<html><head></head><body><div style="color:#000; background-color:#fff; font-family:HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif;font-size:16px"><div class="" id="yui_3_16_0_1_1456158282000_3487">Hello everyone,<o:p id="yui_3_16_0_1_1456158282000_3489" class=""></o:p></div><div class="" id="yui_3_16_0_1_1456158282000_3491"><o:p id="yui_3_16_0_1_1456158282000_3493" class=""> </o:p></div><div class="" id="yui_3_16_0_1_1456158282000_3495">I am new to the mailing list. Sorry for the long email, I
just wanted to include enough information in case anyone has come across a
similar problem. <o:p id="yui_3_16_0_1_1456158282000_3497" class=""></o:p></div><div class="" id="yui_3_16_0_1_1456158282000_3499"><o:p id="yui_3_16_0_1_1456158282000_3501" class=""> </o:p></div><div class="" id="yui_3_16_0_1_1456158282000_3503">I have been running Suricata against several pcaps with
different yaml configurations and am seeing the total count of alerts change
from one run to another, or even with the same yaml but run at a different
time. Has anyone come across anything similar before?<o:p id="yui_3_16_0_1_1456158282000_3505" class=""></o:p></div><div class="" id="yui_3_16_0_1_1456158282000_3507">Below are details on the rules whose counts change and the
yaml files I am using. <o:p id="yui_3_16_0_1_1456158282000_3509" class=""></o:p></div><div class="" id="yui_3_16_0_1_1456158282000_3511"><o:p id="yui_3_16_0_1_1456158282000_3513" class=""> </o:p></div><div class="" id="yui_3_16_0_1_1456158282000_3515">Suricata-2.0.11<o:p id="yui_3_16_0_1_1456158282000_3517" class=""></o:p></div><div class="" id="yui_3_16_0_1_1456158282000_3519">CentOS 7.1.1503<o:p id="yui_3_16_0_1_1456158282000_3521" class=""></o:p></div><div class="" id="yui_3_16_0_1_1456158282000_3523"><o:p id="yui_3_16_0_1_1456158282000_3525" class=""> </o:p></div><div class="" id="yui_3_16_0_1_1456158282000_3527">Yaml Files:<o:p id="yui_3_16_0_1_1456158282000_3529" class=""></o:p></div><div class="" id="yui_3_16_0_1_1456158282000_3531"> - yaml1: very out of
the box yaml, except moved address-groups and other locally defined variables
to an include file. <o:p id="yui_3_16_0_1_1456158282000_3533" class=""></o:p></div><div class="" id="yui_3_16_0_1_1456158282000_3535"> - yaml2: changed max-pending-packets from 1024 to
645000, and detect-engine.profile from medium to high.<o:p id="yui_3_16_0_1_1456158282000_3537" class=""></o:p></div><div class="" id="yui_3_16_0_1_1456158282000_3539"> - threading1 and threading2:
turned on cpu-affinity but set them to use [ ‘all’ ] cpu’s, with detect-ratio
set to .5 and 1 respectively. <o:p id="yui_3_16_0_1_1456158282000_3541" class=""></o:p></div><div class="" id="yui_3_16_0_1_1456158282000_3543">(all are only outputting eve.json)<o:p id="yui_3_16_0_1_1456158282000_3545" class=""></o:p></div><div class="" id="yui_3_16_0_1_1456158282000_3547"><o:p id="yui_3_16_0_1_1456158282000_3549" class=""> </o:p></div><div class="" id="yui_3_16_0_1_1456158282000_3551">I ran them against 3 pcaps of sizes roughly 100GB, 200GB, and
