Actions
Bug #6197
openstream: additional alerts being seen once sigs are added
Description
If we add a unrelated signature we can cause the `bytemath` tests to trigger more alerts.
For example we get this output:
===> detect-bytemath-01: Sub test #1: FAIL : expected 1 matches; got 2 for filter {'count': 1, 'match': {'event_type': 'alert', 'alert.signature_id': 1}}
If we changed the `test.rules` in this suricata-verify test to include one more rule:
alert ssh any any -> any any (msg:"FOOBAR"; pcre:"/rabbit/"; classtype:unknown; sid:3130009; rev:2;) alert tcp any any -> any any (msg:"Byte-math test"; \ ipv4.hdr; byte_math:bytes 1, offset 1, oper <<, rvalue 2, result result_val; \ tcp.hdr; byte_test: 1, =, 0x88, 1, relative; \ sid:1;)
The ssh one is added and not related, but the addition has the impact to trigger an additional alert:
{ "timestamp": "2020-05-06T11:27:47.118173+0000", "flow_id": 1070501709304770, "pcap_cnt": 1, "event_type": "alert", "src_ip": "192.0.78.190", "src_port": 136, "dest_ip": "192.0.78.25", "dest_port": 80, "proto": "TCP", "pkt_src": "wire/pcap", "alert": { "action": "allowed", "gid": 1, "signature_id": 1, "rev": 0, "signature": "Byte-math test", "category": "", "severity": 3 }, "direction": "to_server", "flow": { "pkts_toserver": 1, "pkts_toclient": 0, "bytes_toserver": 40, "bytes_toclient": 0, "start": "2020-05-06T11:27:47.118173+0000", "src_ip": "192.0.78.190", "dest_ip": "192.0.78.25", "src_port": 136, "dest_port": 80 } } { "timestamp": "2020-05-06T11:27:47.118173+0000", "flow_id": 1070501709304770, "event_type": "alert", "src_ip": "192.0.78.190", "src_port": 136, "dest_ip": "192.0.78.25", "dest_port": 80, "proto": "TCP", "pkt_src": "stream (flow timeout)", "alert": { "action": "allowed", "gid": 1, "signature_id": 1, "rev": 0, "signature": "Byte-math test", "category": "", "severity": 3 }, "direction": "to_server", "flow": { "pkts_toserver": 1, "pkts_toclient": 0, "bytes_toserver": 40, "bytes_toclient": 0, "start": "2020-05-06T11:27:47.118173+0000", "src_ip": "192.0.78.190", "dest_ip": "192.0.78.25", "src_port": 136, "dest_port": 80 } }
There is this minor diff:
"pcap_cnt": 1, "pkt_src": "wire/pcap",
vs
"pkt_src": "stream (flow timeout)",
The second alert is a new one, once added with the alert.
A git blame showed that this commit https://github.com/OISF/suricata/commit/1bb6f44ff01363fa29488f1ae83b9368e33c2770 is the change that made this strange happening occur.
Actions