[Oisf-devel] FN on http POST query suricata v1.2.1?
Victor Julien
victor at inliniac.net
Thu Apr 19 08:13:33 UTC 2012
On 04/19/2012 10:03 AM, Edward Fjellskål wrote:
> For what it's worth:
>
> # tcpdump -s0 -i eth0 -w test.pcap &
> # curl http://vg.no/abcd.php --data "galid=abcdzad&dzadzza=dzadzdza"
>
> Then I run suricata on the pcap:
> # suricata --runmode single -c suricata.yaml -r test.pcap
>
> #### Events:
> 04/19/2012-09:20:21.738662 [**] [1:90011669:1] FN suricata [**]
> [Classification: access to a potentially vulnerable web application]
> [Priority: 2] {TCP} 1.2.3.4:4702 -> 195.88.54.16:80
> 04/19/2012-09:20:21.738662 [**] [1:90011668:1] FN suricata [**]
> [Classification: access to a potentially vulnerable web application]
> [Priority: 2] {TCP} 1.2.3.4:4702 -> 195.88.54.16:80
> 04/19/2012-09:20:21.738662 [**] [1:90011667:1] FN suricata [**]
> [Classification: access to a potentially vulnerable web application]
> [Priority: 2] {TCP} 1.2.3.4:4702 -> 195.88.54.16:80
>
> I run without checksum validation.
>
> Tested on two versions of suricata:
> 1: This is Suricata version 1.1beta2 (rev 58d7cb2)
> (1.1.1 (rev 1bfb46f) is throwing a flow error I'm not digging into
> right now)
> 2: This is Suricata version 1.3dev (rev fbe0206)
Thanks for checking. Maybe it's related to the ECN and CWR flags that
are set on the first 2 packets.
Cheers,
Victor
> E
>
>
> On 04/19/2012 01:58 AM, rmkml wrote:
>> Hi,
>>
>> I'm restarting my Suricata (v1.2.1 and 1.3git) testing and I found
>> strange results with these sigs not firing:
>>
>> alert tcp any any -> any 80 (msg:"FN suricata";
>> flow:to_server,established; isdataat:1;
>> classtype:web-application-activity; sid:90011667; rev:1;)
>>
>> alert tcp any any -> any 80 (msg:"FN suricata";
>> flow:to_server,established; pcre:"/^[^\n]{5}/P";
>> classtype:web-application-activity; sid:90011668; rev:1;)
>>
>> alert tcp any any -> any 80 (msg:"FN suricata";
>> flow:to_server,established; content:"galid"; nocase; http_client_body;
>> classtype:web-application-activity; sid:90011669; rev:1;)
>>
>>
>> Tested with these two http commands:
>> wget http://192.168.1.1/abcd.php
>> --post-data="galid=abcdzad&dzadzza=dzadzdza"
>> curl http://192.168.1.1/abcd.php --data "galid=abcdzad&dzadzza=dzadzdza"
>>
>> Attached my two pcaps for replaying.
>> No suricata error.
>> Disabled cksum validation.
>>
>> I'm sure I'm totally wrong, but could someone check/confirm please? If ok, I'll
>> open a new redmine ticket.
>> Of course, snort always fires.
>> Regards
>> Rmkml
--
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
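Added here as an editor's example (not code from the thread, from Edward or rmkml, or from the Suricata project): a Python script that builds the four-packet POST exchange discussed above as a pcap, once with the ECN bits Victor points at (ECE|CWR on the SYN, ECE on the SYN/ACK) and once without, so both files can be replayed with `suricata -r` to see whether the flags make a difference. It also parses the pcap back, lists the TCP flags of every packet, extracts the client body, and runs a simplified reference check of what the three sids from the thread should match on that traffic, for comparison with what Suricata actually alerts on. The client address 192.168.1.100, the ports, the zero MAC addresses and the HTTP headers are assumptions; the rule check is a model of the keywords, not Suricata's engine.

```python
import re
import struct

# TCP flag bits (RFC 793); ECE and CWR are the ECN bits from RFC 3168.
FIN, SYN, RST, PSH, ACK, URG, ECE, CWR = (1 << i for i in range(8))
FLAG_NAMES = ((FIN, "F"), (SYN, "S"), (RST, "R"), (PSH, "P"),
              (ACK, "A"), (URG, "U"), (ECE, "E"), (CWR, "W"))

# Constructed test traffic: server address and POST body are from the thread,
# client address, ports and HTTP headers are assumptions made for this example.
CLIENT, SERVER, CLIENT_PORT, SERVER_PORT = "192.168.1.100", "192.168.1.1", 4702, 80
BODY = b"galid=abcdzad&dzadzza=dzadzdza"


def ip_bytes(addr):
    return bytes(int(o) for o in addr.split("."))


def inet_checksum(data):
    """RFC 1071 one's-complement checksum, used for both the IP and TCP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def tcp_packet(src, dst, sport, dport, seq, ack, flags, payload=b""):
    """Ethernet/IPv4/TCP frame with valid checksums; zero MACs are a placeholder."""
    eth = bytes(12) + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0) + payload
    pseudo = ip_bytes(src) + ip_bytes(dst) + struct.pack("!BBH", 0, 6, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", inet_checksum(pseudo + tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000, 64, 6, 0,
                     ip_bytes(src), ip_bytes(dst))
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    return eth + ip + tcp


def write_pcap(frames, ts=1334827221):
    """Classic pcap: little-endian, microsecond timestamps, LINKTYPE_ETHERNET (arbitrary ts)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", ts, i * 1000, len(frame), len(frame)) + frame
    return out


def build_sample_pcap(ecn=True):
    """Three-way handshake plus the POST; ecn=True sets ECE|CWR on the SYN, ECE on the SYN/ACK."""
    syn = SYN | (ECE | CWR if ecn else 0)
    synack = SYN | ACK | (ECE if ecn else 0)
    headers = (b"POST /abcd.php HTTP/1.1\r\n"
               b"Host: " + SERVER.encode() + b"\r\n"
               b"Content-Type: application/x-www-form-urlencoded\r\n"
               b"Content-Length: " + str(len(BODY)).encode() + b"\r\n\r\n")
    frames = [
        tcp_packet(CLIENT, SERVER, CLIENT_PORT, SERVER_PORT, 1000, 0, syn),
        tcp_packet(SERVER, CLIENT, SERVER_PORT, CLIENT_PORT, 5000, 1001, synack),
        tcp_packet(CLIENT, SERVER, CLIENT_PORT, SERVER_PORT, 1001, 5001, ACK),
        tcp_packet(CLIENT, SERVER, CLIENT_PORT, SERVER_PORT, 1001, 5001, PSH | ACK, headers + BODY),
    ]
    return write_pcap(frames)


def parse_pcap(data):
    """Minimal reader for Ethernet/IPv4/TCP frames; returns one dict per TCP packet."""
    assert struct.unpack_from("<I", data)[0] == 0xA1B2C3D4, "expected little-endian pcap"
    pos, packets = 24, []
    while pos + 16 <= len(data):
        incl = struct.unpack_from("<IIII", data, pos)[2]
        frame = data[pos + 16:pos + 16 + incl]
        pos += 16 + incl
        if frame[12:14] != b"\x08\x00":
            continue                      # not IPv4
        ip = frame[14:]
        ihl, total_len = (ip[0] & 0x0F) * 4, struct.unpack_from("!H", ip, 2)[0]
        if ip[9] != 6:
            continue                      # not TCP
        tcp = ip[ihl:total_len]
        sport, dport = struct.unpack_from("!HH", tcp)
        doff, flags = (tcp[12] >> 4) * 4, tcp[13]
        packets.append({"src": ".".join(map(str, ip[12:16])), "dst": ".".join(map(str, ip[16:20])),
                        "sport": sport, "dport": dport, "flags": flags,
                        "flag_str": "".join(n for b, n in FLAG_NAMES if flags & b),
                        "payload": tcp[doff:]})
    return packets


def ecn_negotiated(packets):
    """True when the SYN carries ECE|CWR and the SYN/ACK answers with ECE (RFC 3168 handshake)."""
    syn = next((p for p in packets if (p["flags"] & (SYN | ACK)) == SYN), None)
    synack = next((p for p in packets if (p["flags"] & (SYN | ACK)) == (SYN | ACK)), None)
    return bool(syn and synack and (syn["flags"] & (ECE | CWR)) == (ECE | CWR) and synack["flags"] & ECE)


def client_body(packets, server_port=SERVER_PORT):
    """Bytes after the first blank line of the reassembled client-to-server stream."""
    stream = b"".join(p["payload"] for p in packets if p["dport"] == server_port)
    return stream.partition(b"\r\n\r\n")[2]


def evaluate_rules(packets, server_port=SERVER_PORT):
    """Simplified model of the three sids from the thread (keyword semantics, not Suricata's engine)."""
    to_server = [p for p in packets if p["dport"] == server_port and p["payload"]]
    body = client_body(packets, server_port)
    return {90011667: any(len(p["payload"]) >= 1 for p in to_server),   # isdataat:1
            90011668: re.match(rb"^[^\n]{5}", body) is not None,        # pcre:"/^[^\n]{5}/P" (P = client body)
            90011669: b"galid" in body.lower()}                         # content:"galid"; nocase; http_client_body


if __name__ == "__main__":
    for name, ecn in (("test_ecn.pcap", True), ("test_noecn.pcap", False)):
        data = build_sample_pcap(ecn)
        with open(name, "wb") as fh:
            fh.write(data)
        pkts = parse_pcap(data)
        print(name, [p["flag_str"] for p in pkts], "ECN:", ecn_negotiated(pkts), evaluate_rules(pkts))
```

Running the script writes test_ecn.pcap and test_noecn.pcap next to it; replay each with `suricata --runmode single -c suricata.yaml -r <file>` and compare the sids in fast.log with the dict the script prints. If only the ECN variant misses alerts, the flags are the trigger; if both miss, the cause lies elsewhere in the stream or HTTP handling. The checksums are valid, so the files also work with checksum validation left on.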