400GB, and tallied the alert counts, outputting any that were not the same across
the board. <o:p id="yui_3_16_0_1_1456158282000_3553" class=""></o:p></div><div class="" id="yui_3_16_0_1_1456158282000_3555"><o:p id="yui_3_16_0_1_1456158282000_3557" class=""> </o:p></div><div class="" id="yui_3_16_0_1_1456158282000_3559">100 GB pcap<o:p id="yui_3_16_0_1_1456158282000_3561" class=""></o:p></div><div class="" id="yui_3_16_0_1_1456158282000_3563"> sid yaml1 yaml2 th1 th2<o:p id="yui_3_16_0_1_1456158282000_3565" class=""></o:p></div><div class="" id="yui_3_16_0_1_1456158282000_3567">2001805 : 139 137 137 137<o:p id="yui_3_16_0_1_1456158282000_3569" class=""></o:p></div><div class="" id="yui_3_16_0_1_1456158282000_3571">12037 : 1 - - -<o:p id="yui_3_16_0_1_1456158282000_3573" class=""></o:p></div><div class="" id="yui_3_16_0_1_1456158282000_3575">2101633 : 132
129 129 129<o:p id="yui_3_16_0_1_1456158282000_3577" class=""></o:p></div><div class="" id="yui_3_16_0_1_1456158282000_3579"><o:p id="yui_3_16_0_1_1456158282000_3581" class=""> </o:p></div><div class="" id="yui_3_16_0_1_1456158282000_3583">200 GB pcap<o:p id="yui_3_16_0_1_1456158282000_3585" class=""></o:p></div><div class="" id="yui_3_16_0_1_1456158282000_3587">2009375 : 91134 91127 91119 91122<o:p id="yui_3_16_0_1_1456158282000_3589" class=""></o:p></div><div class="" id="yui_3_16_0_1_1456158282000_3591">2010935 : 657
657 662 657<o:p id="yui_3_16_0_1_1456158282000_3593" class=""></o:p></div><div class="" id="yui_3_16_0_1_1456158282000_3595"><o:p id="yui_3_16_0_1_1456158282000_3597" class=""> </o:p></div><div class="" id="yui_3_16_0_1_1456158282000_3599">400 GB pcap<o:p id="yui_3_16_0_1_1456158282000_3601" class=""></o:p></div><div class="" id="yui_3_16_0_1_1456158282000_3603">2001805 : 96 96 96 99<o:p id="yui_3_16_0_1_1456158282000_3605" class=""></o:p></div><div class="" id="yui_3_16_0_1_1456158282000_3607">2010935 : 818
818 880 818<o:p id="yui_3_16_0_1_1456158282000_3609" class=""></o:p></div><div class="" id="yui_3_16_0_1_1456158282000_3611">2010937 : 160
160 192 160<o:p id="yui_3_16_0_1_1456158282000_3613" class=""></o:p></div><div class="" id="yui_3_16_0_1_1456158282000_3615">2101633 : 138
136 138 137<o:p id="yui_3_16_0_1_1456158282000_3617" class=""></o:p></div><div class="" id="yui_3_16_0_1_1456158282000_3619"><o:p id="yui_3_16_0_1_1456158282000_3621" class=""> </o:p></div><div class="" id="yui_3_16_0_1_1456158282000_3623">They are mostly the same rules in common misbehaving. They
are listed below.<o:p id="yui_3_16_0_1_1456158282000_3625" class=""></o:p></div><div class="" id="yui_3_16_0_1_1456158282000_3627"><o:p id="yui_3_16_0_1_1456158282000_3629" class=""> </o:p></div><div class="" id="yui_3_16_0_1_1456158282000_3631">emerging-chat.rules:alert tcp $HOME_NET any <> $EXTERNAL_NET
any (msg:"ET CHAT ICQ Message"; flow: established;
content:"|2A02|"; depth: 2; content:"|000400060000|";
offset: 6; depth: 6; reference:url,doc.emergingthreats.net/2001805;
