Suricata not detecting some packets in a pcap

Hi all, I’m playing around with Suricata and have encountered a very strange issue.

I’m trying to analyse a .pcap offline using suricata and rules from ET open by proofpoint (specifically emerging-attack_response.rules). For some reason the signature alert ip any any -> any any (msg:"GPL ATTACK_RESPONSE id check returned root"; content:"uid=0|28|root|29|"; classtype:bad-unknown; sid:2100498; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;) only triggers on the Ubuntu_Testmynids.org_Capture_Original.pcap (refer to the attached) and detects both traffic from port 80 (http) and port 443 (Https, the traffic from port 443 has been decrypted via a program called sslproxy during the packet capture) like so:

07/15/2023-23:27:59.828858  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} ->
07/15/2023-23:28:08.823828  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} ->

However, when I analyse the UDR_Testmynids.org_Capture_Original.pcap (refer to the attached) Suricata only detects the signature coming from port 80 and not port 443 (which has also been decrypted via sslproxy during the packet capture) like so:

07/16/2023-11:32:58.257672 [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} ->

When I open both captures (UDR_Testmynids.org_Capture_Original.pcap and Ubuntu_Testmynids.org_Capture_Original.pcap) in wireshark (via the filter (http || tls)) I can see that the capture UDR_Testmynids.org_Capture_Original.pcap has the packet corresponding to the signature (packet number 75) and should raise an alert for port 443 as well however it doesn’t seem Suricata detected it.

I’m using Suricata 6.0.5 RELEASE on Ubuntu 22.04.2 LTS x86_64

I’ve also attached the full suite of things that I used to look at the offline pcaps including configurations as well as the PCAPS I’m analyzing
To run the script:

  • Extract the Suricata Analyse
  • cd "Suricata Analyse PCAP"
  • chmod +x
  • ./ <pcap path>

Packet (656.2 KB)
Suricata Analyse (37.3 KB)

With Suricata 7.0 I see those results with your pcaps and this signature:

07/15/2023-15:16:52.219542  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} ->
07/15/2023-15:27:59.828858  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} ->
07/15/2023-15:28:08.823828  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} ->

Same result with 6.0.13 and using vanilla suricata.yaml.

Can you post suricata --build-info and also try with a more recent version?

Are these with the results of Ubuntu_Testmynids.org_Capture_Original.pcap ?
If so i did not have an issue detecting the signature with that file but rather with the file UDR_Testmynids.org_Capture_Original.pcap where an entry from> is not detected however if you inspect this packet capture in wireshark (packet 75) suricata should detect this but it doesn’t.

As for build-info:

This is Suricata version 6.0.5 RELEASE
SIMD support: none
Atomic intrinsics: 1 2 4 8 byte(s)
64-bits, Little-endian architecture
GCC version 11.3.0, C version 201112
compiled with _FORTIFY_SOURCE=2
L1 cache line size (CLS)=64
thread local storage method: _Thread_local
compiled with LibHTP v0.5.40, linked against LibHTP v0.5.40

Suricata Configuration:
  AF_PACKET support:                       yes
  eBPF support:                            no
  XDP support:                             no
  PF_RING support:                         yes
  NFQueue support:                         yes
  NFLOG support:                           yes
  IPFW support:                            no
  Netmap support:                          no
  DAG enabled:                             no
  Napatech enabled:                        no
  WinDivert enabled:                       no

  Unix socket enabled:                     yes
  Detection enabled:                       yes

  Libmagic support:                        yes
  libnss support:                          yes
  libnspr support:                         yes
  libjansson support:                      yes
  hiredis support:                         yes
  hiredis async with libevent:             yes
  Prelude support:                         no
  PCRE jit:                                yes
  LUA support:                             yes
  libluajit:                               no
  GeoIP2 support:                          yes
  Non-bundled htp:                         no
  Hyperscan support:                       no
  Libnet support:                          yes
  liblz4 support:                          yes
  HTTP2 decompression:                     yes

  Rust support:                            yes
  Rust strict mode:                        no
  Rust compiler path:                      /usr/bin/rustc
  Rust compiler version:                   rustc 1.65.0
  Cargo path:                              /usr/bin/cargo
  Cargo version:                           cargo 1.65.0
  Cargo vendor:                            yes

  Python support:                          yes
  Python path:                             /usr/bin/python3
  Python distutils                         yes
  Python yaml                              yes
  Install suricatactl:                     yes
  Install suricatasc:                      yes
  Install suricata-update:                 yes

  Profiling enabled:                       yes
  Profiling locks enabled:                 yes

  Plugin support (experimental):           yes

Development settings:
  Coccinelle / spatch:                     no
  Unit tests enabled:                      no
  Debug output enabled:                    no
  Debug validation enabled:                no

Generic build parameters:
  Installation prefix:                     /usr
  Configuration directory:                 /usr/share/ubios-udapi-server/ips/config/suricata/
  Log directory:                           /var/run/ips/log/suricata/

  --prefix                                 /usr
  --sysconfdir                             /usr/share/ubios-udapi-server/ips/config
  --localstatedir                          /var/run/ips
  --datarootdir                            /usr/share

  Host:                                    x86_64-pc-linux-gnu
  Compiler:                                gcc (exec name) / g++ (real)
  GCC Protect enabled:                     no
  GCC march native enabled:                no
  GCC Profile enabled:                     no
  Position Independent Executable enabled: yes
  CFLAGS                                   -g -O2 -std=c11 -I${srcdir}/../rust/gen -I${srcdir}/../rust/dist
  PCAP_CFLAGS                               -I/usr/include

Hi @Naix !
Suricata 6.0.5 is quite old and may have had some issues that have since been fixed. 7.0.0 is out now. An upgrade is recommended.

1 Like

Thanks @sbhardwaj
The issue has been resolved in suricata 7.0.0 with a little caveat: needed to add this to the config to suricata.yaml:

      enabled: yes 
        dp: 443
      encryption-handling: full # Added this line

I will be preparing to upgrade all our sensors to this version in the upcoming days.

1 Like