jasonish / py-idstools

idstools: Snort and Suricata Rule and Event Utilities in Python (Including a Rule Update Tool)


Bug: parse multiple metadata tags

sevdog opened this issue · comments

Starting from 08 August 2017 ET is adding new metadata to its rules (as stated here).

This is a big help for developers and analysts, but there are some problems with the rule parser: if there is more than 1 metadata tag in the raw rule, only the last will be kept by the parser. This is because the code does not assume that anyone would use more than 1 metadata tag in each rule (code here).

However, some rules now have 2 metadata tags, i.e.:

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN CryptON/Nemesis/X3M Ransomware Onion Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|yvvu3fqglfceuzfu"; fast_pattern; distance:0; nocase; metadata: former_category TROJAN; reference:url,blog.emsisoft.com/2017/05/01/remove-cry128-ransomware-with-emsisofts-free-decrypter/; reference:url,www.cyber.nj.gov/threat-profiles/ransomware-variants/crypt-on; classtype:trojan-activity; sid:2024525; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Ransomware_Onion_Domain, tag Ransomware, signature_severity Major, created_at 2017_08_08, malware_family Crypton, malware_family Nemesis, performance_impact Low, updated_at 2017_08_08;)

This rule has these metadata:

metadata: former_category TROJAN; 
metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Ransomware_Onion_Domain, tag Ransomware, signature_severity Major, created_at 2017_08_08, malware_family Crypton, malware_family Nemesis, performance_impact Low, updated_at 2017_08_08;

As stated in the SNORT rule manual and in the Suricata sources, metadata is ignored by the IDS/IPS engine. Also, the examples state that a writer can use more than one metadata tag.

The right behaviour would be to append any new metadata list to the existing one.
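The parsing behaviour described in this issue, as an added example that is not part of the issue or of py-idstools itself: a minimal option tokenizer for the rule body (quote-aware, so a `;` inside a `content:"..."` string does not end an option), a `metadata_last_wins` function that reproduces the reported defect, and a `metadata_merged` function that appends every `metadata:` keyword as the issue proposes. The sample rule is the one quoted above; all function names are this example's own.

```python
# Constructed sample: the ET rule quoted in the issue, which carries two metadata keywords.
SAMPLE_RULE = (
    'alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN CryptON/Nemesis/X3M Ransomware Onion Domain"; '
    'content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; '
    'content:"|10|yvvu3fqglfceuzfu"; fast_pattern; distance:0; nocase; '
    'metadata: former_category TROJAN; '
    'reference:url,blog.emsisoft.com/2017/05/01/remove-cry128-ransomware-with-emsisofts-free-decrypter/; '
    'reference:url,www.cyber.nj.gov/threat-profiles/ransomware-variants/crypt-on; '
    'classtype:trojan-activity; sid:2024525; rev:2; '
    'metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, '
    'deployment Perimeter, tag Ransomware_Onion_Domain, tag Ransomware, signature_severity Major, '
    'created_at 2017_08_08, malware_family Crypton, malware_family Nemesis, performance_impact Low, '
    'updated_at 2017_08_08;)'
)


def split_options(rule):
    """Return the (keyword, value) pairs inside the rule's parentheses, in order.

    A ';' inside double quotes (e.g. content:"a;b") does not end an option,
    and a backslash escapes the following character. Flag-style options such
    as 'nocase' or 'fast_pattern' get a value of None.
    """
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    options, buf = [], []
    in_quote = escape = False
    for ch in body:
        if escape:
            buf.append(ch)
            escape = False
        elif ch == "\\":
            buf.append(ch)
            escape = True
        elif ch == '"':
            in_quote = not in_quote
            buf.append(ch)
        elif ch == ";" and not in_quote:
            options.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    tail = "".join(buf).strip()
    if tail:
        options.append(tail)

    pairs = []
    for opt in options:
        if ":" in opt:
            key, value = opt.split(":", 1)
            pairs.append((key.strip(), value.strip()))
        else:
            pairs.append((opt, None))
    return pairs


def metadata_last_wins(rule):
    """Reproduces the reported defect: each metadata keyword replaces the previous one."""
    meta = []
    for key, value in split_options(rule):
        if key == "metadata":
            meta = [m.strip() for m in value.split(",")]
    return meta


def metadata_merged(rule):
    """The behaviour the issue asks for: entries from every metadata keyword are appended."""
    meta = []
    for key, value in split_options(rule):
        if key == "metadata":
            meta.extend(m.strip() for m in value.split(","))
    return meta


def metadata_as_dict(meta):
    """Group 'name value' entries by name; repeated names (tag, malware_family) keep all values."""
    grouped = {}
    for entry in meta:
        name, _, value = entry.partition(" ")
        grouped.setdefault(name, []).append(value)
    return grouped


if __name__ == "__main__":
    print("last wins:", metadata_last_wins(SAMPLE_RULE))   # former_category is lost
    print("merged:   ", metadata_merged(SAMPLE_RULE))      # all 12 entries kept
    print(metadata_as_dict(metadata_merged(SAMPLE_RULE)))
```

Grouping the merged list into a dict of lists rather than a flat dict matters for the same reason: ET repeats names such as `tag` and `malware_family` within a single metadata keyword, so a "last value wins" dict would silently drop entries there too.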

Closing. This was fixed in 0.6.2.