Suricata pass rule not working

Hi All,

We are currently running suricata 4.1.10 and have loaded 3 rule sets.
ruleset 1 → tls-events.rules
ruleset 2 → app-layer-events.rules
ruleset 3 → customer_exceptions.rules

in the custom exception rules, we have the following rule:
pass tcp $PROXY_SERVERS [1024:] <> any 443 (msg:"pass all traffic from proxy to https endpoints"; sid:9000018;)

in our suricata.yaml we have this address-group:
PROXY_SERVERS: "[10.9.48.0/22, 10.10.48.0/22, 10.11.48.0/22]"

but we are still getting alerts for:
src_ip 52.95.120.61
src_port 443
dest_ip 10.10.48.127
dest_port 43854
proto TCP
metadata
flowints :
Unknown macro: {‘applayer’}
alert
action : allowed
gid : 1
signature_id : 2260001
rev : 1
signature : SURICATA Applayer Wrong direction first Data
category : Generic Protocol Command Decode
severity : 3
app_proto failed
app_proto_ts tls

Is there any way to debug why our pass rule is not being used?

Hi,

first of all I would suggest to update to a supported version 5 or 6. In addition to that, try a dedicated pass rule for each direction, to see if those would work instead of the <> one.

The issue is that suricate 4 is still the latest release on the official centos repos

You can use those repos on CentOS: Guide: Suricata RPMs for CentOS and Fedora

We did a split of the rules and added tls rules:

pass tcp $PROXY_SERVERS [1024:] -> any 443 (msg:"pass all traffic from proxy to https endpoints"; sid:9000027; rev:1;)
pass tcp any 443 -> $PROXY_SERVERS [1024:] (msg:"pass return traffic from https endpoints t proxy"; sid:9000028; rev:1;)
pass tls $PROXY_SERVERS [1024:] -> any 443 (msg:"pass all traffic fro proxy to https endpoints"; sid:9000029; rev:1;)
pass tls any 443 -> $PROXY_SERVERS [1024:] (msg:"pass return traffic from https endpoints to proxy"; sid:9000030; rev:1;)

But still, this alert triggers:
{"timestamp":"2021-04-22T06:20:02.424616+0000","flow_id":704250444397769,"in_iface":"ens5","event_type":"alert","src_ip":"10.10.48.238","src_port":50586,"dest_ip":"176.32.109.195","dest_port":443,"proto":"TCP","metadata":{"flowints":{"applayer.anomaly.count":1}},"alert":{"action":"allowed","gid":1,"signature_id":2260001,"rev":1,"signature":"SURICATA Applayer Wrong direction first Data","category":"Generic Protocol Command Decode","severity":3},"app_proto":"failed","app_proto_tc":"tls","flow":{"pkts_toserver":3,"pkts_toclient":4,"bytes_toserver":174,"bytes_toclient":324,"start":"2021-04-22T06:20:02.408777+0000"}}

which is:

alert ip any any -> any any (msg:"SURICATA Applayer Wrong direction first Data"; flow:established; app-layer-event:applayer_wrong_direction_first_data; flowint:applayer.anomaly.count,+,1; classtype:protocol-command-decode; sid:2260001; rev:1;)

Any more ideas instead of “try to upgrade?”

Can you also post your suricata.yaml?
The action-order is not changed?

We could try to reproduce it.

