jweeks · March 4, 2021, 9:54pm

I have a former installation of Suricata running 4.1.4, and running some test traffic, the following alert is hit several times:

alert tcp any any -> any !$SSH_PORTS (msg:"ET POLICY SSH Client Banner Detected on Unusual Port"; flowbits:isset,is_ssh_server_banner; flow: from_client,established; content:"SSH-"; offset: 0; depth: 4; byte_test:1,>,48,0,relative; byte_test:1,<,51,0,relative; byte_test:1,=,46,1,relative; flowbits: set,is_ssh_client_banner; reference:url,doc.emergingthreats.net/2001980; classtype:misc-activity; sid:2001980; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

Which I believe is dependent on either of these alerts to fire first (to set the flowbits):

alert tcp any $SSH_PORTS -> any any (msg:"ET POLICY SSH Server Banner Detected on Expected Port"; flow: from_server,established; content:"SSH-"; offset: 0; depth: 4; byte_test:1,>,48,0,relative; byte_test:1,<,51,0,relative; byte_test:1,=,46,1,relative; flowbits: set,is_ssh_server_banner; reference:url,doc.emergingthreats.net/2001973; classtype:misc-activity; sid:2001973; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
alert tcp any any -> any $SSH_PORTS (msg:"ET POLICY SSH Client Banner Detected on Expected Port"; flowbits:isset,is_ssh_server_banner; flow: from_client,established; content:"SSH-"; offset: 0; depth: 4; byte_test:1,>,48,0,relative; byte_test:1,<,51,0,relative; byte_test:1,=,46,1,relative; flowbits: set,is_ssh_client_banner; reference:url,doc.emergingthreats.net/2001974; classtype:misc-activity; sid:2001974; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
alert tcp any !$SSH_PORTS -> any any (msg:"ET POLICY SSH Server Banner Detected on Unusual Port"; flowbits:noalert; flow: from_server,established; content:"SSH-"; offset: 0; depth: 4; byte_test:1,>,48,0,relative; byte_test:1,<,51,0,relative; byte_test:1,=,46,1,relative; flowbits: set,is_ssh_server_banner; reference:url,doc.emergingthreats.net/2001979; classtype:misc-activity; sid:2001979; rev:7; metadata:created_at 2010_07_30, updated_at 2017_02_01;)

But on Suricata 6.0.0, with the same configuration and rules, this alert isn’t generated, and I’m not really sure what mechanisms I have to debug how/why Sur6 is different in this regard.

The relevant config:

- eve-log:
    enabled: true
    escape-slash: false
    filename: eve_file.json
    xff:
      deployment: reverse
      enabled: false
      header: X-Forwarded-For
      mode: extra-data
    types:
    - alert:
        metadata: false
        packet: true
        payload: true
        payload-printable: true
        tagged-packets: true

How would you recommend I debug this?

If I remove “noalert” from the predecessor alerts, I see that they do fire… but 2001980 only fires on Sur4.

I’m using a mix of generated traffic; I’ll see if I can reduce a capture down to the flow in question in the meantime.

Jeff_Lucovsky · March 5, 2021, 7:15pm

Hi Jeff,

Do you have a pcap that demonstrates the issue?

jweeks · March 8, 2021, 2:21pm

Unfortunately, no.
And the reason is a bit interesting.
I tried to tcpdump all port 22 traffic from the last capture which reproduces the issue, but that smaller set of SSH traffic does not reproduce the issue (the alert is logged as expected).
So something in the interaction with all the other traffic is causing it to not fire, it seems.

Andreas_Herz · March 8, 2021, 2:27pm

Can you share the stats.log?
It could be due to drops for example.

jweeks · March 8, 2021, 3:04pm

There aren’t any capture drops, but I guess there are some tcp*drop counters incremented.
However, I see those counters increment in the suricata4 stats, as well, yet the alert still fires.
In general, Suricata 6 has performed significantly better (less usage per CPU, and a better balanced load across all CPUs) so I didn’t think this was traffic-load-related.

