Why can it cause an alert?

CVE-2017-7494.pcap (80.8 KB)

alert tcp any any -> any any (msg:"test ack"; flags:A; window:512; threshold:type both,track by_dst,count 90,seconds 1; sid:80000453;)

stream:
  midstream: yes
  memcap: 64mb
  checksum-validation: yes
  inline: auto  # auto will use inline mode in IPS mode, yes or no set it statically
  reassembly:
    memcap: 256mb
    depth: 1mb  # reassemble 1mb into a stream
    toserver-chunk-size: 1024 #2560
    toclient-chunk-size: 1024
    randomize-chunk-size: yes

Can anybody help? The rule doesn't check the pcap. The window flag count isn't satisfied.

Hi, it’s quite hard to understand your question.
Seems like you are asking why the rule is triggering.
The very first ACK packet in the pcap (packet number 7) has a TCP window size of 512 so it will trigger the alert.
This seems to be the case for the other ACK packets I looked at as well. That will probably get you over the threshold of 90 packets and trigger the alert.


"threshold:type both,track by_dst,count 90,seconds 1;" Doesn't it mean the alert only happens when "flags:A; window:512;" occurs 90 times in 1 second?

I think your understanding of the rule keyword is correct, leezp. When I check that pcap you shared and filter in Wireshark for "tcp.flags.ack==1 and tcp.window_size_value>=512", in one second there are more than 400 matching packets showing, even after the filter. So maybe the rule is alerting correctly?

https://suricata.readthedocs.io/en/latest/rules/header-keywords.html#window

I thought the "window" keyword is a fixed value and not a range, like this:
"window:512;" means tcp.window_size_value=512 and not tcp.window_size_value>=512

I understand that the documentation makes it ambiguous, somewhat. But it seems to me that the interpretation is that the window size will be 512 or more.

I've found an example from our Suricata-verify tests that may be of help. In the rules, there's one that states (suricata-verify/tests/http2-basic in OISF/suricata-verify on GitHub):

alert http2 any any -> any any (http2.window:34634; sid:4; rev:1;)

The test.yaml file checks for 2 matches for said rule, meaning that we expect two packets that will trigger that condition. If we inspect the pcap, we don't see packets with the exact window_size of 34634, but we see two that are bigger than that, 43690 (see screenshot). From that example, my understanding is that the window keyword is used for window sizes that are equal to or bigger than the specified value...

Maybe I can't agree with your opinion.
I tried another pcap which only has one window attribute value, 1024:

alert tcp any any -> any any (msg:"scan1"; window:1024; threshold: type limit, track by_dst, count 1, seconds 60; sid:110;)

alert tcp any any -> any any (msg:"scan2"; window:1023; threshold: type limit, track by_dst, count 1, seconds 60; sid:111;)

The first rule got an alert, the second got no alert.
nmap -PA -p 8080-8082 ip.pcap (620 Bytes)
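To make the two readings of the rule concrete, here is an added toy model (written for this thread; it is not Suricata code and not the poster's pcap) that applies `flags`, `window` and `threshold:type both,track by_dst` to constructed packet records. The `window` test is modelled as equality, matching the nmap experiment above where `window:1024` alerted and `window:1023` did not, and a `ge` mode is included only to show how the count changes under the ">=" reading discussed earlier. The threshold model is simplified (one fixed interval per destination, one alert per interval) and ignores stream state and everything else the engine does.

```python
"""Toy model of a Suricata tcp rule with `flags`, `window` and
`threshold:type both` applied to a list of packet records.
Added for illustration; not Suricata code, and it ignores stream
state, rule ordering and most other engine behaviour."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    ts: float      # capture timestamp in seconds
    dst: str       # destination IP (the threshold is tracked by_dst)
    flags: str     # TCP flag letters that are set, e.g. "A", "SA", "PA"
    window: int    # raw TCP window size field


def flags_match(pkt_flags: str, rule_flags: str) -> bool:
    """A bare flags value (no +, * or ! modifier) matches only when the
    packet's flag set is exactly the specified set."""
    return set(pkt_flags) == set(rule_flags)


def window_match(pkt_window: int, rule_window: int, mode: str = "eq") -> bool:
    """mode="eq": equality, as in the nmap experiment (1024 alerts, 1023 does not).
    mode="ge": the '>=' reading debated in the thread, kept for comparison."""
    if mode == "eq":
        return pkt_window == rule_window
    if mode == "ge":
        return pkt_window >= rule_window
    raise ValueError(f"unknown mode {mode!r}")


def count_matches(packets, flags="A", window=512, mode="eq") -> int:
    """How many packets satisfy the rule header options, before thresholding."""
    return sum(1 for p in packets
               if flags_match(p.flags, flags) and window_match(p.window, window, mode))


def run_rule(packets, flags="A", window=512, count=90, seconds=1.0, mode="eq"):
    """threshold:type both,track by_dst: once `count` matching packets have been
    seen for a destination inside a `seconds` interval, raise one alert and stay
    quiet for the rest of that interval. Returns a list of (ts, dst) alerts."""
    state = defaultdict(lambda: {"start": None, "n": 0, "fired": False})
    alerts = []
    for p in sorted(packets, key=lambda x: x.ts):
        if not (flags_match(p.flags, flags) and window_match(p.window, window, mode)):
            continue
        st = state[p.dst]
        if st["start"] is None or p.ts - st["start"] >= seconds:
            st.update(start=p.ts, n=0, fired=False)   # start a new interval
        st["n"] += 1
        if st["n"] >= count and not st["fired"]:
            st["fired"] = True
            alerts.append((p.ts, p.dst))
    return alerts


def sample_packets():
    """Constructed traffic for the demo; not taken from the pcap in the thread."""
    pkts = []
    # burst 1: 95 pure ACKs with window 512 to one host within half a second
    pkts += [Pkt(0.005 * i, "10.0.0.5", "A", 512) for i in range(95)]
    # PSH/ACK segments with window 512: not a match for bare flags:A
    pkts += [Pkt(0.3 + 0.01 * i, "10.0.0.5", "PA", 512) for i in range(20)]
    # pure ACKs with a larger window: counted under "ge" but not under "eq"
    pkts += [Pkt(0.4 + 0.01 * i, "10.0.0.5", "A", 1024) for i in range(30)]
    # burst 2: 50 matching ACKs two seconds later, below the count of 90
    pkts += [Pkt(2.0 + 0.005 * i, "10.0.0.5", "A", 512) for i in range(50)]
    # an unrelated host seeing only a handful of ACKs
    pkts += [Pkt(0.1 * i, "10.0.0.9", "A", 512) for i in range(5)]
    return pkts


if __name__ == "__main__":
    pkts = sample_packets()
    print("matches (window == 512):", count_matches(pkts))
    print("matches (window >= 512):", count_matches(pkts, mode="ge"))
    print("alerts for the thread's rule:", run_rule(pkts))
    print("alerts with window:1023:", run_rule(pkts, window=1023))
```

Running it shows one alert for the original rule, fired on the 90th qualifying ACK to 10.0.0.5, none for `window:1023`, and a clearly larger pre-threshold count under the ">=" reading. Feeding real packet records (timestamp, destination, flags, window) from a pcap into `run_rule` is a quick way to check whether a threshold rule should have fired before blaming the engine.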

Yeah, I see your point, and I lack the knowledge, for now, to analyze and understand further...