Suricata pass rule not working

Hi All,

We are currently running suricata 4.1.10 and have loaded 3 rule sets.
ruleset 1 → tls-events.rules
ruleset 2 → app-layer-events.rules
ruleset 3 → customer_exceptions.rules

in the custom exception rules, we have the following rule:
pass tcp $PROXY_SERVERS [1024:] <> any 443 (msg:"pass all traffic from proxy to https endpoints"; sid:9000018;)

in our suricata.yaml we have this address-group:
PROXY_SERVERS: "[10.9.48.0/22, 10.10.48.0/22, 10.11.48.0/22]"

but we are still getting alerts for:
src_ip 52.95.120.61
src_port 443
dest_ip 10.10.48.127
dest_port 43854
proto TCP
metadata
flowints :
Unknown macro: {‘applayer’}
alert
action : allowed
gid : 1
signature_id : 2260001
rev : 1
signature : SURICATA Applayer Wrong direction first Data
category : Generic Protocol Command Decode
severity : 3
app_proto failed
app_proto_ts tls

Is there any way to debug why our pass rule is not being used?

Hi,

first of all I would suggest to update to a supported version 5 or 6. In addition to that, try a dedicated pass rule for each direction, to see if those would work instead of the <> one.

The issue is that suricate 4 is still the latest release on the official centos repos

You can use those repos on CentOS: Guide: Suricata RPMs for CentOS and Fedora

We did a split of the rules and added tls rules:

pass tcp $PROXY_SERVERS [1024:] -> any 443 (msg:"pass all traffic from proxy to https endpoints"; sid:9000027; rev:1;)
pass tcp any 443 -> $PROXY_SERVERS [1024:] (msg:"pass return traffic from https endpoints t proxy"; sid:9000028; rev:1;)
pass tls $PROXY_SERVERS [1024:] -> any 443 (msg:"pass all traffic fro proxy to https endpoints"; sid:9000029; rev:1;)
pass tls any 443 -> $PROXY_SERVERS [1024:] (msg:"pass return traffic from https endpoints to proxy"; sid:9000030; rev:1;)

But still, this alert triggers:
{"timestamp":"2021-04-22T06:20:02.424616+0000","flow_id":704250444397769,"in_iface":"ens5","event_type":"alert","src_ip":"10.10.48.238","src_port":50586,"dest_ip":"176.32.109.195","dest_port":443,"proto":"TCP","metadata":{"flowints":{"applayer.anomaly.count":1}},"alert":{"action":"allowed","gid":1,"signature_id":2260001,"rev":1,"signature":"SURICATA Applayer Wrong direction first Data","category":"Generic Protocol Command Decode","severity":3},"app_proto":"failed","app_proto_tc":"tls","flow":{"pkts_toserver":3,"pkts_toclient":4,"bytes_toserver":174,"bytes_toclient":324,"start":"2021-04-22T06:20:02.408777+0000"}}

which is:

alert ip any any -> any any (msg:"SURICATA Applayer Wrong direction first Data"; flow:established; app-layer-event:applayer_wrong_direction_first_data; flowint:applayer.anomaly.count,+,1; classtype:protocol-command-decode; sid:2260001; rev:1;)

Any more ideas instead of “try to upgrade?”

Can you also post your suricata.yaml?
The action-order is not changed?

We could try to reproduce it.

