[Oisf-users] Only one alert where multiple rules should hit
Victor Julien
lists at inliniac.net
Tue Nov 18 12:49:37 UTC 2014
On 11/18/2014 12:39 AM, Duane Howard wrote:
> After poking around more, I'm actually convinced that this is not 'one
> alert when multiple should hit' and more like, 'duplicate alerts for
> some reason I don't understand'.
> For example, in a pcap that *should* generate 6 alerts each for ET
> sid:2014636 and my custom signature sid:6000300 I end up with 6 for my
> custom signature, and 12 for the ET one. I see this in reverse in some
> other situations (custom one generates twice as many as the ET one, or
> similar).
>
> I can provide a pcap and discuss in more detail off list if required.
> Here's some output from fast.log, I've highlighted two examples of the
> sessions that are triggering twice, for a session, but it applies to all
> of them:
Feel free to send rules, pcap and yaml off list and I will have a look
as soon as I can.
Cheers,
Victor
> 11/14/2014-19:16:32.504795 [**] [1:2014636:3] ET TROJAN Backdoor.Win32/Poison.BI [**] [Classification: A Network Trojan was Detected] [Priority: 1] {TCP} 172.18.146.177:28902 -> 222.173.114.183:8000
> 11/14/2014-19:16:32.505110 [**] [1:2014636:3] ET TROJAN Backdoor.Win32/Poison.BI [**] [Classification: A Network Trojan was Detected] [Priority: 1] {TCP} 172.18.64.119:57347 -> 222.173.153.246:8000
> 11/14/2014-19:16:32.504636 [**] [1:2014636:3] ET TROJAN Backdoor.Win32/Poison.BI [**] [Classification: A Network Trojan was Detected] [Priority: 1] {TCP} 172.26.130.134:12970 -> 222.173.21.225:8000
> 11/14/2014-19:16:32.504951 [**] [1:2014636:3] ET TROJAN Backdoor.Win32/Poison.BI [**] [Classification: A Network Trojan was Detected] [Priority: 1] {TCP} 172.29.155.57:20046 -> 222.173.107.190:8000
> 11/14/2014-19:16:32.504473 [**] [1:2014636:3] ET TROJAN Backdoor.Win32/Poison.BI [**] [Classification: A Network Trojan was Detected] [Priority: 1] {TCP} 172.31.5.222:62805 -> 222.173.45.128:8000
> 11/14/2014-19:16:32.505268 [**] [1:2014636:3] ET TROJAN Backdoor.Win32/Poison.BI [**] [Classification: A Network Trojan was Detected] [Priority: 1] {TCP} 172.27.217.69:12308 -> 222.173.182.193:8000
>
> 11/14/2014-19:16:32.505619 [**] [1:2014636:3] ET TROJAN Backdoor.Win32/Poison.BI [**] [Classification: A Network Trojan was Detected] [Priority: 1] {TCP} 172.26.130.134:12970 -> 222.173.21.225:8000
> 11/14/2014-19:16:32.505619 [**] [1:6000300:1] MY OTHER RULE NAME [**] [Classification: A Network Trojan was Detected] [Priority: 1] {TCP} 172.26.130.134:12970 -> 222.173.21.225:8000
>
> 11/14/2014-19:16:32.505619 [**] [1:2014636:3] ET TROJAN Backdoor.Win32/Poison.BI [**] [Classification: A Network Trojan was Detected] [Priority: 1] {TCP} 172.18.64.119:57347 -> 222.173.153.246:8000
> 11/14/2014-19:16:32.505619 [**] [1:6000300:1] MY OTHER RULE NAME [**] [Classification: A Network Trojan was Detected] [Priority: 1] {TCP} 172.18.64.119:57347 -> 222.173.153.246:8000
>
> 11/14/2014-19:16:32.505619 [**] [1:2014636:3] ET TROJAN Backdoor.Win32/Poison.BI [**] [Classification: A Network Trojan was Detected] [Priority: 1] {TCP} 172.29.155.57:20046 -> 222.173.107.190:8000
> 11/14/2014-19:16:32.505619 [**] [1:6000300:1] MY OTHER RULE NAME [**] [Classification: A Network Trojan was Detected] [Priority: 1] {TCP} 172.29.155.57:20046 -> 222.173.107.190:8000
>
> 11/14/2014-19:16:32.505619 [**] [1:2014636:3] ET TROJAN Backdoor.Win32/Poison.BI [**] [Classification: A Network Trojan was Detected] [Priority: 1] {TCP} 172.31.5.222:62805 -> 222.173.45.128:8000
> 11/14/2014-19:16:32.505619 [**] [1:6000300:1] MY OTHER RULE NAME [**] [Classification: A Network Trojan was Detected] [Priority: 1] {TCP} 172.31.5.222:62805 -> 222.173.45.128:8000
>
> 11/14/2014-19:16:32.505619 [**] [1:2014636:3] ET TROJAN Backdoor.Win32/Poison.BI [**] [Classification: A Network Trojan was Detected] [Priority: 1] {TCP} 172.18.146.177:28902 -> 222.173.114.183:8000
> 11/14/2014-19:16:32.505619 [**] [1:6000300:1] MY OTHER RULE NAME [**] [Classification: A Network Trojan was Detected] [Priority: 1] {TCP} 172.18.146.177:28902 -> 222.173.114.183:8000
>
> 11/14/2014-19:16:32.505619 [**] [1:2014636:3] ET TROJAN Backdoor.Win32/Poison.BI [**] [Classification: A Network Trojan was Detected] [Priority: 1] {TCP} 172.27.217.69:12308 -> 222.173.182.193:8000
> 11/14/2014-19:16:32.505619 [**] [1:6000300:1] MY OTHER RULE NAME [**] [Classification: A Network Trojan was Detected] [Priority: 1] {TCP} 172.27.217.69:12308 -> 222.173.182.193:8000
>
> ./d
>
> On Mon, Nov 17, 2014 at 3:09 PM, Victor Julien <lists at inliniac.net> wrote:
>
> On 11/17/2014 08:26 PM, Duane Howard wrote:
> > I have a pcap from a sample that I have a few similar rules for, they
> > effectively look for the same content, in slightly different ways (one
> > internal, one from VRT). When I run Snort over the pcap this particular
> > session, I get an alert for each signature in question. When using
> > Suricata I only get an alert from one of these rules. Does Suricata bail
> > on rule comparisons after a single alert occurs?
>
> No. There must be another reason the other rules don't match. What
> happens if you run the rules individually?
>
> The only thing that could cause us to stop inspecting rules prematurely
> is when a 'pass' rule matches.
>
> --
> ---------------------------------------------
> Victor Julien
> http://www.inliniac.net/
> PGP: http://www.inliniac.net/victorjulien.asc
> ---------------------------------------------
>
> _______________________________________________
> Suricata IDS Users mailing list:
> oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support:
> http://suricata-ids.org/support/
> List:
> https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> Training now available: http://suricata-ids.org/training/
>
>
--
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
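The thread above is diagnosed by eye from fast.log. As an added example (not code from the thread, Suricata or the list), here is a small Python checker that parses fast.log lines and counts alerts per sid and per session (proto, src:port, dst:port), so a session that fired the same sid twice, like the ones quoted above, is reported directly instead of being spotted by hand. The sample lines are constructed with documentation addresses; only the sids 2014636 and 6000300 and the line layout come from the thread.

```python
import re
from collections import Counter, defaultdict

# fast.log layout as quoted in the thread:
# <ts> [**] [gid:sid:rev] <msg> [**] [Classification: ...] [Priority: N] {PROTO} SRC:SPORT -> DST:DPORT
FAST_LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+\[Classification:\s*(?P<cls>[^\]]*)\]\s+"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[^\s:]+):(?P<sport>\d+)\s+->\s+(?P<dst>[^\s:]+):(?P<dport>\d+)\s*$"
)

# Constructed sample: one session hit sid 2014636 twice, sid 6000300 once;
# a second session hit each sid exactly once (the expected behaviour).
SAMPLE = """\
11/14/2014-19:16:32.504795 [**] [1:2014636:3] ET TROJAN Backdoor.Win32/Poison.BI [**] [Classification: A Network Trojan was Detected] [Priority: 1] {TCP} 192.0.2.10:28902 -> 198.51.100.5:8000
11/14/2014-19:16:32.505619 [**] [1:2014636:3] ET TROJAN Backdoor.Win32/Poison.BI [**] [Classification: A Network Trojan was Detected] [Priority: 1] {TCP} 192.0.2.10:28902 -> 198.51.100.5:8000
11/14/2014-19:16:32.505619 [**] [1:6000300:1] MY OTHER RULE NAME [**] [Classification: A Network Trojan was Detected] [Priority: 1] {TCP} 192.0.2.10:28902 -> 198.51.100.5:8000
11/14/2014-19:16:32.505700 [**] [1:2014636:3] ET TROJAN Backdoor.Win32/Poison.BI [**] [Classification: A Network Trojan was Detected] [Priority: 1] {TCP} 192.0.2.11:57347 -> 198.51.100.6:8000
11/14/2014-19:16:32.505700 [**] [1:6000300:1] MY OTHER RULE NAME [**] [Classification: A Network Trojan was Detected] [Priority: 1] {TCP} 192.0.2.11:57347 -> 198.51.100.6:8000
""".splitlines()

def parse_fast_log(lines):
    """Yield one dict per well-formed alert line; silently skip anything else."""
    for line in lines:
        m = FAST_LOG_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["sid"] = int(rec["sid"])
            yield rec

def totals_per_sid(lines):
    """Overall alert count per sid (the '6 vs 12' view from the thread)."""
    return dict(Counter(a["sid"] for a in parse_fast_log(lines)))

def alerts_per_session(lines):
    """Alert count keyed by (sid, proto, 'src:sport', 'dst:dport')."""
    counts = Counter()
    for a in parse_fast_log(lines):
        counts[(a["sid"], a["proto"], f'{a["src"]}:{a["sport"]}', f'{a["dst"]}:{a["dport"]}')] += 1
    return counts

def duplicate_sessions(lines):
    """{sid: [(proto, src, dst, n), ...]} for sessions where n > 1."""
    dups = defaultdict(list)
    for (sid, proto, src, dst), n in alerts_per_session(lines).items():
        if n > 1:
            dups[sid].append((proto, src, dst, n))
    return dict(dups)

if __name__ == "__main__":
    print("per sid:", totals_per_sid(SAMPLE))
    for sid, sessions in duplicate_sessions(SAMPLE).items():
        for proto, src, dst, n in sessions:
            print(f"sid {sid} fired {n}x on {proto} {src} -> {dst}")
```

Run it against a real fast.log with `duplicate_sessions(open("fast.log"))`; sessions listed for a sid are the ones to compare against the pcap and the rule's flow/content options.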