classtype:policy-violation; sid:2001805; rev:5;)<o:p id="yui_3_16_0_1_1456158282000_3633" class=""></o:p></div><div class="" id="yui_3_16_0_1_1456158282000_3635"><o:p id="yui_3_16_0_1_1456158282000_3637" class=""> </o:p></div><div class="" id="yui_3_16_0_1_1456158282000_3639">content-replace.rules:alert tcp $EXTERNAL_NET any ->
$HOME_NET any (msg:"CONTENT-REPLACE AIM deny in-bound file transfer
attempts"; flow:to_client,established; content:"*|02|"; depth:2;
content:"|00 04 00 07|"; within:8; distance:4; content:"|09|F|13|CL|7F
11 D1 82 22|DEST|00|"; content:"DEST"; distance:-5;
replace:"XXXX"; byte_test:2,=,0,-24,relative;
classtype:policy-violation; sid:12037; rev:3;)<o:p id="yui_3_16_0_1_1456158282000_3641" class=""></o:p></div><div class="" id="yui_3_16_0_1_1456158282000_3643"><o:p id="yui_3_16_0_1_1456158282000_3645" class=""> </o:p></div><div class="" id="yui_3_16_0_1_1456158282000_3647">emerging-chat.rules:alert tcp $AIM_SERVERS any ->
$HOME_NET any (msg:"GPL CHAT AIM receive message"; flow:to_client;
content:"*|02|"; depth:2; content:"|00 04 00 07|"; depth:4;
offset:6; classtype:policy-violation; sid:2101633; rev:7;)<o:p id="yui_3_16_0_1_1456158282000_3649" class=""></o:p></div><div class="" id="yui_3_16_0_1_1456158282000_3651"><o:p id="yui_3_16_0_1_1456158282000_3653" class=""> </o:p></div><div class="" id="yui_3_16_0_1_1456158282000_3655">emerging-chat.rules:alert tcp $HOME_NET any <>
$EXTERNAL_NET any (msg:"ET CHAT General MSN Chat Activity"; flow:
established; content:"Content-Type|3A|"; http_header;
content:"application/x-msn-messenger"; http_header;
reference:url,www.hypothetic.org/docs/msn/general/http_examples.php;
reference:url,doc.emergingthreats.net/2009375; classtype:policy-violation;
sid:2009375; rev:3;)<o:p id="yui_3_16_0_1_1456158282000_3657" class=""></o:p></div><div class="" id="yui_3_16_0_1_1456158282000_3659"><o:p id="yui_3_16_0_1_1456158282000_3661" class=""> </o:p></div><div class="" id="yui_3_16_0_1_1456158282000_3663">emerging-policy.rules:alert tcp $EXTERNAL_NET any ->
$HOME_NET 1433 (msg:"ET POLICY Suspicious inbound to MSSQL port 1433";
flow:to_server; flags:S; threshold: type limit, count 5, seconds 60, track
by_src; reference:url,doc.emergingthreats.net/2010935; classtype:bad-unknown;
sid:2010935; rev:2;)<o:p id="yui_3_16_0_1_1456158282000_3665" class=""></o:p></div><div class="" id="yui_3_16_0_1_1456158282000_3667"><o:p id="yui_3_16_0_1_1456158282000_3669" class=""> </o:p></div><div class="" id="yui_3_16_0_1_1456158282000_3671">emerging-policy.rules:alert tcp $EXTERNAL_NET any ->
$HOME_NET 3306 (msg:"ET POLICY Suspicious inbound to mySQL port
3306"; flow:to_server; flags:S; threshold: type limit, count 5, seconds
60, track by_src; reference:url,doc.emergingthreats.net/2010937;
classtype:bad-unknown; sid:2010937; rev:2;)<o:p id="yui_3_16_0_1_1456158282000_3673" class=""></o:p></div><div class="" id="yui_3_16_0_1_1456158282000_3675"><o:p id="yui_3_16_0_1_1456158282000_3677" class=""> </o:p></div><div class="" id="yui_3_16_0_1_1456158282000_3679"><o:p id="yui_3_16_0_1_1456158282000_3681" class=""> </o:p></div><div class="" id="yui_3_16_0_1_1456158282000_3683">This may be a different issue, but I have looked into 12037,