# This file is managed by Puppet. DO NOT EDIT.

%YAML 1.1
---
vars:
  address-groups:
    HOME_NET: "[10.9.0.0/16, 10.10.0.0/16, 10.11.0.0/16, 10.12.0.0/16, 10.20.0.0/16]"
    PROXY_SERVERS: "[10.9.48.0/22, 10.10.48.0/22, 10.11.48.0/22]"
    AWS_LOCAL: "[169.254.169.254/32]"
    BITBUCKET_SERVERS: "[104.192.136.0/21, 185.166.140.0/22, 18.205.93.0/25, 18.234.32.128/25,
      13.52.5.0/25]"
    EXTERNAL_NET: "!$HOME_NET"
    HTTP_SERVERS: "$HOME_NET"
    SMTP_SERVERS: "$HOME_NET"
    SQL_SERVERS: "$HOME_NET"
    DNS_SERVERS: "$HOME_NET"
    TELNET_SERVERS: "$HOME_NET"
    AIM_SERVERS: "$EXTERNAL_NET"
    DNP3_SERVER: "$HOME_NET"
    DNP3_CLIENT: "$HOME_NET"
    ENIP_CLIENT: "$HOME_NET"
    ENIP_SERVER: "$HOME_NET"
  port-groups:
    HTTP_PORTS: '80'
    FTP_PORTS: '21'
    BITBUCKET_PORTS: '22'
    SPLUNK_PORTS: '9997'
    SHELLCODE_PORTS: "!80"
    ORACLE_PORTS: '1521,2484'
    SSH_PORTS: '22'
    DNP3_PORTS: '20000'
    MODBUS_PORTS: '502'
    FILE_DATA_PORTS: "[$HTTP_PORTS,22,110,143]"
    SERVER_PORTS: '21,22,23,80,443,8443,10443,8080,3128,3129'
default-rule-path: "/etc/suricata/rules"
rule-files:
- ocs.rules
- ocs_exceptions.rules
- tls-events.rules
- app-layer-events.rules
- http-events.rules
classification-file: "/etc/suricata/classification.config"
reference-config-file: "/etc/suricata/reference.config"
default-log-dir: "/var/log/suricata/"
max-pending-packets: 1024
default-packet-size: 9001
runmode: autofp
stats:
  enabled: false
  decoder-events-prefix: decoder.event
logging:
  default-log-level: notice
  default-output-filter:
outputs:
- console:
    enabled: false
- file:
    enabled: true
    level: info
    filename: "/var/log/suricata/suricata.log"
- fast:
    enabled: false
    filename: fast.log
    append: true
- eve-log:
    enabled: true
    filetype: regular
    filename: eve.json
    rotate-interval: 2h
    types:
    - alert:
        http: true
        tls: true
        ssh: true
        smtp: true
        dnp3: true
        tagged-packets: true
    - http:
        extended: true
    - dns:
        version: 1
        enabled: true
        query: true
        answer: true
    - tls:
        extended: true
    - files:
        force-magic: false
    - ssh
    - stats:
        totals: true
        threads: false
        deltas: false
        decoder-events-prefix: decoder.event
    - flow
- stats:
    enabled: false
    filename: stats.log
    totals: false
    threads: false
pcap:
- interface: eth0
pcap-file:
  checksum-checks: auto
app-layer:
  protocols:
    tls:
      enabled: true
      detection-ports:
        dp: 443
    dcerpc:
      enabled: detection-only
    ftp:
      enabled: detection-only
    ssh:
      enabled: true
    smtp:
      enabled: detection-only
    imap:
      enabled: detection-only
    msn:
      enabled: detection-only
    smb:
      enabled: detection-only
    enip:
      enabled: detection-only
    dnp3:
      enabled: detection-only
    dns:
      tcp:
        enabled: true
        detection-ports:
          dp: 53
      udp:
        enabled: true
        detection-ports:
          dp: 53
    http:
      enabled: true
      memcap: 32mb
      libhtp:
        default-config:
          personality: GENERIC
          request-body-limit: 100kb
          response-body-limit: 100kb
          request-body-minimal-inspect-size: 32kb
          request-body-inspect-window: 4kb
          response-body-minimal-inspect-size: 40kb
          response-body-inspect-window: 16kb
          response-body-decompress-layer-limit: 2
          http-body-inline: auto
          double-decode-path: false
          double-decode-query: false
asn1-max-frames: 256
coredump:
  max-dump: unlimited
host-mode: auto
unix-command:
  enabled: true
engine-analysis:
  rules-fast-pattern: true
  rules: true
pcre:
  match-limit: 3500
  match-limit-recursion: 1500
defrag:
  max-frags: 65535
  prealloc: false
  timeout: 60
flow:
  memcap: 33554432
  hash-size: 65536
  prealloc: false
  emergency-recovery: 30
  prune-flows: 5
vlan:
  use-for-tracking: true
flow-timeouts:
  default:
    new: 30
    established: 300
    closed: 0
    bypassed: 100
    emergency-new: 10
    emergency-established: 100
    emergency-closed: 0
    emergency-bypassed: 50
  tcp:
    new: 60
    established: 600
    closed: 60
    bypassed: 100
    emergency-new: 5
    emergency-established: 100
    emergency-closed: 10
    emergency-bypassed: 50
  udp:
    new: 30
    established: 300
    bypassed: 100
    emergency-new: 10
    emergency-established: 100
    emergency-bypassed: 50
  icmp:
    new: 30
    established: 300
    bypassed: 100
    emergency-new: 10
    emergency-established: 100
    emergency-bypassed: 50
host:
  hash-size: 4096
  prealloc: 100
  memcap: 32mb
detect:
  profile: medium
  custom-values:
    toclient-groups: 3
    toserver-groups: 25
  sgh-mpm-context: auto
  inspection-recursion-limit: 3000
  prefilter:
    default: mpm
  grouping:
  profiling:
    grouping:
      dump-to-disk: false
      include-rules: false
      include-mpm-stats: false
mpm-algo: auto
spm-algo: auto
threading:
  set-cpu-affinity: true
  cpu-affinity:
  - management-cpu-set:
      cpu:
      - 0
  - receive-cpu-set:
      cpu:
      - 0
  - worker-cpu-set:
      cpu:
      - all
      mode: balanced
  detect-thread-ratio: 1.5

There are some things you can try to narrow it down:

  1. change the pass to alert rules and see if they trigger at all

  2. If they do, change those back and add another alert that is not using app-layer-event but that should still trigger. For example the same rule as alert instead of pass with a different sid.

  3. Can you provide a pcap that reproduces that issue? that would make it easier to test and match your scenario

Hi,

we changed the rules to alerts and got a lot of them for sid 9000029 and 9000030, so they do work

Could it have something to do with this?

"app_proto":"failed"?

Since the events thats matches our rules have: "app_proto":"tls"

Still the TCP rules should ensure the pass works. Thus I would recommend to proceed with Step 2 and 3 from my last post.