[Oisf-devel] FN on http POST query suricata v1.2.1?

Edward Fjellskål edwardfjellskaal at gmail.com
Thu Apr 19 08:03:43 UTC 2012


For what it's worth:

# tcpdump -s0 -i eth0 -w test.pcap &
# curl http://vg.no/abcd.php --data "galid=abcdzad&dzadzza=dzadzdza"

Then I run suricata on the pcap:
# suricata --runmode single -c suricata.yaml -r test.pcap

#### Events:
04/19/2012-09:20:21.738662  [**] [1:90011669:1] FN suricata [**] [Classification: access to a potentially vulnerable web application] [Priority: 2] {TCP} 1.2.3.4:4702 -> 195.88.54.16:80
04/19/2012-09:20:21.738662  [**] [1:90011668:1] FN suricata [**] [Classification: access to a potentially vulnerable web application] [Priority: 2] {TCP} 1.2.3.4:4702 -> 195.88.54.16:80
04/19/2012-09:20:21.738662  [**] [1:90011667:1] FN suricata [**] [Classification: access to a potentially vulnerable web application] [Priority: 2] {TCP} 1.2.3.4:4702 -> 195.88.54.16:80

I run without checksum validation.

Tested on two versions of suricata:
1: This is Suricata version 1.1beta2 (rev 58d7cb2)
   (1.1.1 (rev 1bfb46f) is throwing a flow error I'm not digging into right now)
2: This is Suricata version 1.3dev (rev fbe0206)

E


On 04/19/2012 01:58 AM, rmkml wrote:
> Hi,
>
> I'm restarting my Suricata (v1.2.1 and 1.3git) testing and I found 
> strange results with these sigs not firing:
>
> alert tcp any any -> any 80 (msg:"FN suricata"; flow:to_server,established; isdataat:1; classtype:web-application-activity; sid:90011667; rev:1;)
>
> alert tcp any any -> any 80 (msg:"FN suricata"; flow:to_server,established; pcre:"/^[^\n]{5}/P"; classtype:web-application-activity; sid:90011668; rev:1;)
>
> alert tcp any any -> any 80 (msg:"FN suricata"; flow:to_server,established; content:"galid"; nocase; http_client_body; classtype:web-application-activity; sid:90011669; rev:1;)
>
>
> Tested with these two http commands:
>  wget http://192.168.1.1/abcd.php --post-data="galid=abcdzad&dzadzza=dzadzdza"
>  curl http://192.168.1.1/abcd.php --data "galid=abcdzad&dzadzza=dzadzdza"
>
> Attached my two pcaps for replaying.
> No suricata error.
> Disabled cksum validation.
>
> I'm sure I'm totally wrong, but could someone check/confirm please? If OK, I'll 
> open a new redmine ticket.
> Of course, snort always fires.
> Regards
> Rmkml
>
> http://twitter.com/rmkml
>
>
> _______________________________________________
> Oisf-devel mailing list
> Oisf-devel at openinfosecfoundation.org
> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel
