The isnotset flag for flowbits is not working

suricata version: Suricata 7.0.5
linux version: Ubuntu 20.04.5 LTS (Focal Fossa)

My rules are below

alert http any any -> $HOME_NET any (msg:"api接口-前置"; flow:established,to_server; content:".json"; http_uri; noalert; flowbits:set,300031_http; sid:1001; gid: 300031;)
alert http any any -> $HOME_NET any (msg:"api接口-前置"; flow:established,to_server; content:".xml"; http_uri; noalert; flowbits:set,300031_http; sid:1002; gid: 300031;)
alert http any any -> $HOME_NET any (msg:"api接口-前置"; flow:established,to_server; content:"HEAD"; http_method; noalert; flowbits:set,300031_http; sid:1003; gid: 300031;)
alert http $HOME_NET any -> any any (msg:"api接口"; flow:established,to_client; flowbits:isnotset,300031_http; pcre:"/Content-Type:(\s)*application\/\S*(xml|json)/iH"; http_content_len; byte_test:0,>,10,0,string,dec;  sid:1004; gid: 300031;)

In the generated eve.json, there is an http log for a URL ending in .json with gid 300031 and sid 1004:

{"timestamp":"2025-04-03T18:42:36.810211+0800","flow_id":952653451122407,"in_iface":"zwvir0","event_type":"alert","vlan":[3],"src_ip":"115.159.253.216","src_port":80,"dest_ip":"39.145.32.217","dest_port":60968,"proto":"TCP","pkt_src":"wire/pcap","metadata":{"flowbits":["300031_http"]},"tx_id":0,"alert":{"action":"allowed","gid":300031,"signature_id":1004,"rev":0,"signature":"api接口","category":"","severity":3},"http":{"hostname":"newztmobile-xcxdownload.aa.com.cn","url":"/newzt/web/super.json","http_user_agent":"Mozilla/5.0 (Linux; Android 10; JSC-AL50 Build/HUAWEIJSC-AL50; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/130.0.6723.103 Mobile Safari/537.36 XWEB/1300493 MMWEBSDK/20250201 MMWEBID/4600 MicroMessenger/8.0.57.2820(0x2800393A) WeChat/arm64 Weixin NetType/WIFI Language/zh_CN ABI/arm64 MiniProgramEnv/android","xff":"112.252.121.76","http_content_type":"application/json","http_refer":"https://servicewechat.com/wxfd8da8f8efcda4a7/77/page-frame.html","http_method":"HEAD","protocol":"HTTP/1.1","status":200,"length":0},"app_proto":"http","direction":"to_client","flow":{"pkts_toserver":5,"pkts_toclient":4,"bytes_toserver":1239,"bytes_toclient":534,"start":"2025-04-03T18:42:35.287342+0800","src_ip":"39.145.22.217","dest_ip":"115.159.22.216","src_port":60968,"dest_port":80},"payload":"SFRUUC8xLjEgMjAwIE9LDQpTZXJ2ZXI6IG5naW54LzEuMTAuMA0KRGF0ZTogVGh1LCAwMyBBcHIgMjAyNSAxMDo0MjozNSBHTVQNCkNvbnRlbnQtVHlwZTogYXBwbGljYXRpb24vanNvbg0KQ29udGVudC1MZW5ndGg6IDE0NjINCkxhc3QtTW9kaWZpZWQ6IFdlZCwgMTIgTWFyIDIwMjUgMTA6MTk6NTggR01UDQpDb25uZWN0aW9uOiBrZWVwLWFsaXZlDQpFVGFnOiAiNjdkMTVmY2UtNWI2Ig0KQWNjZXB0LVJhbmdlczogYnl0ZXMNCg0K","stream":1,"capture_file":"/nsm_data//pcap.log.1743676950"}

What is the cause of this? I need help and look forward to a reply, thanks.

Hi,

Do I understand correctly that you want to know why is the rule with signature_id 1004 generating an alert?

If that is the case, this probably means that the other rules that set the flowbit 300031_http are not being triggered, and therefore signature 1004, which should only alert if that flowbit is not set, alerts.

If that’s not what you’re trying to understand, could you please elaborate a bit more on your question?

Your understanding is correct. Setting the alarm for 300031_http should no longer trigger the alarm for signature 1004. In the above picture, in the Eve log, the flowbits value appears in the metadata as 300031_http, so signature 1004 should not alarm. Is this a bug or am I using it incorrectly?

Indeed. To better debug this, I would recommend confirming that the other signatures are not being triggered. As all other rules that set this flowbit have the noalert keyword, I suggest you edit one or create a very similar rule but that alerts, to verify if the flowbit is being set or not. If it isn’t, the behavior looks correct to me.
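A concrete form of the debugging step suggested in the reply above, added here as an example and not part of the thread: one copy of sid 1001 with `noalert` removed so the request side becomes visible in eve.json, plus a response-side rule that is the mirror of sid 1004 (`flowbits:isset` instead of `isnotset`). The sids 1005 and 1006 and the msg strings are placeholders chosen for this example; everything else is taken from the rules posted in the thread.

```suricata
# Added debug rules for the 300031_http flowbit (example, not from the thread).
# sid 1005: identical match to sid 1001 but without noalert, so the request-side
# set of the flowbit shows up as its own alert in eve.json.
alert http any any -> $HOME_NET any (msg:"DEBUG 300031_http set on .json request"; flow:established,to_server; content:".json"; http_uri; flowbits:set,300031_http; sid:1005; gid:300031;)
# sid 1006: fires on the response only when the flowbit IS set, the opposite of sid 1004.
alert http $HOME_NET any -> any any (msg:"DEBUG 300031_http is set on response"; flow:established,to_client; flowbits:isset,300031_http; sid:1006; gid:300031;)
```

Load these next to the original rules and replay the same pcap. For any one flow_id, the response should then produce either sid 1004 (flowbit not set) or sid 1006 (flowbit set), never both; if a flow shows sid 1005 on the request together with sid 1004 on the response, the flowbit was set before the response was inspected and the `isnotset` evaluation is what needs to be reported, whereas no sid 1005 at all means the request-side rules are simply not matching.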