which is very similar to 2101633 but with added replace and byte_test keywords,
and think it might be a false positive. From carving out the ip’s involved with
it from the pcap and running Suricata on that alone it hits that one alert
about 50% of the time. I ran it once with alert-debug output and found the
packet it’s supposedly alerting on and cannot find the byte pattern that would
match to it. <o:p id="yui_3_16_0_1_1456158282000_3685" class=""></o:p></div><div class="" id="yui_3_16_0_1_1456158282000_3687"><o:p id="yui_3_16_0_1_1456158282000_3689" class=""> </o:p></div><div class="" id="yui_3_16_0_1_1456158282000_3691">Debug output regarding sid 12037:<o:p id="yui_3_16_0_1_1456158282000_3693" class=""></o:p></div><div class="" id="yui_3_16_0_1_1456158282000_3695">STREAM DATA:<o:p id="yui_3_16_0_1_1456158282000_3697" class=""></o:p></div><div class="" id="yui_3_16_0_1_1456158282000_3699">. . .<o:p id="yui_3_16_0_1_1456158282000_3701" class=""></o:p></div><div class="" id="yui_3_16_0_1_1456158282000_3703">0030 02 00 01 00 05 00 04 47 BB 2B AC 00 0D 00 50 09 .......G .+....P.<o:p id="yui_3_16_0_1_1456158282000_3705" class=""></o:p></div><div class="" id="yui_3_16_0_1_1456158282000_3707"> 0040 46 13 43 4C 7F 11 D1 82 22 44 45 53 54 00 00 09 F.CL.... "DEST...<o:p id="yui_3_16_0_1_1456158282000_3709" class=""></o:p></div><div class="" id="yui_3_16_0_1_1456158282000_3711">. . . <o:p id="yui_3_16_0_1_1456158282000_3713" class=""></o:p></div><div class="" id="yui_3_16_0_1_1456158282000_3715">0160 06 00 04 10 02 00 01 00 0D 00 50 09 46 13 43 4C ........ ..P.F.CL<o:p id="yui_3_16_0_1_1456158282000_3717" class=""></o:p></div><div class="" id="yui_3_16_0_1_1456158282000_3719"> 0170 7F 11
D1 82 22 44 45 53 54 00 00 09 46 13 45
4C ...."DES T...F.EL<o:p id="yui_3_16_0_1_1456158282000_3721" class=""></o:p></div><div class="" id="yui_3_16_0_1_1456158282000_3723"><o:p id="yui_3_16_0_1_1456158282000_3725" class=""> </o:p></div><div class="" id="yui_3_16_0_1_1456158282000_3727">It is my understanding that byte_test is looking for 00 00,
24 bytes before 53 54 (because of content match “DEST” and “relative” keyword),
but there is 00 04 in both. <o:p id="yui_3_16_0_1_1456158282000_3729" class=""></o:p></div><div class="" id="yui_3_16_0_1_1456158282000_3731"><o:p id="yui_3_16_0_1_1456158282000_3733" class=""> </o:p></div><div class="" id="yui_3_16_0_1_1456158282000_3735">Please let me know if you have any insight as to what is
going on. I would greatly appreciate it.<o:p id="yui_3_16_0_1_1456158282000_3737" class=""></o:p></div><div class="" id="yui_3_16_0_1_1456158282000_3739"><o:p id="yui_3_16_0_1_1456158282000_3741" class=""> </o:p></div><div class="" id="yui_3_16_0_1_1456158282000_3743">Thank you,<o:p id="yui_3_16_0_1_1456158282000_3745" class=""></o:p></div><div id="yui_3_16_0_1_1456158282000_2717">
</div><div class="" dir="ltr" id="yui_3_16_0_1_1456158282000_3747">Derek<o:p id="yui_3_16_0_1_1456158282000_3749" class=""></o:p></div></div></body></html>