Unable to unset the flowbits, though the rule is disabled

Unable to unset the flowbits; we see traffic that was initially dropped due to the rule "2018372":

alert tcp any any -> $HOME_NET !$HTTP_PORTS (msg:"ET EXPLOIT Malformed HeartBeat Request"; flow:established,to_server; content:"|18 03|"; depth:2; byte_test:1,<,4,2; content:"|01|"; offset:5; depth:1; byte_extract:2,3,record_len; byte_test:2,>,2,3; byte_test:2,>,record_len,6; threshold:type limit,track by_src,count 1,seconds 120; flowbits:set,ET.MalformedTLSHB; reference:cve,2014-0160; reference:url,blog.inliniac.net/2014/04/08/detecting-openssl-heartbleed-with-suricata/; reference:url,heartbleed.com/; reference:url,blog.fox-it.com/2014/04/08/openssl-heartbleed-bug-live-blog/; classtype:bad-unknown; sid:2018372; rev:3; metadata:created_at 2014_04_08, cve CVE_2014_0160, former_category CURRENT_EVENTS, updated_at 2019_08_16;)

which is about a malformed heartbeat. Due to the nature of the rule it was dropping the internal traffic, so we changed the rule action from drop to alert, but we still continue to see the flow drops associated with the traffic. When looking at the raw logs we saw the flowbits for the traffic were assigned "ET.MalformedTLSHB" and "ET.HB.Request.CI" (sample raw logs):

{"timestamp":"2024-03-05T11:35:19.086974-0500","flow_id":619325550378881,"in_iface":"bond_switch2","event_type":"drop","vlan":[140],"src_ip":"10.140.140.31","src_port":50638,"dest_ip":"10.142.0.7","dest_port":443,"proto":"TCP","metadata":{"flowbits":["ET.MalformedTLSHB","ET.HB.Request.CI"]},"drop":{"len":48,"tos":0,"ttl":255,"ipid":37967,"tcpseq":145710607,"tcpack":0,"tcpwin":4140,"syn":true,"ack":false,"psh":false,"rst":false,"urg":false,"fin":false,"tcpres":0,"tcpurgp":0,"reason":"flow drop"}}
{"timestamp":"2024-03-05T11:35:20.086888-0500","flow_id":619325550378881,"in_iface":"bond_switch2","event_type":"drop","vlan":[140],"src_ip":"10.140.140.31","src_port":50638,"dest_ip":"10.142.0.7","dest_port":443,"proto":"TCP","metadata":{"flowbits":["ET.MalformedTLSHB","ET.HB.Request.CI"]},"drop":{"len":48,"tos":0,"ttl":255,"ipid":61144,"tcpseq":145710607,"tcpack":0,"tcpwin":4140,"syn":true,"ack":false,"psh":false,"rst":false,"urg":false,"fin":false,"tcpres":0,"tcpurgp":0,"reason":"flow drop"}}
{"timestamp":"2024-03-05T11:35:21.086756-0500","flow_id":619325550378881,"in_iface":"bond_switch2","event_type":"drop","vlan":[140],"src_ip":"10.140.140.31","src_port":50638,"dest_ip":"10.142.0.7","dest_port":443,"proto":"TCP","metadata":{"flowbits":["ET.MalformedTLSHB","ET.HB.Request.CI"]},"drop":{"len":48,"tos":0,"ttl":255,"ipid":20079,"tcpseq":145710607,"tcpack":0,"tcpwin":4140,"syn":true,"ack":false,"psh":false,"rst":false,"urg":false,"fin":false,"tcpres":0,"tcpurgp":0,"reason":"flow drop"}}
{"timestamp":"2024-03-05T11:35:22.086997-0500","flow_id":619325550378881,"in_iface":"bond_switch2","event_type":"drop","vlan":[140],"src_ip":"10.140.140.31","src_port":50638,"dest_ip":"10.142.0.7","dest_port":443,"proto":"TCP","metadata":{"flowbits":["ET.MalformedTLSHB","ET.HB.Request.CI"]},"drop":{"len":40,"tos":0,"ttl":255,"ipid":42331,"tcpseq":145710608,"tcpack":0,"tcpwin":0,"syn":false,"ack":true,"psh":false,"rst":true,"urg":false,"fin":false,"tcpres":0,"tcpurgp":0,"reason":"flow drop"}}
{"timestamp":"2024-03-05T11:35:18.086942-0500","flow_id":619325550378881,"in_iface":"bond_switch2","event_type":"drop","vlan":[140],"src_ip":"10.140.140.31","src_port":50638,"dest_ip":"10.142.0.7","dest_port":443,"proto":"TCP","metadata":{"flowbits":["ET.MalformedTLSHB","ET.HB.Request.CI"]},"drop":{"len":48,"tos":0,"ttl":255,"ipid":14260,"tcpseq":145710607,"tcpack":0,"tcpwin":4140,"syn":true,"ack":false,"psh":false,"rst":false,"urg":false,"fin":false,"tcpres":0,"tcpurgp":0,"reason":"flow drop"}}

The entire traffic associated with that flow is dropping, irrespective of the action set on the actual rule. I have even created a rule to unset the flowbits ["ET.MalformedTLSHB", "ET.HB.Request.CI"].
Though the rule is pushed I still see the traffic having the same flowbits assigned, and they are not being unset. (New rule added in the local.rule file)

alert tcp any any -> $HOME_NET !$HTTP_PORTS (msg:"UNSETTING FLOWBITS Malformed TLSHB Request"; flow:established,to_server; flowbits:isset,ET.MalformedTLSHB; flowbits:unset,ET.MalformedTLSHB; flowbits:isset,ET.HB.Request.CI; flowbits:unset,ET.HB.Request.CI; classtype:bad-unknown; sid:100035; rev:3; metadata:created_at 2014_04_08, cve CVE_2014_0160, former_category CURRENT_EVENTS, updated_at 2019_08_16;)

This is impacting production traffic and is having a high degree of impact. Please help. I did try disabling the rules; even that did not help: the rules were disabled but the traffic flow is still being dropped. I would need a resolution.

Thanks,
Adil.
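A triage helper for eve.json drop events like the ones quoted above, added here as an example and not part of the original post: it groups drop events by flow_id, collects the attached flowbits, drop reasons and TCP flags, and picks out flows whose packets were all dropped by the flow-level verdict ("flow drop") while a given flowbit was set. The sample lines are constructed to mirror the post's events (one extra flow with reason "rules" is made up as a contrast).

```python
import json
from collections import Counter

# Constructed sample (not from the poster's environment): the first three events mirror
# the thread's flow 619325550378881 (SYN retries, then an RST, every packet dropped with
# reason "flow drop" while both flowbits stay set). The fourth event is a constructed
# contrast flow dropped by a per-packet rule verdict ("rules") with no flowbits attached.
SAMPLE_EVE = """
{"timestamp":"2024-03-05T11:35:18.086942-0500","flow_id":619325550378881,"event_type":"drop","src_ip":"10.140.140.31","src_port":50638,"dest_ip":"10.142.0.7","dest_port":443,"proto":"TCP","metadata":{"flowbits":["ET.MalformedTLSHB","ET.HB.Request.CI"]},"drop":{"syn":true,"ack":false,"rst":false,"reason":"flow drop"}}
{"timestamp":"2024-03-05T11:35:19.086974-0500","flow_id":619325550378881,"event_type":"drop","src_ip":"10.140.140.31","src_port":50638,"dest_ip":"10.142.0.7","dest_port":443,"proto":"TCP","metadata":{"flowbits":["ET.MalformedTLSHB","ET.HB.Request.CI"]},"drop":{"syn":true,"ack":false,"rst":false,"reason":"flow drop"}}
{"timestamp":"2024-03-05T11:35:22.086997-0500","flow_id":619325550378881,"event_type":"drop","src_ip":"10.140.140.31","src_port":50638,"dest_ip":"10.142.0.7","dest_port":443,"proto":"TCP","metadata":{"flowbits":["ET.MalformedTLSHB","ET.HB.Request.CI"]},"drop":{"syn":false,"ack":true,"rst":true,"reason":"flow drop"}}
{"timestamp":"2024-03-05T11:36:02.000000-0500","flow_id":222222222222222,"event_type":"drop","src_ip":"10.140.140.41","src_port":51001,"dest_ip":"10.142.0.7","dest_port":443,"proto":"TCP","drop":{"syn":false,"ack":true,"rst":false,"reason":"rules"}}
"""


def summarize_drops(lines):
    """Group eve 'drop' events by flow_id and collect what matters for triage:
    packets dropped, flowbits attached, drop reasons, SYN retries and whether
    the client gave up with an RST."""
    flows = {}
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        ev = json.loads(raw)
        if ev.get("event_type") != "drop":
            continue
        d = ev["drop"]
        f = flows.setdefault(ev["flow_id"], {
            "tuple": (ev["src_ip"], ev["src_port"], ev["dest_ip"], ev["dest_port"]),
            "drops": 0, "flowbits": set(), "reasons": Counter(),
            "syn_retries": 0, "rst_seen": False})
        f["drops"] += 1
        f["flowbits"].update(ev.get("metadata", {}).get("flowbits", []))
        f["reasons"][d.get("reason", "not set")] += 1
        f["syn_retries"] += 1 if d.get("syn") and not d.get("ack") else 0
        f["rst_seen"] = f["rst_seen"] or bool(d.get("rst"))
    return flows


def flows_dropped_by_flow_verdict(flows, flowbit):
    """flow_ids whose every drop carries reason 'flow drop' (the verdict is held on
    the flow, not decided per packet by a rule) while `flowbit` was set."""
    return sorted(fid for fid, f in flows.items()
                  if flowbit in f["flowbits"] and set(f["reasons"]) == {"flow drop"})


if __name__ == "__main__":
    flows = summarize_drops(SAMPLE_EVE.splitlines())
    for fid in flows_dropped_by_flow_verdict(flows, "ET.MalformedTLSHB"):
        f = flows[fid]
        print(fid, f["tuple"], f["drops"], "drops,", f["syn_retries"], "SYN retries,",
              "RST seen" if f["rst_seen"] else "no RST")
```

Run it against a real eve.json with `summarize_drops(open("eve.json"))` to list the flows where a flow-level drop verdict, rather than the current rule action, is what keeps dropping packets.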

The rule 2018372, though it says alert, was initially set to drop; we happened to change the rule action from drop to alert.

If the rule is not set to drop anymore, it shouldn't drop. Do you have more details for the drops that happened after you reverted the rule back to alert?

The rules that mostly focus on setting flowbits should not be converted to drop rules.