I tested the transformation keyword url_decode by writing 2 rules, and I get an alert when using only rule2.
However, if I use rule1 and rule2 together, then no alert occurs.
rule1:
alert http any any -> $HOME_NET any (msg:"detecting (/etc/passwd)"; flow:to_server,established; http.request_body; content:"\\etc\\passwd"; sid:1;)
rule2:
alert http any any -> $HOME_NET any (msg:"detecting (/etc/passwd)"; flow:to_server,established; http.request_body; url_decode; content:"\\etc\\passwd"; sid:2;)
I debugged the detection part of the code and figured out the workflow of transformation. If a rule file contains rule1 detecting a sticky buffer and rule2 detecting the sticky buffer after transformation, Suricata starts by inspecting the original sticky buffer. After this process, the sticky buffer is flagged as "already inspected". So the transformation can't be performed on this sticky buffer since it's already taken and inspected. Therefore, rule2 can't trigger any alert.
I wonder if it's a BUG of transformation. I can't find any other useful information in the documentation.
You're using Suricata version 6.0?
We made an update that should help with your situation; could you try with Suricata 6.0.1 (to be released within the next few days) and report back?
Thanks for your reply. I updated to Suricata 6.0.1 and ran the following two tests. But it seems like the problem has not been solved.
- Test 1
I use a rule file containing 2 rules:
alert http any any -> $HOME_NET any (msg:"detect (/etc/passwd)"; flow:to_server,established; http.request_body; url_decode; content:"/etc/passwd"; nocase; sid:1001;)
alert http any any -> $HOME_NET any (msg:"detect (/etc/passwd)"; flow:to_server,established; http.request_body; url_decode; content:"/etc/passwd"; nocase; sid:1002;)
And I get 2 alerts.
- Test 2
I use a rule file containing 2 rules:
alert http any any -> $HOME_NET any (msg:"detect (/etc/passwd)"; flow:to_server,established; http.request_body; content:"/etc/passwd"; nocase; sid:1001;)
alert http any any -> $HOME_NET any (msg:"detect (/etc/passwd)"; flow:to_server,established; http.request_body; url_decode; content:"/etc/passwd"; nocase; sid:1002;)
And I get no alert.
The test pcap file is attached here.
http.pcap (2.0 KB)
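As an added example (my own Python model written for this thread, not Suricata's code and not the poster's pcap), the script below parses the Test 1 and Test 2 rule pairs and evaluates them the way the thread expects: each rule gets its own copy of the request body, applies its own transform chain, and then matches its content. The `url_decode` function is an assumption about the transform's semantics ('+' to space, valid %HH to a byte, malformed escapes copied through), and the request body is constructed so that "/etc/passwd" is only visible after decoding. Under this model Test 2 should alert on sid 1002 alone, which is the result the poster did not get.

```python
import re
from dataclasses import dataclass

# Added example: a small model of per-rule transform evaluation on a sticky
# buffer. It is NOT Suricata code; the parser understands only the options
# used in this thread (content, nocase, sid, url_decode).


def url_decode(buf: bytes) -> bytes:
    """Assumed url_decode semantics: '+' becomes a space and a valid %HH
    escape becomes its byte; malformed escapes are copied unchanged."""
    out = bytearray()
    i, n = 0, len(buf)
    while i < n:
        b = buf[i]
        if b == 0x2B:                                   # '+'
            out.append(0x20)
            i += 1
        elif b == 0x25 and i + 2 < n and _is_hex(buf[i + 1]) and _is_hex(buf[i + 2]):
            out.append(int(buf[i + 1:i + 3], 16))       # '%HH'
            i += 3
        else:
            out.append(b)
            i += 1
    return bytes(out)


def _is_hex(c: int) -> bool:
    return chr(c) in "0123456789abcdefABCDEF"


TRANSFORMS = {"url_decode": url_decode}


@dataclass
class Rule:
    sid: int
    content: bytes
    nocase: bool = False
    transforms: tuple = ()


def _split_options(options: str) -> list:
    """Split the option body on ';' but not inside double quotes."""
    parts, cur, in_quotes = [], "", False
    for ch in options:
        if ch == '"':
            in_quotes = not in_quotes
        if ch == ";" and not in_quotes:
            parts.append(cur.strip())
            cur = ""
        else:
            cur += ch
    if cur.strip():
        parts.append(cur.strip())
    return parts


def parse_rule(line: str) -> Rule:
    """Extract sid, content, nocase and the transform chain from one rule."""
    options = re.search(r"\((.*)\)\s*$", line).group(1)
    sid, content, nocase, transforms = None, b"", False, []
    for opt in _split_options(options):
        key, _, val = opt.partition(":")
        key, val = key.strip(), val.strip()
        if key == "sid":
            sid = int(val)
        elif key == "content":
            # Unescape the \\ \" \; sequences that rule syntax allows.
            content = re.sub(r'\\([\\";])', r"\1", val.strip('"')).encode()
        elif key == "nocase":
            nocase = True
        elif key in TRANSFORMS:
            transforms.append(key)
    return Rule(sid, content, nocase, tuple(transforms))


def rule_matches(rule: Rule, body: bytes) -> bool:
    """Each rule works on its own view of the buffer, so a transform in one
    rule never changes what another rule inspects."""
    buf = body
    for name in rule.transforms:
        buf = TRANSFORMS[name](buf)
    if rule.nocase:
        return rule.content.lower() in buf.lower()
    return rule.content in buf


def evaluate(rule_lines, body: bytes) -> list:
    """Return the sids that alert on this request body, in rule order."""
    return [r.sid for r in map(parse_rule, rule_lines) if rule_matches(r, body)]


# Rule pairs mirroring Test 1 and Test 2 from the thread.
TEST1_RULES = [
    'alert http any any -> $HOME_NET any (msg:"detect (/etc/passwd)"; flow:to_server,established; http.request_body; url_decode; content:"/etc/passwd"; nocase; sid:1001;)',
    'alert http any any -> $HOME_NET any (msg:"detect (/etc/passwd)"; flow:to_server,established; http.request_body; url_decode; content:"/etc/passwd"; nocase; sid:1002;)',
]
TEST2_RULES = [
    'alert http any any -> $HOME_NET any (msg:"detect (/etc/passwd)"; flow:to_server,established; http.request_body; content:"/etc/passwd"; nocase; sid:1001;)',
    'alert http any any -> $HOME_NET any (msg:"detect (/etc/passwd)"; flow:to_server,established; http.request_body; url_decode; content:"/etc/passwd"; nocase; sid:1002;)',
]

# Constructed request body: the path is percent-encoded, so only a rule that
# runs url_decode first can see "/etc/passwd".
ENCODED_BODY = b"file=%2Fetc%2Fpasswd&mode=read"

if __name__ == "__main__":
    print("Test 1 alerts:", evaluate(TEST1_RULES, ENCODED_BODY))  # [1001, 1002]
    print("Test 2 alerts:", evaluate(TEST2_RULES, ENCODED_BODY))  # [1002]
```

Running the script against the constructed body gives `[1001, 1002]` for Test 1 and `[1002]` for Test 2, which is the outcome a transform that is applied per rule should produce; comparing that with the "no alert" result from the real engine is a quick way to confirm the problem is in the shared-buffer handling rather than in the rule text.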
Hi,
We’ve created an issue to track the problem that you’ve found: https://redmine.openinfosecfoundation.org/issues/4210