Date: 3/8/2021 -- 14:50:08 (uptime: 0d, 00h 04m 41s)
------------------------------------------------------------------------------------
Counter                                       | TM Name                   | Value
------------------------------------------------------------------------------------
capture.kernel_packets                        | Total                     | 111449489
decoder.pkts                                  | Total                     | 111449489
decoder.bytes                                 | Total                     | 84948630214
decoder.ipv4                                  | Total                     | 111449489
decoder.ethernet                              | Total                     | 111449489
decoder.tcp                                   | Total                     | 95640139
decoder.udp                                   | Total                     | 15809350
decoder.avg_pkt_size                          | Total                     | 762
decoder.max_pkt_size                          | Total                     | 1514
flow.tcp                                      | Total                     | 1065946
flow.udp                                      | Total                     | 248451
flow.tcp_reuse                                | Total                     | 2884
flow.get_used                                 | Total                     | 549039
flow.get_used_eval                            | Total                     | 2502662
flow.get_used_eval_reject                     | Total                     | 1690725
flow.get_used_eval_busy                       | Total                     | 574
flow.get_used_failed                          | Total                     | 143315
flow.wrk.spare_sync_avg                       | Total                     | 98
flow.wrk.spare_sync                           | Total                     | 8962
flow.wrk.spare_sync_incomplete                | Total                     | 205
flow.wrk.spare_sync_empty                     | Total                     | 2923
flow.wrk.flows_evicted_needs_work             | Total                     | 108934
flow.wrk.flows_evicted_pkt_inject             | Total                     | 214657
flow.wrk.flows_evicted                        | Total                     | 174602
flow.wrk.flows_injected                       | Total                     | 5911
tcp.sessions                                  | Total                     | 335696
tcp.ssn_memcap_drop                           | Total                     | 24298117
tcp.syn                                       | Total                     | 1084687
tcp.synack                                    | Total                     | 1084687
tcp.midstream_pickups                         | Total                     | 171399
tcp.segment_memcap_drop                       | Total                     | 7399520
tcp.stream_depth_reached                      | Total                     | 8246
tcp.reassembly_gap                            | Total                     | 2320982
tcp.overlap                                   | Total                     | 154
tcp.insert_data_normal_fail                   | Total                     | 7380191
app_layer.flow.http                           | Total                     | 2413
app_layer.tx.http                             | Total                     | 5746
app_layer.flow.ftp                            | Total                     | 20
app_layer.tx.ftp                              | Total                     | 183
app_layer.flow.smtp                           | Total                     | 45
app_layer.tx.smtp                             | Total                     | 96
app_layer.flow.tls                            | Total                     | 79
app_layer.flow.ssh                            | Total                     | 614
app_layer.flow.smb                            | Total                     | 76
app_layer.tx.smb                              | Total                     | 680
app_layer.flow.failed_tcp                     | Total                     | 12375
app_layer.flow.dns_udp                        | Total                     | 164142
app_layer.tx.dns_udp                          | Total                     | 378498
app_layer.flow.failed_udp                     | Total                     | 84309
flow.mgr.full_hash_pass                       | Total                     | 536
flow.spare                                    | Total                     | 16100
flow.emerg_mode_entered                       | Total                     | 2
flow.emerg_mode_over                          | Total                     | 2
flow.mgr.rows_maxlen                          | Total                     | 21
flow.mgr.flows_checked                        | Total                     | 13366589
flow.mgr.flows_notimeout                      | Total                     | 13282213
flow.mgr.flows_timeout                        | Total                     | 84376
flow.mgr.flows_evicted                        | Total                     | 324304
flow.mgr.flows_evicted_needs_work             | Total                     | 5911
tcp.memuse                                    | Total                     | 33554264
tcp.reassembly_memuse                         | Total                     | 134217696
http.memuse                                   | Total                     | 2713584
ftp.memuse                                    | Total                     | 849
flow.memuse                                   | Total                     | 99802432

Andreas_Herz · May 26, 2021, 9:41pm

Out of curiosity could you try 5.0.6?

Topic		Replies	Views
Testing ssh related rules Rules rules	1	241	April 4, 2024
SSH alert direction Rules	7	1077	October 10, 2023
Suricata running on a test host detected few alerts while there was no traffic on listening port Help	1	1897	January 7, 2022
SSH rule not working Rules rules , suricata	15	1691	April 5, 2023
Rules for 2 public IPs? Rules	1	1104	July 17, 2020

Suricata 6.0.0 not logging the same alert as 4.1.4

Related topics