[Oisf-devel] FN on http POST query suricata v1.2.1?

Anoop Saldanha anoopsaldanha at gmail.com
Thu Apr 19 09:54:10 UTC 2012


On Thu, Apr 19, 2012 at 1:57 PM, Peter Manev <petermanev at gmail.com> wrote:
>
>
> On Thu, Apr 19, 2012 at 10:13 AM, Victor Julien <victor at inliniac.net> wrote:
>>
>> On 04/19/2012 10:03 AM, Edward Fjellskål wrote:
>> > For what it's worth:
>> >
>> > # tcpdump -s0 -i eth0 -w test.pcap &
>> > # curl http://vg.no/abcd.php --data "galid=abcdzad&dzadzza=dzadzdza"
>> >
>> > Then I run suricata on the pcap:
>> > # suricata --runmode single -c suricata.yaml -r test.pcap
>> >
>> > #### Events:
>> > 04/19/2012-09:20:21.738662  [**] [1:90011669:1] FN suricata [**] [Classification: access to a potentially vulnerable web application] [Priority: 2] {TCP} 1.2.3.4:4702 -> 195.88.54.16:80
>> > 04/19/2012-09:20:21.738662  [**] [1:90011668:1] FN suricata [**] [Classification: access to a potentially vulnerable web application] [Priority: 2] {TCP} 1.2.3.4:4702 -> 195.88.54.16:80
>> > 04/19/2012-09:20:21.738662  [**] [1:90011667:1] FN suricata [**] [Classification: access to a potentially vulnerable web application] [Priority: 2] {TCP} 1.2.3.4:4702 -> 195.88.54.16:80
>> >
>> > I run without checksum validation.
>> >
>> > Tested on two versions of Suricata:
>> > 1: This is Suricata version 1.1beta2 (rev 58d7cb2)
>> >   (1.1.1 (rev 1bfb46f) is throwing a flow error I'm not digging into
>> > right now)
>> > 2: This is Suricata version 1.3dev (rev fbe0206)
>>
>> Thanks for checking. Maybe it's related to the ECN and CWR flags that
>> are set on the first 2 packets.
>>
> I think it has something to do with the Congestion Notification, because if
> I run with rmkml's pcap I get rmkml's results.
> But doing as Edward has done, I get spot-on results.
>
>
>
>>
>> Cheers,
>> Victor
>>
>>
>> > E
>> >
>> >
>> > On 04/19/2012 01:58 AM, rmkml wrote:
>> >> Hi,
>> >>
>> >> I'm restarting my Suricata (v1.2.1 and 1.3git) testing and I've found
>> >> strange results with these sigs not firing:
>> >>
>> >> alert tcp any any -> any 80 (msg:"FN suricata"; flow:to_server,established; isdataat:1; classtype:web-application-activity; sid:90011667; rev:1;)
>> >>
>> >> alert tcp any any -> any 80 (msg:"FN suricata"; flow:to_server,established; pcre:"/^[^\n]{5}/P"; classtype:web-application-activity; sid:90011668; rev:1;)
>> >>
>> >> alert tcp any any -> any 80 (msg:"FN suricata"; flow:to_server,established; content:"galid"; nocase; http_client_body; classtype:web-application-activity; sid:90011669; rev:1;)
>> >>
>> >>
>> >> Tested with these two HTTP commands:
>> >>  wget http://192.168.1.1/abcd.php --post-data="galid=abcdzad&dzadzza=dzadzdza"
>> >>  curl http://192.168.1.1/abcd.php --data "galid=abcdzad&dzadzza=dzadzdza"
>> >>
>> >> Attached my two pcaps for replaying.
>> >> No Suricata error.
>> >> Disabled cksum validation.
>> >>
>> >> I'm sure I'm totally wrong, but could someone check/confirm please? If OK, I'll
>> >> open a new redmine ticket.
>> >> Of course, snort always fires.
>> >> Regards
>> >> Rmkml
>>
>>
>> --
>> ---------------------------------------------
>> Victor Julien
>> http://www.inliniac.net/
>> PGP: http://www.inliniac.net/victorjulien.asc
>> ---------------------------------------------
>>
>> _______________________________________________
>> Oisf-devel mailing list
>> Oisf-devel at openinfosecfoundation.org
>> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel
>
>
>
>
> --
> Regards,
> Peter Manev
>
>

I haven't run it as yet, but it looks like a bug since converting the
rule into a packet rule gives me an alert.  You can open a bug on
this.  Thanks rmkml.

-- 
Anoop Saldanha
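A small harness for the check the thread is doing by hand: parse the sids out of a rule file, parse the sids that actually alerted out of Suricata's fast.log for the replayed pcap, and report the difference as false negatives. This is an added example, not code from the thread or from the Suricata project. The rule text and the fast.log lines embedded below are constructed from the messages above (the three sids and Edward's three events); the file names `fn.rules` and `fast.log` are assumptions.

```python
import re
import sys
from typing import Dict, List, Set

# One fast.log line (Suricata 1.x format, as shown in Edward's run above):
# "<ts>  [**] [gid:sid:rev] <msg> [**] [Classification: ...] [Priority: N] {PROTO} src:sp -> dst:dp"
FASTLOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\].*?\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$"
)
# The sid keyword inside a rule body.
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")

# Constructed: rmkml's three rules, one per line.
RULES = """
alert tcp any any -> any 80 (msg:"FN suricata"; flow:to_server,established; isdataat:1; classtype:web-application-activity; sid:90011667; rev:1;)
alert tcp any any -> any 80 (msg:"FN suricata"; flow:to_server,established; pcre:"/^[^\\n]{5}/P"; classtype:web-application-activity; sid:90011668; rev:1;)
alert tcp any any -> any 80 (msg:"FN suricata"; flow:to_server,established; content:"galid"; nocase; http_client_body; classtype:web-application-activity; sid:90011669; rev:1;)
"""

# Constructed: the fast.log output Edward reported (all three sids fired).
FASTLOG_EDWARD = """
04/19/2012-09:20:21.738662  [**] [1:90011669:1] FN suricata [**] [Classification: access to a potentially vulnerable web application] [Priority: 2] {TCP} 1.2.3.4:4702 -> 195.88.54.16:80
04/19/2012-09:20:21.738662  [**] [1:90011668:1] FN suricata [**] [Classification: access to a potentially vulnerable web application] [Priority: 2] {TCP} 1.2.3.4:4702 -> 195.88.54.16:80
04/19/2012-09:20:21.738662  [**] [1:90011667:1] FN suricata [**] [Classification: access to a potentially vulnerable web application] [Priority: 2] {TCP} 1.2.3.4:4702 -> 195.88.54.16:80
"""

# Constructed: rmkml's run, where nothing fired, is simply an empty fast.log.
FASTLOG_RMKML = ""


def parse_fastlog(text: str) -> List[Dict[str, str]]:
    """Return one dict per well-formed fast.log line; other lines are ignored."""
    events = []
    for line in text.splitlines():
        m = FASTLOG_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def expected_sids(rules: str) -> Set[int]:
    """Sids of every enabled (non-commented) rule in the rule text."""
    sids: Set[int] = set()
    for line in rules.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = SID_RE.search(line)
        if m:
            sids.add(int(m.group(1)))
    return sids


def fired_sids(fastlog: str) -> Set[int]:
    """Sids that produced at least one alert in the fast.log text."""
    return {int(ev["sid"]) for ev in parse_fastlog(fastlog)}


def false_negatives(rules: str, fastlog: str) -> Set[int]:
    """Sids that are enabled in the rule file but never alerted on the replayed pcap."""
    return expected_sids(rules) - fired_sids(fastlog)


def report(label: str, rules: str, fastlog: str) -> None:
    missing = false_negatives(rules, fastlog)
    status = "OK" if not missing else "FN"
    print(f"{label}: {status} fired={sorted(fired_sids(fastlog))} missing={sorted(missing)}")


if __name__ == "__main__":
    # Assumed usage: `python3 fn_check.py fn.rules fast.log` after `suricata -r test.pcap`.
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as r, open(sys.argv[2]) as f:
            report(sys.argv[2], r.read(), f.read())
    else:
        report("edward", RULES, FASTLOG_EDWARD)
        report("rmkml", RULES, FASTLOG_RMKML)
```

Run against the two pcaps attached to the thread, the same rule file should give an empty `missing` set for Edward's capture and all three sids for rmkml's; when only some sids are missing, the set tells you which buffer (packet payload, `/P` pcre, or `http_client_body`) is the one not being inspected.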


