[Oisf-users] Discrepancies in Snort and Suricata alerts

Wed Sep 26 06:44:40 UTC 2018

Hello Fatema,

do you have packet kernel drops while those runs? If you don't mind can
you share your stats.log for the Suricata run?

Cheers,

Konstantin

On 25.09.2018 18:05, fatema bannatwala wrote:
> I tried to capture some traffic, but those pcaps aren't triggering any
> alerts in both snort and suricata, have to work on getting some pcap
> with some traffic that would be malicious and could trigger alerts.
> Meanwhile, was looking into the alerts that were triggered in Snort and
> not in Suricata for last 15 minutes on live servers, and did the
> following analysis:
> 
> Example of few alerts triggered in snort but not in suricata: sid:
> 2022813, 2008974, 2009714
> when I looked at the above alert rules defined in ET ruleset for snort
> and ET ruleset for suricata,
> the only major difference found is in the protocol defined in both
> alerts, i.e. :
> 
> suricata alert 2022813 definition: 
> alert *http* $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE
> SearchProtect PUA User-Agent Observed"; flow:established,to_server;
> content:"SearchProtect|3b|"; 
> depth:14; http_user_agent;
> reference:md5,34e2350c2ed6a9a9e9d444102ae4dd87;
> classtype:trojan-activity; sid:2022813; rev:2; metadata:created_at
> 2016_05_17, updated_at 2016_05_17;)
> 
> snort alert 2022813 definition:
> alert *tcp* $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE
> SearchProtect PUA User-Agent Observed"; flow:established,to_server;
> content:"User-Agent|3a 20|SearchProtect|3b|"; 
> fast_pattern; http_header;
> reference:md5,34e2350c2ed6a9a9e9d444102ae4dd87;
> classtype:trojan-activity; sid:2022813; rev:1; metadata:created_at
> 2016_05_17, updated_at 2016_05_17;)
> 
> And from snort alert logs, the packet content that triggered that
> 2022813 alert:
> 
> [1:2022813:1] ET MALWARE SearchProtect PUA User-Agent Observed
> 2018-09-25 11:09:39.337000-04:00 128.164.63.89:51872
> <http://128.164.63.89:51872> -> 54.243.209.194:80 <http://54.243.209.194:80>
> TCP: Data Triggering Snort Rule: POST / HTTP/1.1::~~Content-Type:
> application/json::~~Accept: */*::~~User-Agent:
> SearchProtect;3.0.50.0;Microsoft Windows 7
> Enterprise;SPC0AFF85F-9E31-44AC-8E1C-61C39CDE89DC::~~Host:
> sp-alive-msg.databssint.com::~~Content-Length: 2157::~~Connection:
> Keep-Alive::~~Cache-Control: no-cache::~~::~~
> [Xref => md5 34e2350c2ed6a9a9e9d444102ae4dd87]
> 
> Hence, looking at the contents of the above data triggering log, looks
> like it matches the Suricata rule signature as well, except not sure if
> the protocol detected was actually http or not, and hence Suricata alert
> might not have trigged for the same content.
> Other alerts that weren't triggered in Suricata were also having "http"
> in place of "tcp" in the rule signatures, when compared with snort rule
> signatures. Hence my guess is Suricata isn't able to detect http
> protocol for the same traffic and hence not triggering the alerts.
> 
> Thanks,
> Fatema.

-- 
Konstantin Klinger
Security Content Engineer
Threat Detection & Hunting (TDH)

+49 160 95476260
konstantin.klinger at dcso.de

dcso.de
blog.dcso.de

PGP: 180D C5B3 3C68 5C9A FB58 6F33 400E 5A35 3307 8D46

DCSO Deutsche Cyber-Sicherheitsorganisation GmbH • EUREF-Campus 22 •
10829 Berlin, Germany
Geschäftsführer: Dr.-Ing. Gunnar Siebert, Sitz der Gesellschaft: Berlin,
Amtsgericht Charlottenburg HRB 172382