Bug #3684
Specific rule is not firing against pcap if other rule is enabled
Status: closed
Description
Hi all,
I've observed a pretty weird behaviour while investigating a rule miss against a pcap where this rule should normally hit.
If you run etpro-all.rules against the pcap you will have several alerts, but not on the rule with the sid 2841978 (ETPRO MALWARE Lemon_Duck Powershell Requesting Payload M2).
If you run a rule file that contains only this one rule with sid 2841978 it will fire as expected.
So I narrowed the problem down to rule 2009247, which is interfering with sid 2841978. If you run a rule file with both rules against the pcap, 2841978 will not fire. If you run a rule file with only 2841978 in it, 2841978 will fire.
I've tested this behaviour with Suricata 4.1.6, 5.0.2 and the newest 5.0.3.
In the attached zip archive you will find the yaml configurations and the logs for both runs. I couldn't compress the pcap to be smaller than 20MB. Please ping me when you start looking into this. I will share it with you via a file share system then.
Thanks,
Konstantin
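The narrowing-down the report describes by hand (run the target sid alone, then with subsets of the other rules) can be automated as a bisection over the rule file. The following is an added example, not code from the report or from the Suricata project; the rule bodies are constructed placeholders (the real ET Pro rule text is not on the page), the `suricata_fires` oracle assumes the standard `-c`, `-S`, `-r`, `-l` options and the `[gid:sid:rev]` field in fast.log, and `fake_oracle` stands in for a real Suricata run so the bisection logic can be exercised offline.

```python
import re
import subprocess
import tempfile
from pathlib import Path

SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")

def sid_of(rule: str):
    """Return the sid of a rule line, or None if it has none."""
    m = SID_RE.search(rule)
    return int(m.group(1)) if m else None

def load_rules(text: str):
    """Keep only active rule lines (drop comments and blank lines)."""
    return [ln for ln in text.splitlines() if ln.strip() and not ln.lstrip().startswith("#")]

def suricata_fires(rules, pcap, target_sid, yaml="suricata.yaml"):
    """Real oracle (hypothetical paths): run Suricata with exactly these rules
    against the pcap and report whether target_sid appears in fast.log."""
    with tempfile.TemporaryDirectory() as d:
        rule_file = Path(d) / "subset.rules"
        rule_file.write_text("\n".join(rules) + "\n")
        subprocess.run(["suricata", "-c", yaml, "-S", str(rule_file), "-r", pcap, "-l", d],
                       check=True, capture_output=True)
        fast = Path(d) / "fast.log"
        return fast.exists() and f"[1:{target_sid}:" in fast.read_text()

def find_interfering_rule(rules, target_sid, fires):
    """Bisect the non-target rules to find one that suppresses target_sid.
    `fires(subset)` must return True when target_sid alerts with that subset loaded."""
    target = [r for r in rules if sid_of(r) == target_sid]
    others = [r for r in rules if sid_of(r) != target_sid]
    if not fires(target):
        return ("target never fires on this pcap", None)
    if fires(target + others):
        return ("no interference", None)
    while len(others) > 1:
        half = len(others) // 2
        left, right = others[:half], others[half:]
        if not fires(target + left):
            others = left
        elif not fires(target + right):
            others = right
        else:  # neither half alone suppresses it: needs a combination of rules
            return ("interference needs a combination", others)
    return ("interfering", others[0])

# Constructed sample rule set: sids from the report, placeholder bodies.
CONSTRUCTED_RULES = [f'alert tcp any any -> any any (msg:"constructed {s}"; sid:{s}; rev:1;)'
                     for s in (2841978, 2009247, 1000001, 1000002, 1000003)]

def fake_oracle(rules):
    """Stand-in for Suricata: the target fires unless sid 2009247 is loaded."""
    return 2009247 not in {sid_of(r) for r in rules}

def demo():
    return find_interfering_rule(CONSTRUCTED_RULES, 2841978, fake_oracle)
```

With a real pcap, replace `fake_oracle` by `lambda rs: suricata_fires(rs, "capture.pcap", 2841978)`; each bisection step costs one Suricata run, so a 30k-rule file needs about fifteen runs instead of one per rule.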