<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<div>Good afternoon,</div>
<div><br>
</div>
<div>I have a strange behavior with a Suricata deployment and I am
not able to fix it. </div>
<div><br>
</div>
<div>As written below, no payload is being generated in the unified
file for the match of this specific rule, but despite this fact it is
working correctly with other rules:</div>
<div>You can see two examples, the first one with the wrong behavior
and the second one with the right one:</div>
<div><br>
</div>
<div><br>
</div>
<div><b>FIRST EXAMPLE (we are not being given the "if:..." in the
rule) </b></div>
<div><br>
</div>
<div>(Event)</div>
<div> sensor id: 0 event id: 453859 event second:
1537902695 event microsecond: 9232</div>
<div> sig id: 42110 gen id: 1 revision: 1
classification: 12</div>
<div> priority: 1 ip source: XXX.XXX.XXX.XXX ip
destination: XXX.XXX.XXX.XXX</div>
<div> src port: 60875 dest port: 80 protocol: 6
impact_flag: 0 blocked: 0</div>
<div><br>
</div>
<div>Packet</div>
<div> sensor id: 0 event id: 453859 event second:
1537902695</div>
<div> packet second: 1537902695 packet microsecond:
9232</div>
<div> linktype: 12 packet_length: 40</div>
<div>[ 0] 45 00 00 28 00 00 00 00 40 06 DE F2 2F 64 1E B3
E..(....@.../d..</div>
<div>[ 16] D4 80 79 46 ED CB 00 50 AF 40 4A 0F 20 75 F3 BF
..yF...P.@J. u..</div>
<div>[ 32] 50 10 0A 00 0E 56 00 00
P....V..</div>
<div><br>
</div>
<div>(Event)</div>
<div> sensor id: 0 event id: 453860 event second:
1537902695 event microsecond: 9232</div>
<div> sig id: 2024107 gen id: 1 revision: 2
classification: 9</div>
<div> priority: 1 ip source: XXX.XXX.XXX.XXX ip
destination: XXX.XXX.XXX.XXX</div>
<div> src port: 60875 dest port: 80 protocol: 6
impact_flag: 0 blocked: 0</div>
<div><br>
</div>
<div>Packet</div>
<div> sensor id: 0 event id: 453860 event second:
1537902695</div>
<div> packet second: 1537902695 packet microsecond:
9232</div>
<div> linktype: 12 packet_length: 40</div>
<div>[ 0] 45 00 00 28 00 00 00 00 40 06 DE F2 2F 64 1E B3
E..(....@.../d..</div>
<div>[ 16] D4 80 79 46 ED CB 00 50 AF 40 4A 0F 20 75 F3 BF
..yF...P.@J. u..</div>
<div>[ 32] 50 10 0A 00 0E 56 00 00
P....V..</div>
<div><br>
</div>
<div><br>
</div>
<div><b>SECOND EXAMPLE (the if: generated can be observed in the
rule match)</b></div>
<div><b><br>
</b></div>
<div>(Event)</div>
<div> sensor id: 0 event id: 11162 event second:
1537926001 event microsecond: 822266</div>
<div> sig id: 42110 gen id: 1 revision: 1
classification: 12</div>
<div> priority: 1 ip source: XXX.XXX.XXX.XXX ip
destination: XXX.XXX.XXX.XXX</div>
<div> src port: 61075 dest port: 80 protocol: 6
impact_flag: 0 blocked: 0</div>
<div><br>
</div>
<div>Packet</div>
<div> sensor id: 0 event id: 11162 event second:
1537926001</div>
<div> packet second: 1537926001 packet microsecond:
822266</div>
<div> linktype: 1 packet_length: 1514</div>
<div>[ 0] 00 00 00 00 00 00 00 00 00 00 00 00 08 00 45 00
..............E.</div>
<div>[ 16] 05 DC 00 00 00 00 00 06 BC 64 67 4C 55 CF D4 80
.........dgLU...</div>
<div>[ 32] 67 1C EE 93 00 50 00 00 00 00 00 00 00 00 50 00
g....P........P.</div>
<div>[ 48] 00 00 BA 20 00 00 50 52 4F 50 46 49 4E 44 20 2F ...
..PROPFIND /</div>
<div>[ 64] 20 48 54 54 50 2F 31 2E 31 0D 0A 48 6F 73 74 3A
HTTP/1.1..Host:</div>
<div>[ 80] 20 6C 6F 63 61 6C 68 6F 73 74 0D 0A 43 6F 6E 6E
localhost..Conn</div>
<div>[ 96] 65 63 74 69 6F 6E 3A 20 43 6C 6F 73 65 0D 0A 43
ection: Close..C</div>
<div>[ 112] 6F 6E 74 65 6E 74 2D 4C 65 6E 67 74 68 3A 20 30
ontent-Length: 0</div>
<div>[ 128] 0D 0A 49 66 3A 20 3C 68 74 74 70 3A 2F 2F 6C 6F ..<b>If:
</b>&lt;http://lo</div>
<div>[ 144] 63 61 6C 68 6F 73 74 2F 61 61 61 61 61 61 61 E6
calhost/aaaaaaa.</div>
<div>[ 160] BD A8 E7 A1 A3 E7 9D A1 E7 84 B3 E6 A4 B6 E4 9D
................</div>
<div>[ 176] B2 E7 A8 B9 E4 AD B7 E4 BD B0 E7 95 93 E7 A9 8F
................</div>
<div>[ 192] E4 A1 A8 E5 99 A3 E6 B5 94 E6 A1 85 E3 A5 93 E5
................</div>
<div>[ 208] 81 AC E5 95 A7 E6 9D A3 E3 8D A4 E4 98 B0 E7 A1
................</div>
<div>[ 224] 85 E6 A5 92 E5 90 B1 E4 B1 98 E6 A9 91 E7 89 81
................</div>
<div>.</div>
<div>.</div>
<div>.</div>
<div>.</div>
<div><br>
</div>
<div>(Event)</div>
<div> sensor id: 0 event id: 11163 event second:
1537926001 event microsecond: 822266</div>
<div> sig id: 2024107 gen id: 1 revision: 2
classification: 9</div>
<div> priority: 1 ip source: XXX.XXX.XXX.XXX ip
destination: XXX.XXX.XXX.XXX</div>
<div> src port: 61075 dest port: 80 protocol: 6
impact_flag: 0 blocked: 0</div>
<div><br>
</div>
<div>Packet</div>
<div> sensor id: 0 event id: 11163 event second:
1537926001</div>
<div> packet second: 1537926001 packet microsecond:
822266</div>
<div> linktype: 1 packet_length: 1514</div>
<div>[ 0] 00 00 00 00 00 00 00 00 00 00 00 00 08 00 45 00
..............E.</div>
<div>[ 16] 05 DC 00 00 00 00 00 06 BC 64 67 4C 55 CF D4 80
.........dgLU...</div>
<div>[ 32] 67 1C EE 93 00 50 00 00 00 00 00 00 00 00 50 00
g....P........P.</div>
<div>[ 48] 00 00 BA 20 00 00 50 52 4F 50 46 49 4E 44 20 2F ...
..PROPFIND /</div>
<div>[ 64] 20 48 54 54 50 2F 31 2E 31 0D 0A 48 6F 73 74 3A
HTTP/1.1..Host:</div>
<div>[ 80] 20 6C 6F 63 61 6C 68 6F 73 74 0D 0A 43 6F 6E 6E
localhost..Conn</div>
<div>[ 96] 65 63 74 69 6F 6E 3A 20 43 6C 6F 73 65 0D 0A 43
ection: Close..C</div>
<div>[ 112] 6F 6E 74 65 6E 74 2D 4C 65 6E 67 74 68 3A 20 30
ontent-Length: 0</div>
<div>[ 128] 0D 0A 49 66 3A 20 3C 68 74 74 70 3A 2F 2F 6C 6F ..If:
&lt;http://lo</div>
<div>[ 144] 63 61 6C 68 6F 73 74 2F 61 61 61 61 61 61 61 E6
calhost/aaaaaaa.</div>
<div>[ 160] BD A8 E7 A1 A3 E7 9D A1 E7 84 B3 E6 A4 B6 E4 9D
................</div>
<div>[ 176] B2 E7 A8 B9 E4 AD B7 E4 BD B0 E7 95 93 E7 A9 8F
................</div>
<div>[ 192] E4 A1 A8 E5 99 A3 E6 B5 94 E6 A1 85 E3 A5 93 E5
................</div>
<div>[ 208] 81 AC E5 95 A7 E6 9D A3 E3 8D A4 E4 98 B0 E7 A1
................</div>
<div>[ 224] 85 E6 A5 92 E5 90 B1 E4 B1 98 E6 A9 91 E7 89 81
................</div>
<div>[ 240] E4 88 B1 E7 80 B5 E5 A1 90 E3 99 A4 E6 B1 87 E3
................</div>
<div>.</div>
<div>.</div>
<div>.</div>
<div><br>
</div>
<div>The rule matches we are being given are the following two
(the first one is the one from the right example and the second one is
the incorrectly generated example):</div>
<div><br>
</div>
<div>alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS
(msg:"SERVER-WEBAPP Microsoft IIS ScStoragePathFromUrl function
buffer overflow attempt"; flow:to_server,established;
content:"PROPFIND"; http_method; content:"If:"; fast_pattern;
http_header; isdataat:500; content:!"|0D 0A|"; within:500;
http_header; metadata:service http; reference:bugtraq,97127;
reference:cve,2017-7269; classtype:attempted-admin; sid:42110;
rev:1;)</div>
<div><br>
</div>
<div>alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any
(msg:"BROWSER-PLUGINS Microsoft Internet Explorer DDS Library
Shape Control ActiveX object access"; flow:to_client,established;
file_data; content:"EC444CB6-3E7E-4865-B1C3-0DE72EF39B3F";
fast_pattern:only;
pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*EC444CB6-3E7E-4865-B1C3-0DE72EF39B3F/si";
metadata:service http; reference:cve,2005-2127;
reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-052;
classtype:attempted-user; sid:4211; rev:15;)</div>
<div><br>
</div>
<div><br>
</div>
<div>Regards</div>
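<div>As an added check (not code from the original post), the following Python rebuilds the raw bytes from the hex column of the two packet records above (the second one cut to its headers plus the start of the PROPFIND line), decodes the IPv4 and TCP headers and reports how much TCP payload each logged record actually carries; the linktype and packet_length values are the ones printed in each record.</div>

```python
import re
import struct

# Hex-dump lines copied from the two packet records in the post; the second
# dump is truncated to the first four lines (headers plus start of payload).
DUMP_FIRST = """\
[ 0] 45 00 00 28 00 00 00 00 40 06 DE F2 2F 64 1E B3 E..(....@.../d..
[ 16] D4 80 79 46 ED CB 00 50 AF 40 4A 0F 20 75 F3 BF ..yF...P.@J. u..
[ 32] 50 10 0A 00 0E 56 00 00 P....V..
"""
DUMP_SECOND = """\
[ 0] 00 00 00 00 00 00 00 00 00 00 00 00 08 00 45 00 ..............E.
[ 16] 05 DC 00 00 00 00 00 06 BC 64 67 4C 55 CF D4 80 .........dgLU...
[ 32] 67 1C EE 93 00 50 00 00 00 00 00 00 00 00 50 00 g....P........P.
[ 48] 00 00 BA 20 00 00 50 52 4F 50 46 49 4E 44 20 2F ... ..PROPFIND /
"""

# "[ off]" followed by at most 16 upper-case hex pairs; the ASCII column
# that follows is ignored (the 16-pair cap keeps it from being read as hex).
HEX_LINE = re.compile(r"^\[\s*\d+\]\s+((?:[0-9A-F]{2}\s){1,16})")


def dump_to_bytes(dump: str) -> bytes:
    """Rebuild raw packet bytes from the hex column of a u2spewfoo-style dump."""
    out = bytearray()
    for line in dump.splitlines():
        m = HEX_LINE.match(line)
        if m:
            out += bytes.fromhex("".join(m.group(1).split()))
    return bytes(out)


def describe_tcp_packet(raw: bytes, linktype: int, packet_length: int) -> dict:
    """Decode IPv4/TCP headers; linktype 1 = Ethernet (14-byte header), 12 = raw IPv4."""
    ip_off = 14 if linktype == 1 else 0
    ihl = (raw[ip_off] & 0x0F) * 4
    total_len, ttl, proto = struct.unpack_from("!H4xBB", raw, ip_off + 2)
    if proto != 6:
        raise ValueError("not a TCP packet")
    tcp_off = ip_off + ihl
    sport, dport, seq, ack, doff_byte, flags = struct.unpack_from("!HHIIBB", raw, tcp_off)
    doff = (doff_byte >> 4) * 4
    return {"ip_total_len": total_len, "ttl": ttl, "sport": sport, "dport": dport,
            "seq": seq, "ack": ack, "flags": flags,
            "payload_len": packet_length - ip_off - ihl - doff}


if __name__ == "__main__":
    # First record: a 40-byte raw-IP packet, i.e. a bare ACK with no payload.
    print(describe_tcp_packet(dump_to_bytes(DUMP_FIRST), 12, 40))
    # Second record: 1460 bytes of payload, headers zeroed (TTL 0, seq/ack 0, no flags).
    print(describe_tcp_packet(dump_to_bytes(DUMP_SECOND), 1, 1514))
```

The first record decodes to a plain ACK (flags 0x10, payload length 0), so the unified2 packet record for that match never contained the request at all, while the second record carries 1460 bytes of payload behind zeroed IP/TCP header fields that a packet taken off the wire would not have.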
</body>
</html>