Suricata rules with "flowbits:noalert" are blocked (false positive) #3386

Closed
xiic opened this issue Apr 5, 2019 · 6 comments


xiic commented Apr 5, 2019

I've enabled the Suricata rule "emerging-trojan" and enabled "Change all alerts to drop actions".

This triggers a lot of false positives. It looks like I'm not the only one with this problem (https://forum.opnsense.org/index.php?topic=10198).
The offending rule is for example ID 2022317:
https://doc.emergingthreats.net/bin/view/Main/2022317

The rule specifies "flowbits:noalert". If I understand the folks at PT Research/EmergingThreats correctly, a rule with flowbits:noalert should not trigger an alert and should not be blocked (ptresearch/AttackDetection#7).

The Suricata docs suggest the same:
https://suricata.readthedocs.io/en/suricata-4.1.2/rules/flow-keywords.html

flowbits: noalert
No alert will be generated by this rule.

Expected behavior
No alert or block should be triggered if flowbits:noalert is set.

Environment
OPNsense 19.1.4-amd64
FreeBSD 11.2-RELEASE-p9-HBSD
Suricata version 4.1.3 RELEASE

@AdSchellevis (Member)

Just to be very sure, when changing this rule to alert you're not receiving events?
The rule in question is:

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Zbot download config - SET"; flow:established,to_server; content:"GET"; http_method; content:".dat"; http_uri; content:!"Content-Type|3a|"; http_header; content:!"Referer"; http_header; pcre:"/\.dat$/U"; flowbits:set,ET.zbot.dat; flowbits:noalert; classtype:trojan-activity; sid:2022317; rev:2; metadata:created_at 2015_12_30, updated_at 2015_12_30;)

If it only happens on drops, we could probably just filter those out and leave them default.

@AdSchellevis (Member)

6de0048 should leave the noalert flowbits as is, to test:

opnsense-patch 6de0048
rm /usr/local/etc/suricata/rules/emerging-trojan.rules

And download again.
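The filtering described in the two comments above (convert alert rules to drop, but leave rules carrying flowbits:noalert untouched), as an added illustration; this is not OPNsense's own code from 6de0048, whose implementation is not shown here. The sample rules file is constructed: the first rule is modeled on sid:2022317 quoted above, the other two are hypothetical.

```python
import re

# Constructed sample rules file (not the real emerging-trojan.rules). Rule 1 is
# modeled on sid:2022317 quoted above; rules 2 and 3 are hypothetical.
SAMPLE_RULES = """\
# ET TROJAN sample rules (constructed)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Zbot download config - SET"; flow:established,to_server; content:"GET"; http_method; content:".dat"; http_uri; flowbits:set,ET.zbot.dat; flowbits:noalert; classtype:trojan-activity; sid:2022317; rev:2;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"HYPOTHETICAL Zbot config response"; flow:established,to_client; flowbits:isset,ET.zbot.dat; classtype:trojan-activity; sid:9000001; rev:1;)
#alert tcp any any -> any any (msg:"HYPOTHETICAL disabled rule"; sid:9000002; rev:1;)
"""

# A rule that only sets state and asks Suricata not to alert on its own match.
NOALERT_RE = re.compile(r"flowbits\s*:\s*noalert\s*;")
# The action keyword at the start of an enabled (uncommented) rule.
ACTION_RE = re.compile(r"^(\s*)alert\b")


def alert_to_drop(line: str) -> str:
    """Rewrite one rule line from 'alert' to 'drop'.

    Rules carrying flowbits:noalert exist only to set a flowbit for a later
    rule; dropping on them is what produced the false positives in this issue,
    so they are left exactly as written. Comments and blank lines pass through.
    """
    if NOALERT_RE.search(line):
        return line
    return ACTION_RE.sub(r"\1drop", line, count=1)


def convert_rules(text: str) -> str:
    """Apply alert_to_drop to every line of a rules file."""
    return "".join(alert_to_drop(line) + "\n" for line in text.splitlines())


def count_actions(text: str) -> dict:
    """Count enabled rules by action, plus how many were kept because of noalert."""
    counts = {"alert": 0, "drop": 0, "noalert_kept": 0}
    for line in text.splitlines():
        match = re.match(r"^\s*(alert|drop)\b", line)
        if match:
            counts[match.group(1)] += 1
            if NOALERT_RE.search(line):
                counts["noalert_kept"] += 1
    return counts


if __name__ == "__main__":
    converted = convert_rules(SAMPLE_RULES)
    print(converted)
    print(count_actions(converted))
```

Running it against the constructed file leaves sid:2022317 as an alert rule (so Suricata neither alerts nor drops on it) while the ordinary rule becomes a drop.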

xiic commented Apr 5, 2019

Looks good, with the patch everything works as expected. Thank you for the fast fix and the great support!

@fichtner fichtner added the bug Production bug label Apr 5, 2019
@fichtner fichtner added this to the 19.7 milestone Apr 5, 2019
fichtner pushed a commit that referenced this issue Apr 5, 2019
@AdSchellevis (Member)

@xiic thanks for confirming

@Julien-nl

When we choose to change the action from alert to drop, would I see the alert on the Alert page?
After the update I am not seeing the alerts at all.

xiic commented Apr 24, 2019

This patch only applies to rules containing flowbits:noalert; - those rules should neither be blocked nor trigger an alert. Before this patch there were a lot of false positive alerts.

Real dropped actions still trigger an alert on my system.
