Project

General

Profile

Actions

Bug #5437

closed

'unseen' http midstream packets with TCP FIN flag set

Added by Juliana Fajardini Reichow over 2 years ago. Updated almost 2 years ago.

Status:
Closed
Priority:
Normal
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

This was raised by a discussion on our Discord server.

Two users reached out because Suri seemed to be randomly omitting payloads from some of the alerts.

Apparently, this is happening because some HTTP midstream packets are not seen by Suri, even if we have stream.midstream=true.
Wireshark is able to properly tag such traffic as HTTP.

This also leads to Suri not logging associated payload to some alert events in the eve-log, as it doesn't recognize the stream as HTTP.

The rule used by them to generate the alerts was:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent
 known malicious user-agent string - Mirai"; flow:to_server,established;
 content:"User-Agent|3A| Hello, world"; fast_pattern:only; http_header;
 metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop,
 policy security-ips drop, service HTTP;
reference:url,www.virustotal.com/en/file/
3908cc1d8001f926031fbe55ce104448dbc20c9795b7c3cfbd9abe7b789f899d/analysis/;
 classtype:trojan-activity; sid:58992; rev:1;)


Files

anonymized-NoPayload.pcap (768 Bytes) anonymized-NoPayload.pcap Juliana Fajardini Reichow, 07/06/2022 01:27 PM
anonymized-Payload.pcap (8.33 KB) anonymized-Payload.pcap Juliana Fajardini Reichow, 07/06/2022 01:27 PM
Actions

Also available in: Atom PDF