# This file is managed by Puppet. DO NOT EDIT.

%YAML 1.1
---
vars:
  address-groups:
    HOME_NET: "[10.9.0.0/16, 10.10.0.0/16, 10.11.0.0/16, 10.12.0.0/16, 10.20.0.0/16]"
    PROXY_SERVERS: "[10.9.48.0/22, 10.10.48.0/22, 10.11.48.0/22]"
    AWS_LOCAL: "[169.254.169.254/32]"
    BITBUCKET_SERVERS: "[104.192.136.0/21, 185.166.140.0/22, 18.205.93.0/25, 18.234.32.128/25,
      13.52.5.0/25]"
    EXTERNAL_NET: "!$HOME_NET"
    HTTP_SERVERS: "$HOME_NET"
    SMTP_SERVERS: "$HOME_NET"
    SQL_SERVERS: "$HOME_NET"
    DNS_SERVERS: "$HOME_NET"
    TELNET_SERVERS: "$HOME_NET"
    AIM_SERVERS: "$EXTERNAL_NET"
    DNP3_SERVER: "$HOME_NET"
    DNP3_CLIENT: "$HOME_NET"
    ENIP_CLIENT: "$HOME_NET"
    ENIP_SERVER: "$HOME_NET"
  port-groups:
    HTTP_PORTS: '80'
    FTP_PORTS: '21'
    BITBUCKET_PORTS: '22'
    SPLUNK_PORTS: '9997'
    SHELLCODE_PORTS: "!80"
    ORACLE_PORTS: '1521,2484'
    SSH_PORTS: '22'
    DNP3_PORTS: '20000'
    MODBUS_PORTS: '502'
    FILE_DATA_PORTS: "[$HTTP_PORTS,22,110,143]"
    SERVER_PORTS: '21,22,23,80,443,8443,10443,8080,3128,3129'
default-rule-path: "/etc/suricata/rules"
rule-files:
- ocs.rules
- ocs_exceptions.rules
- tls-events.rules
- app-layer-events.rules
- http-events.rules
classification-file: "/etc/suricata/classification.config"
reference-config-file: "/etc/suricata/reference.config"
default-log-dir: "/var/log/suricata/"
max-pending-packets: 1024
default-packet-size: 9001
runmode: autofp
stats:
  enabled: false
  decoder-events-prefix: decoder.event
logging:
  default-log-level: notice
  default-output-filter:
outputs:
- console:
    enabled: false
- file:
    enabled: true
    level: info
    filename: "/var/log/suricata/suricata.log"
- fast:
    enabled: false
    filename: fast.log
    append: true
- eve-log:
    enabled: true
    filetype: regular
    filename: eve.json
    rotate-interval: 2h
    types:
    - alert:
        http: true
        tls: true
        ssh: true
        smtp: true
        dnp3: true
        tagged-packets: true
    - http:
        extended: true
    - dns:
        version: 1
        enabled: true
        query: true
        answer: true
    - tls:
        extended: true
    - files:
        force-magic: false
    - ssh
    - stats:
        totals: true
        threads: false
        deltas: false
        decoder-events-prefix: decoder.event
    - flow
- stats:
    enabled: false
    filename: stats.log
    totals: false
    threads: false
pcap:
- interface: eth0
pcap-file:
  checksum-checks: auto
app-layer:
  protocols:
    tls:
      enabled: true
      detection-ports:
        dp: 443
    dcerpc:
      enabled: detection-only
    ftp:
      enabled: detection-only
    ssh:
      enabled: true
    smtp:
      enabled: detection-only
    imap:
      enabled: detection-only
    msn:
      enabled: detection-only
    smb:
      enabled: detection-only
    enip:
      enabled: detection-only
    dnp3:
      enabled: detection-only
    dns:
      tcp:
        enabled: true
        detection-ports:
          dp: 53
      udp:
        enabled: true
        detection-ports:
          dp: 53
    http:
      enabled: true
      memcap: 32mb
      libhtp:
        default-config:
          personality: GENERIC
          request-body-limit: 100kb
          response-body-limit: 100kb
          request-body-minimal-inspect-size: 32kb
          request-body-inspect-window: 4kb
          response-body-minimal-inspect-size: 40kb
          response-body-inspect-window: 16kb
          response-body-decompress-layer-limit: 2
          http-body-inline: auto
          double-decode-path: false
          double-decode-query: false
asn1-max-frames: 256
coredump:
  max-dump: unlimited
host-mode: auto
unix-command:
  enabled: true
engine-analysis:
  rules-fast-pattern: true
  rules: true
pcre:
  match-limit: 3500
  match-limit-recursion: 1500
defrag:
  max-frags: 65535
  prealloc: false
  timeout: 60
flow:
  memcap: 33554432
  hash-size: 65536
  prealloc: false
  emergency-recovery: 30
  prune-flows: 5
vlan:
  use-for-tracking: true
flow-timeouts:
  default:
    new: 30
    established: 300
    closed: 0
    bypassed: 100
    emergency-new: 10
    emergency-established: 100
    emergency-closed: 0
    emergency-bypassed: 50
  tcp:
    new: 60
    established: 600
    closed: 60
    bypassed: 100
    emergency-new: 5
    emergency-established: 100
    emergency-closed: 10
    emergency-bypassed: 50
  udp:
    new: 30
    established: 300
    bypassed: 100
    emergency-new: 10
    emergency-established: 100
    emergency-bypassed: 50
  icmp:
    new: 30
    established: 300
    bypassed: 100
    emergency-new: 10
    emergency-established: 100
    emergency-bypassed: 50
host:
  hash-size: 4096
  prealloc: 100
  memcap: 32mb
detect:
  profile: medium
  custom-values:
    toclient-groups: 3
    toserver-groups: 25
  sgh-mpm-context: auto
  inspection-recursion-limit: 3000
  prefilter:
    default: mpm
  grouping:
  profiling:
    grouping:
      dump-to-disk: false
      include-rules: false
      include-mpm-stats: false
mpm-algo: auto
spm-algo: auto
threading:
  set-cpu-affinity: true
  cpu-affinity:
  - management-cpu-set:
      cpu:
      - 0
  - receive-cpu-set:
      cpu:
      - 0
  - worker-cpu-set:
      cpu:
      - all
      mode: balanced
  detect-thread-ratio: 1.5

