Suricata cannot trigger alert when adding new rule

Currently, I have 2 Suricata rules:
+) alert tcp any any -> any any (msg:"DCERPC rule"; flow:to_server,established; dce_iface:5d2b62aa-ee0a-4a95-91ae-b064fdb471fc; dce_opnum:1; dce_stub_data; content:"|42 77 4E 6F 64 65 49 50 2E 65 78 65 20|"; content:!"|00|"; within:100; distance:97; sid:1; rev:1; )
+) alert tcp any any -> any any (msg:"Conflict rule"; flow:to_client,established; file_data; content:"xmlns|3A|"; content:"DAV|3A|"; within:10; content:"|3A|response xmlns|3A|"; fast_pattern; content:"..."; within:200; content:"|3A|href>"; within:200; pcre:"/\x3ahref>[^<]*?\x2e\x2e[\x2f\x5c]/i"; sid:2; rev:1; )

  • Suricata version: 6.0.10, 6.0.14, 7.0.5
  • Operating system and/or Linux distribution: Debian 9, Debian 11
  • How you installed Suricata (from source, packages, something else): compiled from source using the commands:
    +) bash scripts/bundle.sh
    +) bash autogen.sh
    +) ./configure
    +) make

Then run Suricata using the command:
+) ./src/suricata -c ./suricata.yaml -S ./local.rules -r /home/debian/test.pcap --runmode=single

The problem is: if ./local.rules only includes the DCERPC rule -> Suricata triggers 1 alert as expected.
But when ./local.rules includes 2 rules, the DCERPC rule and the Conflict rule -> no alert is triggered for the pcap file above.
One more piece of information: if I change the direction of the Conflict rule to to_server instead of to_client (replaying the pcap file with the DCERPC rule unchanged and the Conflict rule with flow:to_server,established;) -> Suricata triggers the alert as expected.
Let me know if you need additional information.
Attachment: test.pcap (5.9 KB)

Hi,

I can confirm this issue with 7.0.6, this could be a bug.

Both rules enabled:

alert tcp any any -> any any (msg:"DCERPC rule"; flow:to_server,established; dce_iface:5d2b62aa-ee0a-4a95-91ae-b064fdb471fc; dce_opnum:1; dce_stub_data; content:"|42 77 4E 6F 64 65 49 50 2E 65 78 65 20|"; content:!"|00|"; within:100; distance:97; sid:1; rev:1; )
alert tcp any any -> any any (msg:"Conflict rule"; flow:to_client,established; file_data; content:"xmlns|3A|"; content:"DAV|3A|"; within:10; content:"|3A|response xmlns|3A|"; fast_pattern; content:"..."; within:200; content:"|3A|href>"; within:200; pcre:"/\x3ahref>[^<]*?\x2e\x2e[\x2f\x5c]/i"; sid:2; rev:1; )

With your pcap, no alert.

Only the first one:

alert tcp any any -> any any (msg:"DCERPC rule"; flow:to_server,established; dce_iface:5d2b62aa-ee0a-4a95-91ae-b064fdb471fc; dce_opnum:1; dce_stub_data; content:"|42 77 4E 6F 64 65 49 50 2E 65 78 65 20|"; content:!"|00|"; within:100; distance:97; sid:1; rev:1; )

we have a result:

{"timestamp":"2024-05-16T10:29:18.983891+0200","flow_id":1699315118268283,"pcap_cnt":14,"event_type":"alert","src_ip":"20.20.22.93","src_port":52320,"dest_ip":"20.20.33.59","dest_port":4592,"proto":"TCP","pkt_src":"wire/pcap","tx_id":2,"alert":{"action":"allowed","gid":1,"signature_id":1,"rev":1,"signature":"DCERPC rule","category":"","severity":3},"app_proto":"dcerpc","direction":"to_server","flow":{"pkts_toserver":9,"pkts_toclient":5,"bytes_toserver":5207,"bytes_toclient":410,"start":"2024-05-16T10:29:18.133508+0200","src_ip":"20.20.22.93","dest_ip":"20.20.33.59","src_port":52320,"dest_port":4592}}

We would have to check this potential bug, we’ve seen such an issue before with some other test cases and fixed it.

Actually it’s the same as in Suricata protocol DCERPC cannot trigger alert when adding new rule - #3 by vjulien and the fix from Victor is working, I was able to check the working fix with your example here.
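The thread's reproduction is a differential test: run the same pcap against the isolated rule and against the combined rule file, then compare which signature_ids show up in eve.json. The script below, added here and not part of the thread or the Suricata project, automates that comparison so a rule that silently suppresses another (as sid:1 is suppressed by sid:2 above) is reported as a missing sid rather than noticed by eye. The embedded eve.json sample is a constructed trimmed-down copy of the alert record posted in the reply; `run_suricata` assumes a `suricata` binary on PATH, a suricata.yaml whose eve-log output is enabled, and the default `eve.json` file name in the log directory given with `-l`.

```python
"""Differential check of rule interaction on a pcap (added example)."""
import json
import subprocess
import tempfile
from pathlib import Path

# Constructed sample eve.json content: a trimmed copy of the alert record
# from the thread plus one non-alert event that must be ignored.
SAMPLE_EVE = """\
{"timestamp":"2024-05-16T10:29:18.983891+0200","pcap_cnt":14,"event_type":"alert","alert":{"signature_id":1,"rev":1,"signature":"DCERPC rule"},"app_proto":"dcerpc","direction":"to_server"}
{"timestamp":"2024-05-16T10:29:18.133508+0200","event_type":"flow","app_proto":"dcerpc"}
"""


def alert_sids(eve_text: str) -> set[int]:
    """Return the signature_ids of all 'alert' events in eve.json text."""
    sids: set[int] = set()
    for line in eve_text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        if rec.get("event_type") == "alert":
            sids.add(int(rec["alert"]["signature_id"]))
    return sids


def suppressed_sids(isolated: dict[str, set[int]], combined: set[int]) -> set[int]:
    """sids that fired when their rule file ran alone but not in the combined run.

    `isolated` maps a rule-set label to the sids seen with only that set loaded;
    `combined` is the sids seen with every set loaded together.
    """
    fired_alone: set[int] = set()
    for sids in isolated.values():
        fired_alone |= sids
    return fired_alone - combined


def run_suricata(pcap: Path, rules: Path, suricata: str = "suricata") -> set[int]:
    """Run Suricata in pcap mode with one rule file and return the sids that fired.

    Assumption: eve.json is written to the log directory passed with -l, as the
    default suricata.yaml does. Mirrors the command line used in the thread.
    """
    with tempfile.TemporaryDirectory() as logdir:
        subprocess.run(
            [suricata, "-S", str(rules), "-r", str(pcap), "-l", logdir,
             "--runmode=single"],
            check=True, capture_output=True,
        )
        eve = Path(logdir) / "eve.json"
        return alert_sids(eve.read_text()) if eve.exists() else set()


def differential_check(pcap: Path, rule_files: dict[str, Path],
                       suricata: str = "suricata") -> set[int]:
    """Run each rule file alone, then all together, and return suppressed sids."""
    isolated = {label: run_suricata(pcap, path, suricata)
                for label, path in rule_files.items()}
    with tempfile.NamedTemporaryFile("w", suffix=".rules", delete=False) as combined_file:
        for path in rule_files.values():
            combined_file.write(path.read_text().rstrip("\n") + "\n")
        combined_path = Path(combined_file.name)
    try:
        combined = run_suricata(pcap, combined_path, suricata)
    finally:
        combined_path.unlink(missing_ok=True)
    return suppressed_sids(isolated, combined)


if __name__ == "__main__":
    # Offline demonstration on the constructed sample: the isolated run saw
    # sid 1, the combined run saw nothing, so sid 1 is reported as suppressed.
    alone = {"dcerpc": alert_sids(SAMPLE_EVE), "conflict": set()}
    print("suppressed sids:", suppressed_sids(alone, set()))
    # Real use (hypothetical paths): differential_check(Path("test.pcap"),
    #   {"dcerpc": Path("dcerpc.rules"), "conflict": Path("conflict.rules")})
```

A non-empty result from `differential_check` is the signal to investigate (or to bisect the combined rule file further); an empty set means every rule that fires alone also fires in the full set.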
