[Oisf-devel] FN on http POST query suricata v1.2.1?

Peter Manev petermanev at gmail.com
Thu Apr 19 08:27:00 UTC 2012


On Thu, Apr 19, 2012 at 10:13 AM, Victor Julien <victor at inliniac.net> wrote:

> On 04/19/2012 10:03 AM, Edward Fjellskål wrote:
> > For what its worth:
> >
> > # tcpdump -s0 -i eth0 -w test.pcap &
> > # curl http://vg.no/abcd.php --data "galid=abcdzad&dzadzza=dzadzdza"
> >
> > Then I run suricata on the pcap:
> > # suricata --runmode single -c suricata.yaml -r test.pcap
> >
> > #### Events:
> > 04/19/2012-09:20:21.738662  [**] [1:90011669:1] FN suricata [**]
> > [Classification: access to a potentially vulnerable web application]
> > [Priority: 2] {TCP} 1.2.3.4:4702 -> 195.88.54.16:80
> > 04/19/2012-09:20:21.738662  [**] [1:90011668:1] FN suricata [**]
> > [Classification: access to a potentially vulnerable web application]
> > [Priority: 2] {TCP} 1.2.3.4:4702 -> 195.88.54.16:80
> > 04/19/2012-09:20:21.738662  [**] [1:90011667:1] FN suricata [**]
> > [Classification: access to a potentially vulnerable web application]
> > [Priority: 2] {TCP} 1.2.3.4:4702 -> 195.88.54.16:80
> >
> > I run without checksum validation.
> >
> > Tested on two versions of suricata:
> > 1: This is Suricata version 1.1beta2 (rev 58d7cb2)
> >   (1.1.1 (rev 1bfb46f) is throwing a flow error I'm not digging into
> > right now)
> > 2: This is Suricata version 1.3dev (rev fbe0206)
>
> Thanks for checking. Maybe it's related to the ECN and CWR flags that
> are set on the first 2 packets.
>
I think it has something to do with the Congestion Notification, because
if I run with rmkml's pcap I get rmkml's results.
But as Edward has done, I get spot-on results.

> Cheers,
> Victor
>
>
> > E
> >
> >
> > On 04/19/2012 01:58 AM, rmkml wrote:
> >> Hi,
> >>
> >> I restarted my Suricata (v1.2.1 and 1.3git) testing and I found
> >> strange results with these sigs not firing:
> >>
> >> alert tcp any any -> any 80 (msg:"FN suricata";
> >> flow:to_server,established; isdataat:1;
> >> classtype:web-application-activity; sid:90011667; rev:1;)
> >>
> >> alert tcp any any -> any 80 (msg:"FN suricata";
> >> flow:to_server,established; pcre:"/^[^\n]{5}/P";
> >> classtype:web-application-activity; sid:90011668; rev:1;)
> >>
> >> alert tcp any any -> any 80 (msg:"FN suricata";
> >> flow:to_server,established; content:"galid"; nocase; http_client_body;
> >> classtype:web-application-activity; sid:90011669; rev:1;)
> >>
> >>
> >> Tested with these two http commands:
> >>  wget http://192.168.1.1/abcd.php
> >> --post-data="galid=abcdzad&dzadzza=dzadzdza"
> >>  curl http://192.168.1.1/abcd.php --data
> "galid=abcdzad&dzadzza=dzadzdza"
> >>
> >> Joined my two pcaps for replaying.
> >> No suricata error.
> >> Disabled cksum validation.
> >>
> >> I'm sure I'm totally wrong, but could someone check/confirm please? If OK, I'll
> >> open a new redmine ticket.
> >> Of course, snort always fires.
> >> Regards
> >> Rmkml
>
>
> --
> ---------------------------------------------
> Victor Julien
> http://www.inliniac.net/
> PGP: http://www.inliniac.net/victorjulien.asc
> ---------------------------------------------
>
> _______________________________________________
> Oisf-devel mailing list
> Oisf-devel at openinfosecfoundation.org
> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel
>
-- 
Regards,
Peter Manev
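As an added example (not code from the thread or from the Suricata project), a small Python script that automates the check rmkml and Edward did by hand: it pulls the sids out of the test rules, parses the fast.log produced by replaying a pcap, and reports which sids did not fire. The rule and log text embedded below are constructed from the samples in this thread, with one of the three alerts deliberately left out so the false-negative path is exercised.

```python
import re

# Constructed sample input, shaped after the thread: the three test rules,
# and a fast.log in which only two of them fired (sid 90011668 is missing).
RULES = r'''
alert tcp any any -> any 80 (msg:"FN suricata"; flow:to_server,established; isdataat:1; classtype:web-application-activity; sid:90011667; rev:1;)
alert tcp any any -> any 80 (msg:"FN suricata"; flow:to_server,established; pcre:"/^[^\n]{5}/P"; classtype:web-application-activity; sid:90011668; rev:1;)
alert tcp any any -> any 80 (msg:"FN suricata"; flow:to_server,established; content:"galid"; nocase; http_client_body; classtype:web-application-activity; sid:90011669; rev:1;)
'''

FAST_LOG = '''
04/19/2012-09:20:21.738662  [**] [1:90011669:1] FN suricata [**] [Classification: access to a potentially vulnerable web application] [Priority: 2] {TCP} 1.2.3.4:4702 -> 195.88.54.16:80
04/19/2012-09:20:21.738662  [**] [1:90011667:1] FN suricata [**] [Classification: access to a potentially vulnerable web application] [Priority: 2] {TCP} 1.2.3.4:4702 -> 195.88.54.16:80
'''

# "sid:90011667;" inside a rule body; "[1:90011667:1]" is gid:sid:rev in fast.log.
SID_RE = re.compile(r'\bsid\s*:\s*(\d+)\s*;')
ALERT_RE = re.compile(r'\[\*\*\]\s+\[(\d+):(\d+):(\d+)\]')


def expected_sids(rules_text):
    """Sids of all enabled (non-commented) rules in the rules text."""
    sids = set()
    for line in rules_text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        m = SID_RE.search(line)
        if m:
            sids.add(int(m.group(1)))
    return sids


def fired_sids(fast_log_text, gid=1):
    """Sids that appear in fast.log alert lines for the given generator id."""
    sids = set()
    for line in fast_log_text.splitlines():
        m = ALERT_RE.search(line)
        if m and int(m.group(1)) == gid:
            sids.add(int(m.group(2)))
    return sids


def false_negatives(rules_text, fast_log_text):
    """Sorted list of sids expected to alert on the test pcap that did not."""
    return sorted(expected_sids(rules_text) - fired_sids(fast_log_text))


if __name__ == '__main__':
    for sid in false_negatives(RULES, FAST_LOG):
        print('FN: sid %d did not fire' % sid)
```

Point the two constants at a real rules file and the fast.log from `suricata -r test.pcap` and the script reports exactly the sids to raise in a ticket.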