There are some things you can try to narrow it down:

1. change the pass to alert rules and see if they trigger at all

2. If they do, change those back and add another alert that is not using app-layer-event but that should still trigger. For example the same rule as alert instead of pass with a different sid.

3. Can you provide a pcap that reproduces that issue? that would make it easier to test and match your scenario

Hi,

we changed the rules to alerts and got a lot of them for sid 9000029 and 9000030, so they do work

Could it have something to do with this?

"app_proto":"failed"?

Since the events thats matches our rules have: "app_proto":"tls"

Still the TCP rules should ensure the pass works. Thus I would recommend to proceed with Step 2 and 3 from my last post.

Hi Andreas,

I’m very new to Suricata 6.0.4 with a fresh install on Ubuntu 20.04.
I’m trying to implement my first *pass**rule and I still get anomaly events in eve.json.

pass tcp any any <> 172.17.2.206 80 (msg:"SCCM Client to server traffic"; sid:900001; rev:1; )

{
  "timestamp": "2022-04-21T22:38:58.612379+0200",
  "flow_id": 1990772117390295,
  "pcap_cnt": 2796908,
  "event_type": "anomaly",
  "src_ip": "10.10.120.238",
  "src_port": 63571,
  "dest_ip": "172.17.2.206",
  "dest_port": 80,
  "proto": "TCP",
  "community_id": "1:mOlRIjhQoGnUr1b8BWjV0mHKkhM=",
  "anomaly": {
    "app_proto": "http",
    "type": "applayer",
    "event": "APPLAYER_DETECT_PROTOCOL_ONLY_ONE_DIRECTION",
    "layer": "proto_detect"
  }
}

As you suggested above, I replaced pass with alert and that works an generates alerts but still generates the anomaly events:

CleanShot 2022-04-21 at 22.54.34@2x1920×1140 252 KB

It looks like the anomaly detection rule generates the first event and then my custom alert rule the second event.

How does the rule processing work?
Shouldn’t the more specific rule (with a specified target IP for example) be the only match?
Sorry for my noob.questions

My Suricata config is pretty vanilla.

Any thoughts?

Many thanks and best regards from Munich, Flo.

Anomaly events are not alerts. They’re generated when something unexpected occurs. The Suricata configuration file suricata.yaml contains a description of what they are and when they’re generated.

Hey Jeff,
thanks for your answer.
Is there a way to prevent them to appear/suppress?

You can disable anomaly events in the Suricata configuration file – looks for the following snippet in your configuration file and set enabled: off

outputs:
  - eve-log:
     .
     .
     types:
       .
       .
       - anomaly:
           enabled: off

Thx Jeff,
but there is no way to suppress only specific anomaly events, right?
Only global…

Best regards, Flo.

There are 3 types of anomaly events: decode, stream, and applayer: 15.1.2. Eve JSON Format — Suricata 7.0.0-dev documentation

These are individually controlled by settings within the types section of the anomaly config settings.