Hi all, I’m playing around with Suricata and have encountered a very strange issue.
I’m trying to analyse a .pcap offline using Suricata and rules from ET Open by Proofpoint (specifically emerging-attack_response.rules). For some reason the signature
alert ip any any -> any any (msg:"GPL ATTACK_RESPONSE id check returned root"; content:"uid=0|28|root|29|"; classtype:bad-unknown; sid:2100498; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
only triggers on the Ubuntu_Testmynids.org_Capture_Original.pcap (refer to the attached) and detects both the traffic from port 80 (HTTP) and port 443 (HTTPS; the traffic from port 443 has been decrypted via a program called sslproxy during the packet capture), like so:
07/15/2023-23:27:59.828858 [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 18.67.93.89:80 -> 192.168.1.15:49915
07/15/2023-23:28:08.823828 [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 18.67.93.89:443 -> 172.27.240.2:49916
However, when I analyse the UDR_Testmynids.org_Capture_Original.pcap (refer to the attached), Suricata only detects the signature coming from port 80 and not port 443 (which has also been decrypted via sslproxy during the packet capture), like so:
07/16/2023-11:32:58.257672 [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 18.67.93.71:80 -> 192.168.40.39:50166
When I open both captures (UDR_Testmynids.org_Capture_Original.pcap and Ubuntu_Testmynids.org_Capture_Original.pcap) in Wireshark (via the filter (http || tls)), I can see that the capture UDR_Testmynids.org_Capture_Original.pcap has the packet corresponding to the signature (packet number 75) and should raise an alert for port 443 as well; however, it doesn’t seem Suricata detected it.
I’m using Suricata 6.0.5 RELEASE on Ubuntu 22.04.2 LTS x86_64.
I’ve also attached the full suite of things that I used to look at the offline pcaps, including configurations as well as the pcaps I’m analysing.
To run the script:
Are these with the results of Ubuntu_Testmynids.org_Capture_Original.pcap?
If so, I did not have an issue detecting the signature with that file but rather with the file UDR_Testmynids.org_Capture_Original.pcap, where an entry from 18.67.93.89:443 -> 192.168.40.161:49808 is not detected; however, if you inspect this packet capture in Wireshark (packet 75), Suricata should detect this, but it doesn’t.
As for build-info:
This is Suricata version 6.0.5 RELEASE
Features: NFQ PCAP_SET_BUFF PF_RING AF_PACKET HAVE_PACKET_FANOUT LIBCAP_NG LIBNET1.1 HAVE_HTP_URI_NORMALIZE_HOOK PCRE_JIT HAVE_NSS HTTP2_DECOMPRESSION HAVE_LUA HAVE_LIBJANSSON PROFILING PROFILE_LOCKING TLS TLS_C11 MAGIC RUST
SIMD support: none
Atomic intrinsics: 1 2 4 8 byte(s)
64-bits, Little-endian architecture
GCC version 11.3.0, C version 201112
compiled with _FORTIFY_SOURCE=2
L1 cache line size (CLS)=64
thread local storage method: _Thread_local
compiled with LibHTP v0.5.40, linked against LibHTP v0.5.40
Suricata Configuration:
AF_PACKET support: yes
eBPF support: no
XDP support: no
PF_RING support: yes
NFQueue support: yes
NFLOG support: yes
IPFW support: no
Netmap support: no
DAG enabled: no
Napatech enabled: no
WinDivert enabled: no
Unix socket enabled: yes
Detection enabled: yes
Libmagic support: yes
libnss support: yes
libnspr support: yes
libjansson support: yes
hiredis support: yes
hiredis async with libevent: yes
Prelude support: no
PCRE jit: yes
LUA support: yes
libluajit: no
GeoIP2 support: yes
Non-bundled htp: no
Hyperscan support: no
Libnet support: yes
liblz4 support: yes
HTTP2 decompression: yes
Rust support: yes
Rust strict mode: no
Rust compiler path: /usr/bin/rustc
Rust compiler version: rustc 1.65.0
Cargo path: /usr/bin/cargo
Cargo version: cargo 1.65.0
Cargo vendor: yes
Python support: yes
Python path: /usr/bin/python3
Python distutils yes
Python yaml yes
Install suricatactl: yes
Install suricatasc: yes
Install suricata-update: yes
Profiling enabled: yes
Profiling locks enabled: yes
Plugin support (experimental): yes
Development settings:
Coccinelle / spatch: no
Unit tests enabled: no
Debug output enabled: no
Debug validation enabled: no
Generic build parameters:
Installation prefix: /usr
Configuration directory: /usr/share/ubios-udapi-server/ips/config/suricata/
Log directory: /var/run/ips/log/suricata/
--prefix /usr
--sysconfdir /usr/share/ubios-udapi-server/ips/config
--localstatedir /var/run/ips
--datarootdir /usr/share
Host: x86_64-pc-linux-gnu
Compiler: gcc (exec name) / g++ (real)
GCC Protect enabled: no
GCC march native enabled: no
GCC Profile enabled: no
Position Independent Executable enabled: yes
CFLAGS -g -O2 -std=c11 -I${srcdir}/../rust/gen -I${srcdir}/../rust/dist
PCAP_CFLAGS -I/usr/include
SECCFLAGS
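As an added diagnostic for the question raised in both posts above (the rule's content string is present in the capture on port 443, yet only the port-80 hit alerts), here is a small stdlib-only Python checker that is not part of either post or of Suricata itself: it expands the |28| and |29| escapes of the rule's content into raw bytes and lists every Ethernet/IPv4/TCP frame in a classic pcap whose payload contains them, using Wireshark's frame numbering. The capture it runs on is constructed inline; the IPs and ports are borrowed from the alert lines above purely as sample values.

```python
import struct

def parse_content(content: str) -> bytes:  # expand the |hex| escapes in a content: string
    parts = content.split("|")  # odd-indexed pieces are the hex escapes
    return b"".join(p.encode() if i % 2 == 0 else bytes.fromhex(p) for i, p in enumerate(parts))

def iter_tcp(pcap: bytes):  # yields (frame_no, src, sport, dst, dport, payload) per IPv4/TCP frame
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if endian is None:
        raise ValueError("not a classic pcap file (pcapng is not handled)")
    off, frame_no = 24, 0  # skip the 24-byte global header
    while off + 16 <= len(pcap):
        incl_len = struct.unpack(endian + "I", pcap[off + 8:off + 12])[0]
        frame = pcap[off + 16:off + 16 + incl_len]
        off, frame_no = off + 16 + incl_len, frame_no + 1  # frame_no matches Wireshark's numbering
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue  # not IPv4 over Ethernet, or not TCP
        ihl, total = (frame[14] & 0x0F) * 4, struct.unpack("!H", frame[16:18])[0]
        tcp = frame[14 + ihl:14 + total]
        if len(tcp) < 20:
            continue
        sport, dport = struct.unpack("!HH", tcp[:4])
        src, dst = (".".join(map(str, frame[i:i + 4])) for i in (26, 30))
        yield frame_no, src, sport, dst, dport, tcp[(tcp[12] >> 4) * 4:]

def find_hits(pcap: bytes, content: str):  # -> [(frame_no, src, sport, dst, dport), ...]
    pat = parse_content(content)
    return [(n, s, sp, d, dp) for n, s, sp, d, dp, pl in iter_tcp(pcap) if pat in pl]

def build_frame(src, sport, dst, dport, payload):
    """Constructed Ethernet/IPv4/TCP frame for the sample below (checksums left zero)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split(".")))) + tcp
    return b"\x00" * 12 + b"\x08\x00" + ip

def build_pcap(frames):  # constructed little-endian pcap, linktype 1 (Ethernet)
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return hdr + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)

# Constructed sample: the string in a port-80 response and in a decrypted port-443 response.
SAMPLE = build_pcap([
    build_frame("18.67.93.89", 80, "192.168.1.15", 49915, b"HTTP/1.1 200 OK\r\n\r\nuid=0(root)\n"),
    build_frame("192.168.1.15", 49916, "18.67.93.89", 443, b"GET / HTTP/1.1\r\n\r\n"),
    build_frame("18.67.93.89", 443, "192.168.1.15", 49916, b"HTTP/1.1 200 OK\r\n\r\nuid=0(root)\n"),
])

if __name__ == "__main__":
    for hit in find_hits(SAMPLE, "uid=0|28|root|29|"):
        print("frame %d: %s:%d -> %s:%d" % hit)  # frames 1 and 3
```

A hit here only proves the bytes are in the capture; Suricata can still skip a segment whose TCP session it never tracked from the handshake, so the next thing to compare between the two pcaps is the stream state of the port-443 session rather than the payload.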