[Oisf-devel] FN on http POST query suricata v1.2.1?

Victor Julien victor at inliniac.net
Tue Apr 24 12:18:39 UTC 2012


These patches are now in the git master. Thanks guys!

On 04/20/2012 11:16 AM, Anoop Saldanha wrote:
> Patches attached in the bug that fixes the FNs.  Should be in the
> master in sometime.  Meanwhile you can test the patches.
> 
> On Fri, Apr 20, 2012 at 1:00 AM, rmkml <rmkml at yahoo.fr> wrote:
>> Hi Anoop, Peter and Edward.
>> Opened redmine ticket #452.
>> Edward: Can you share your pcap please? (so I can try to replay it)
>> Best Regards
>> Rmkml
>>
>>
>>
>> On Thu, 19 Apr 2012, Anoop Saldanha wrote:
>>
>>> On Thu, Apr 19, 2012 at 1:57 PM, Peter Manev <petermanev at gmail.com> wrote:
>>>>
>>>>
>>>>
>>>> On Thu, Apr 19, 2012 at 10:13 AM, Victor Julien <victor at inliniac.net>
>>>> wrote:
>>>>>
>>>>>
>>>>> On 04/19/2012 10:03 AM, Edward Fjellskål wrote:
>>>>>> For what it's worth:
>>>>>>
>>>>>> # tcpdump -s0 -i eth0 -w test.pcap &
>>>>>> # curl http://vg.no/abcd.php --data "galid=abcdzad&dzadzza=dzadzdza"
>>>>>>
>>>>>> Then I run suricata on the pcap:
>>>>>> # suricata --runmode single -c suricata.yaml -r test.pcap
>>>>>>
>>>>>> #### Events:
>>>>>> 04/19/2012-09:20:21.738662  [**] [1:90011669:1] FN suricata [**]
>>>>>> [Classification: access to a potentially vulnerable web application]
>>>>>> [Priority: 2] {TCP} 1.2.3.4:4702 -> 195.88.54.16:80
>>>>>> 04/19/2012-09:20:21.738662  [**] [1:90011668:1] FN suricata [**]
>>>>>> [Classification: access to a potentially vulnerable web application]
>>>>>> [Priority: 2] {TCP} 1.2.3.4:4702 -> 195.88.54.16:80
>>>>>> 04/19/2012-09:20:21.738662  [**] [1:90011667:1] FN suricata [**]
>>>>>> [Classification: access to a potentially vulnerable web application]
>>>>>> [Priority: 2] {TCP} 1.2.3.4:4702 -> 195.88.54.16:80
>>>>>>
>>>>>> I run without checksum validation.
>>>>>>
>>>>>> Tested on two versions of suricata:
>>>>>> 1: This is Suricata version 1.1beta2 (rev 58d7cb2)
>>>>>>   (1.1.1 (rev 1bfb46f) is throwing a flow error I'm not digging into
>>>>>> right now)
>>>>>> 2: This is Suricata version 1.3dev (rev fbe0206)
>>>>>
>>>>> Thanks for checking. Maybe it's related to the ECN and CWR flags that
>>>>> are set on the first 2 packets.
>>>>>
>>>> I think it has something to do with the Congestion Notification - because
>>>> if I run with rmkml's pcap I get rmkml's results.
>>>> But doing as Edward has done, I get spot-on results.
>>>>
>>>>
>>>>
>>>>>
>>>>> Cheers,
>>>>> Victor
>>>>>
>>>>>
>>>>>> E
>>>>>>
>>>>>>
>>>>>> On 04/19/2012 01:58 AM, rmkml wrote:
>>>>>>> Hi,
>>>>>>>
>>>>>>> I'm restarting my Suricata (v1.2.1 and 1.3git) testing and I found
>>>>>>> strange results with these sigs not firing:
>>>>>>>
>>>>>>> alert tcp any any -> any 80 (msg:"FN suricata";
>>>>>>> flow:to_server,established; isdataat:1;
>>>>>>> classtype:web-application-activity; sid:90011667; rev:1;)
>>>>>>>
>>>>>>> alert tcp any any -> any 80 (msg:"FN suricata";
>>>>>>> flow:to_server,established; pcre:"/^[^\n]{5}/P";
>>>>>>> classtype:web-application-activity; sid:90011668; rev:1;)
>>>>>>>
>>>>>>> alert tcp any any -> any 80 (msg:"FN suricata";
>>>>>>> flow:to_server,established; content:"galid"; nocase;
>>>>>>> http_client_body;
>>>>>>> classtype:web-application-activity; sid:90011669; rev:1;)
>>>>>>>
>>>>>>>
>>>>>>> Tested with these two http commands:
>>>>>>>  wget http://192.168.1.1/abcd.php --post-data="galid=abcdzad&dzadzza=dzadzdza"
>>>>>>>  curl http://192.168.1.1/abcd.php --data "galid=abcdzad&dzadzza=dzadzdza"
>>>>>>>
>>>>>>> Attached my two pcaps for replaying.
>>>>>>> No suricata error.
>>>>>>> Disabled cksum validation.
>>>>>>>
>>>>>>> I'm sure I'm totally wrong, but could someone check/confirm please? If ok,
>>>>>>> I'll open a new redmine ticket.
>>>>>>> Of course, snort always fires.
>>>>>>> Regards
>>>>>>> Rmkml
>>>>
>>>>
>>>>
>>>> --
>>>> Regards,
>>>> Peter Manev
>>>
>>>
>>>
>>> I haven't run it as yet, but it looks like a bug since converting the
>>> rule into a packet rule gives me an alert.  You can open a bug on
>>> this.  Thanks rmkml.
>>>
>>> --
>>> Anoop Saldanha
> 
> 
> 


-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
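The thread's test method is to replay a pcap and eyeball the fast.log events for the three "FN suricata" SIDs. A small script that parses fast.log and reports which expected SIDs did not fire on a given flow turns that into a repeatable regression check, which is useful when re-testing the fix across the Suricata versions mentioned above. This is an added example, not code from the thread or from the Suricata project; the sample log lines are constructed (the first two mirror the events Edward posted, the third is an invented alert on an unrelated flow), and the flow tuple and expected SID set are assumptions matching this thread.

```python
"""Find false negatives in a Suricata fast.log: expected SIDs that never fired on a flow."""
import re
from collections import Counter

# One fast.log alert per line. The events quoted in the thread are this format,
# shown wrapped by the mail client.
FAST_LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.+?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"(?:\[Priority:\s*(?P<prio>\d+)\]\s+)?"
    r"\{(?P<proto>\w+)\}\s+(?P<src>\S+):(?P<sport>\d+)\s+->\s+(?P<dst>\S+):(?P<dport>\d+)\s*$"
)

# Constructed sample: two alerts on the POST flow from the thread, plus one
# unrelated alert so the per-flow filter has something to exclude.
SAMPLE_FAST_LOG = """\
04/19/2012-09:20:21.738662  [**] [1:90011669:1] FN suricata [**] [Classification: access to a potentially vulnerable web application] [Priority: 2] {TCP} 1.2.3.4:4702 -> 195.88.54.16:80
04/19/2012-09:20:21.738662  [**] [1:90011667:1] FN suricata [**] [Classification: access to a potentially vulnerable web application] [Priority: 2] {TCP} 1.2.3.4:4702 -> 195.88.54.16:80
04/19/2012-09:20:25.000001  [**] [1:90011668:1] FN suricata [**] [Classification: access to a potentially vulnerable web application] [Priority: 2] {TCP} 10.0.0.5:51000 -> 192.168.1.1:80
"""

# Assumed for this check: the three SIDs rmkml posted, and the POST flow from Edward's events.
EXPECTED_SIDS = {90011667, 90011668, 90011669}
POST_FLOW = ("1.2.3.4", 4702, "195.88.54.16", 80)


def parse_fast_log(text):
    """Parse fast.log text into a list of alert dicts; unparseable lines are skipped."""
    alerts = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = FAST_LOG_RE.match(line)
        if m is None:
            continue
        d = m.groupdict()
        for key in ("gid", "sid", "rev", "sport", "dport"):
            d[key] = int(d[key])
        d["prio"] = int(d["prio"]) if d["prio"] is not None else None
        alerts.append(d)
    return alerts


def sids_for_flow(alerts, src, sport, dst, dport):
    """Count alerts per SID for one client->server tuple."""
    return Counter(
        a["sid"] for a in alerts
        if (a["src"], a["sport"], a["dst"], a["dport"]) == (src, sport, dst, dport)
    )


def find_false_negatives(alerts, expected_sids, flow=None):
    """Return the expected SIDs that produced no alert (optionally restricted to one flow)."""
    if flow is None:
        seen = {a["sid"] for a in alerts}
    else:
        seen = set(sids_for_flow(alerts, *flow))
    return set(expected_sids) - seen


if __name__ == "__main__":
    alerts = parse_fast_log(SAMPLE_FAST_LOG)
    missing = find_false_negatives(alerts, EXPECTED_SIDS, POST_FLOW)
    for sid, n in sorted(sids_for_flow(alerts, *POST_FLOW).items()):
        print(f"sid {sid}: {n} alert(s) on POST flow")
    print("false negatives on POST flow:", sorted(missing) or "none")
```

Filtering by flow matters here: without it, an alert for the same SID on some other connection would mask the false negative on the one flow under test, which is exactly the case the third constructed line exercises.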