Currently, I have 2 Suricata rules:
+) alert tcp any any -> any any (msg:"DCERPC rule"; flow:to_server,established; dce_iface:5d2b62aa-ee0a-4a95-91ae-b064fdb471fc; dce_opnum:1; dce_stub_data; content:"|42 77 4E 6F 64 65 49 50 2E 65 78 65 20|"; content:!"|00|"; within:100; distance:97; sid:1; rev:1;)
+) alert tcp any any -> any any (msg:"Conflict rule"; flow:to_client,established; file_data; content:"xmlns|3A|"; content:"DAV|3A|"; within:10; content:"|3A|response xmlns|3A|"; fast_pattern; content:"…"; within:200; content:"|3A|href>"; within:200; pcre:"/\x3ahref>[^<]*?\x2e\x2e[\x2f\x5c]/i"; sid:2; rev:1;)
Suricata version: 6.0.10, 6.0.14, 7.0.5
Operating system and/or Linux distribution: Debian 9, Debian 11
How you installed Suricata: build from source using commands:
+) bash scripts/bundle.sh
+) bash autogen.sh
+) configure
+) make
Then run Suricata using command:
+) ./src/suricata -c ./suricata.yaml -S ./local.rules -r /home/debian/test.pcap --runmode=single
The problem is: if ./local.rules only includes the DCERPC rule → Suricata triggers 1 alert as expected.
But when ./local.rules includes both rules, the DCERPC rule and the Conflict rule → no alert is triggered for the pcap file above.
One more piece of information: if I change the direction of the Conflict rule to to_server instead of to_client (replaying the pcap file with the DCERPC rule unchanged and the Conflict rule using flow:to_server,established;) → Suricata triggers the alert as expected.
Let me know if you need additional information. test.pcap (5.9 KB)
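To make the comparison described above repeatable, here is an added POSIX shell helper (not part of the original post or of Suricata itself) that runs the same pcap against two rule files and counts, per signature id, the alert lines written to fast.log. It assumes the binary, config and pcap paths quoted in the post (all overridable through environment variables), that fast.log is written to the log directory given with -l, and that fast.log alert lines carry the usual "[gid:sid:rev]" bracket, for example "[1:1:1]" for the DCERPC rule.

```shell
#!/bin/sh
# Added example: compare alert counts per sid across two rule files.
# Paths below are assumptions taken from the bug report; override via env.
SURICATA_BIN="${SURICATA_BIN:-./src/suricata}"
SURICATA_YAML="${SURICATA_YAML:-./suricata.yaml}"
PCAP="${PCAP:-/home/debian/test.pcap}"

# Count fast.log lines for one sid.  A fast.log alert line looks like:
#   05/14/2024-10:00:00.123456  [**] [1:1:1] DCERPC rule [**] ...
# where the bracket holds [gid:sid:rev]; the pattern anchors on gid 1.
# $1 = fast.log path, $2 = sid.  Prints 0 when the file is missing or
# nothing matched (grep -c exits 1 on zero matches, so mask that).
count_sid_alerts() {
    [ -f "$1" ] || { echo 0; return 0; }
    grep -c "\[1:$2:[0-9]*\]" "$1" || true
}

# Run Suricata once with the given rule file into a fresh log directory,
# then print the alert count for every sid listed after the rule file.
# $1 = rule file, $2.. = sids to report.
run_ruleset() {
    rules="$1"; shift
    logdir=$(mktemp -d)
    "$SURICATA_BIN" -c "$SURICATA_YAML" -S "$rules" -r "$PCAP" \
        --runmode=single -l "$logdir" >/dev/null 2>&1
    for sid in "$@"; do
        printf '%s  sid %s: %s alert(s)\n' "$rules" "$sid" \
            "$(count_sid_alerts "$logdir/fast.log" "$sid")"
    done
    rm -rf "$logdir"
}

# Usage: ./compare.sh --run dcerpc_only.rules both.rules
# (file names are placeholders; the first holds sid 1 alone, the second both rules)
if [ "${1:-}" = "--run" ]; then
    run_ruleset "$2" 1        # expected from the report: 1 alert for sid 1
    run_ruleset "$3" 1 2      # reported: 0 alerts once the Conflict rule is loaded
fi
```

Running the two rule files back to back with identical config and pcap isolates the rule set as the only variable, which is the evidence a maintainer will want alongside the pcap when triaging a suspected detection-engine interaction.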