Rule SID 2064326 “ET INFO Python aiohttp User-Agent Observed Inbound” has conflicting severity indicators, causing false positives in downstream security tools.
This rule has:
- severity: 1 in Suricata alert output (critical)
- signature_severity: Informational in metadata
- Name prefix “ET INFO” (informational alert)
Normal HTTP requests from Python aiohttp clients to my own web server triggered instant IP bans due to severity:1.
ET INFO rules should have severity:2 or severity:3, matching their informational classification.
- Suricata 8.0.2 on Ubuntu 24.04
- ET Open ruleset (updated 2026-01-17 via suricata-update)
If this is the wrong place for bug reports then please redirect me to the proper location.
Hello @Hans2026! In the rule text the severity is informational, as below:
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Python aiohttp User-Agent Observed Inbound"; flow:established,to_server; http.user_agent; content:"python/"; startswith; nocase; content:"aiohttp/"; within:20; nocase; fast_pattern; reference:url,cloud.google.com/blog/topics/threat-intelligence/data-theft-salesforce-instances-via-salesloft-drift; classtype:trojan-activity; sid:2064326; rev:1; metadata:affected_product Web_Server_Applications, attack_target Web_Server, tls_state plaintext, created_at 2025_09_04, deployment Perimeter, performance_impact Low, confidence High, signature_severity Informational, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2025_09_04; target:dest_ip;)
Are you doing perhaps some pre or post-processing of the rules, or is a tool interpreting the severity incorrectly?
Hi rgonzales/ET Team,
That looks to be the case indeed. I feed this to Suricata and it assigns alert severity from the classtype, not from signature_severity in metadata.
This rule has: classtype:trojan-activity
In Suricata’s default classification.config, trojan-activity maps to priority 1:
config classification: trojan-activity,A Network Trojan was detected,1
So when Suricata writes to eve.json, the alert gets “severity”: 1, regardless of what signature_severity says in metadata.
And next CrowdSec acts on the severity field, not the metadata.
Should the classtype perhaps be misc-activity (priority 3) instead of trojan-activity for an ET INFO rule? I think most Python aiohttp is legitimate traffic, not a trojan.
– Hans
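The mismatch Hans describes (eve.json severity taken from the classtype's priority in classification.config, while signature_severity in metadata is never consulted) can be checked mechanically across a ruleset. The following script is an added example for this thread, not code from Emerging Threats or Suricata. It assumes Suricata's documented precedence (an explicit `priority:` keyword overrides the classtype priority, and a rule with no usable classtype falls back to priority 3); the classification.config excerpt is constructed, the first rule is SID 2064326 as quoted above, the second rule is a constructed variant with the misc-activity classtype Hans proposes, and the conflict criterion ("labelled informational but would alert at severity 1") follows Hans's reasoning rather than any ET policy.

```python
"""Check Suricata rules for a classtype-derived severity that contradicts the
signature_severity hint in metadata. Added example; not ET or Suricata code."""
import re

# Constructed excerpt in the format of Suricata's classification.config:
# config classification: shortname,description,priority (1 = highest).
CLASSIFICATION_CONFIG = """\
config classification: trojan-activity,A Network Trojan was detected,1
config classification: misc-activity,Misc activity,3
config classification: not-suspicious,Not Suspicious Traffic,3
"""

# First rule: SID 2064326 as quoted in the thread. Second rule: constructed
# contrast case using the misc-activity classtype.
RULES = """\
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Python aiohttp User-Agent Observed Inbound"; flow:established,to_server; http.user_agent; content:"python/"; startswith; nocase; content:"aiohttp/"; within:20; nocase; fast_pattern; reference:url,cloud.google.com/blog/topics/threat-intelligence/data-theft-salesforce-instances-via-salesloft-drift; classtype:trojan-activity; sid:2064326; rev:1; metadata:affected_product Web_Server_Applications, attack_target Web_Server, tls_state plaintext, created_at 2025_09_04, deployment Perimeter, performance_impact Low, confidence High, signature_severity Informational, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2025_09_04; target:dest_ip;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Constructed example with misc-activity classtype"; flow:established,to_server; http.user_agent; content:"python/"; startswith; nocase; classtype:misc-activity; sid:9000001; rev:1; metadata:signature_severity Informational;)
"""

CLASS_LINE = re.compile(r"^config classification:\s*([^,]+),[^,]*,(\d+)\s*$")


def parse_classification_config(text):
    """Map classtype short name -> priority, as Suricata reads classification.config."""
    priorities = {}
    for line in text.splitlines():
        m = CLASS_LINE.match(line.strip())
        if m:
            priorities[m.group(1).strip()] = int(m.group(2))
    return priorities


def split_options(body):
    """Split the rule option body on ';' while honouring double-quoted values
    (a backslash-escaped quote inside a value does not close it)."""
    options, current, in_quotes = [], [], False
    for i, ch in enumerate(body):
        if ch == '"' and not (i > 0 and body[i - 1] == "\\"):
            in_quotes = not in_quotes
        if ch == ";" and not in_quotes:
            options.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    tail = "".join(current).strip()
    if tail:
        options.append(tail)
    return [o for o in options if o]


def parse_rule(line):
    """Extract the severity-relevant fields from one Suricata rule line."""
    body = line[line.index("(") + 1 : line.rindex(")")]
    rule = {"msg": "", "classtype": None, "priority": None, "sid": None, "metadata": {}}
    for opt in split_options(body):
        key, _, value = opt.partition(":")
        key, value = key.strip(), value.strip()
        if key == "msg":
            rule["msg"] = value.strip('"')
        elif key == "classtype":
            rule["classtype"] = value
        elif key == "priority":          # explicit keyword overrides the classtype
            rule["priority"] = int(value)
        elif key == "sid":
            rule["sid"] = int(value)
        elif key == "metadata":          # "key value, key value, ..."
            for item in value.split(","):
                k, _, v = item.strip().partition(" ")
                rule["metadata"][k] = v.strip()
    return rule


def effective_severity(rule, priorities, default=3):
    """Severity Suricata writes to eve.json: priority keyword if present, else the
    classtype's priority; the default of 3 for an unknown classtype is an assumption."""
    if rule["priority"] is not None:
        return rule["priority"]
    return priorities.get(rule["classtype"], default)


def find_conflicts(rules_text, priorities):
    """Return (sid, msg, severity, signature_severity) for rules that are labelled
    informational (metadata or "ET INFO" prefix) yet would alert at severity 1."""
    conflicts = []
    for line in rules_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        rule = parse_rule(line)
        sev = effective_severity(rule, priorities)
        sig_sev = rule["metadata"].get("signature_severity", "")
        informational = sig_sev.lower() == "informational" or rule["msg"].startswith("ET INFO")
        if informational and sev == 1:
            conflicts.append((rule["sid"], rule["msg"], sev, sig_sev))
    return conflicts


if __name__ == "__main__":
    prio = parse_classification_config(CLASSIFICATION_CONFIG)
    for sid, msg, sev, sig in find_conflicts(RULES, prio):
        print(f"sid {sid}: eve.json severity {sev} but signature_severity {sig!r}: {msg}")
```

Run against a real ruleset, the script reports every rule whose downstream consumer (CrowdSec in this thread) would see severity 1 despite an informational label, which is the list an operator would want before wiring bans to the severity field.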
Hello @Hans2026
Thanks for pointing this out! I went through the rest of the ruleset and adjusted the metadata, so there should no longer be any INFO signatures with a priority 1 classification. Let us know if you see any other oddities and we’re happy to help!
Cheers,
Isaac