[Oisf-users] Inconsistent Alerting

derek_smithg at yahoo.com
Fri Feb 26 15:48:42 UTC 2016


Hello Andreas,
Thanks for replying.  
> How do you run suricata? And can you describe what you expected or what you want to achieve?

I am running it as a non-root user with the -c, -r, -l flags to point to my yaml, pcap, and log directory, and pointing output to a file "> suricata_run 2>&1". I am comparing it and snort so I am trying to figure out why suricata would alert a different number of times when digesting the same traffic.

> Might be worth to test 3.0 :)

I have just started using Suricata 3.0! The new output options are great. Sadly I still got the same issue with alert counts.

> Such big pcaps are rather hard to debug/send. Can you narrow down "strange" behaviour to smaller pcaps that you can also share with us?

I have extracted a smaller pcap with the ip causing the 12037 alert and also get inconsistent counts on 2101633, so it's a good small sample, and I am working on whether I can share it or not. But it may not be necessary. Looking through the yaml more closely I found a setting in the stream section that refers to the inconsistent alerting:

    #     randomize-chunk-size: yes     # Take a random value for chunk size around the specified value.
    #                                   # This lower the risk of some evasion technics but could lead
    #                                   # detection change between runs. It is set to 'yes' by default.

I set this to 'no' and am getting consistent detection on this smaller pcap, without 12037 showing up. I will test it out on the larger ones today. But stemming from the yaml comments above, what evasion techniques are being thwarted by taking random chunk sizes while inspecting the raw stream?

Thank you for your help,
Derek
(Hopefully I replied to this one thread out of the email digest by replacing the subject line with the original. Please correct me if I did not.)
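As an added illustration (not part of the thread and not Suricata's actual reassembly code), here is a toy model of per-chunk raw stream inspection that shows why a randomized chunk size makes the alert count vary between runs while a fixed size gives the same count every run. The stream, the pattern, the jitter and the per-run seeding are all constructed assumptions.

```python
import random

# Constructed sample: a reassembled TCP stream with one signature's content
# sitting at offsets 40..52 (not taken from the thread's pcap).
STREAM = b"A" * 40 + b"evil-pattern" + b"B" * 40
PATTERN = b"evil-pattern"


def inspect_chunks(stream, chunk_size, randomize=False, jitter=0.1, seed=None):
    """Toy model of per-chunk raw stream inspection (assumed, simplified;
    not Suricata's real reassembly code).  The stream is cut into chunks of
    roughly chunk_size bytes and each chunk is matched on its own, so content
    that straddles a chunk boundary is not seen by the matcher.  Returns the
    number of chunks in which PATTERN was found, i.e. the alert count."""
    rng = random.Random(seed)
    hits, pos = 0, 0
    while pos < len(stream):
        size = chunk_size
        if randomize:
            # "Take a random value for chunk size around the specified value":
            # jitter the boundary so that where a chunk ends is not predictable
            # from the configuration alone.
            spread = max(1, int(chunk_size * jitter))
            size = rng.randint(chunk_size - spread, chunk_size + spread)
        if PATTERN in stream[pos:pos + size]:
            hits += 1
        pos += size
    return hits


def alert_counts_over_runs(stream, chunk_size, runs, randomize):
    """Alert count per run; each run uses its own RNG seed, like separate
    Suricata invocations on the same pcap would."""
    return [inspect_chunks(stream, chunk_size, randomize, seed=run)
            for run in range(runs)]


if __name__ == "__main__":
    # Fixed chunk size: same boundaries every run, so the count never changes.
    # chunk_size 50 puts the boundary in the middle of the pattern (0 hits),
    # 64 does not (1 hit); either way every run agrees with the others.
    print("fixed 50:", alert_counts_over_runs(STREAM, 50, 10, randomize=False))
    print("fixed 64:", alert_counts_over_runs(STREAM, 64, 10, randomize=False))
    # Randomized: the first boundary lands anywhere in 45..55, so some runs see
    # the whole pattern in one chunk and others split it: counts differ by run.
    print("random 50:", alert_counts_over_runs(STREAM, 50, 10, randomize=True))
```

The fixed-size runs reproduce the "randomize-chunk-size: no" behaviour Derek observed (stable counts, but a boundary that always falls in the same place), while the randomized runs reproduce the run-to-run drift the yaml comment warns about.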




----------------------------------------------------------------------

Message: 1
Date: Mon, 22 Feb 2016 22:20:46 +0100
From: Andreas Herz <andi at geekosphere.org>
To: oisf-users at lists.openinfosecfoundation.org
Subject: Re: [Oisf-users] Inconsistent Alerting
Message-ID: <20160222212046.GP4767 at kvmbude>
Content-Type: text/plain; charset=utf-8

Hi,

On 22/02/16 at 16:29, derek_smithg at yahoo.com wrote:
> I have been running Suricata against several pcaps with different
> yaml configurations and am seeing the total count of alerts change from
> one run to another, or even with the same yaml but run at a
> different time. Has anyone come across anything similar before?

How do you run suricata?

And can you describe what you expected or what you want to achieve?

>   Suricata-2.0.11

Might be worth to test 3.0 :)

> I ran them against 3 pcaps of sizes roughly 100GB, 200GB, and 400GB,
> and tallied the alert counts, outputting any that were not the same
> across the board.

Such big pcaps are rather hard to debug/send. Can you narrow down
"strange" behaviour to smaller pcaps that you can also share with us?

> This may be a different issue, but I have looked into 12037, which is
> very similar to 2101633 but with added replace and byte_test
> keywords, and think it might be a false positive. From carving out the
> ip's involved with it from the pcap and running Suricata on that alone
> it hits that one alert about 50% of the time. I ran it once with
> alert-debug output and found the packet it's supposedly alerting on and
> cannot find the byte pattern that would match to it.

It would also be helpful to narrow this down to a smaller pcap, so that
we can also inform the ET guys if it's really a false positive.


-- 
Andreas Herz

