[Oisf-devel] Suricata FN on http reply with file_data.

rmkml rmkml at yahoo.fr
Mon Jun 25 00:33:18 UTC 2012


Hi,

First, congratulations for all the hard work and the last fix.


Second, ok, I downloaded a web page from the CNN web site:
  wget http://www.cnn.com/
(wget = without http reply compression)

ok, and captured the network traffic with tcpdump:
  sudo tcpdump -s 0 -i any -w exemple_http_reply.pcap tcp port 80
  tcpdump: listening on any, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes
  123 packets captured
  123 packets received by filter
  0 packets dropped by kernel

For example, search for the word "dartiframe" with grep:
  grep dartiframe exemple_http_reply.pcap
  Fichier binaire exemple_http_reply.pcap concordant
(it appears one time, near the end of the pcap)

Next step, create a new signature for detecting this word with file_data:
  alert tcp any 80 -> any any (msg:"test dartiframe 1"; flow:to_client,established; file_data; content:"dartiframe"; nocase; distance:0; classtype:web-application-activity; sid:395295; rev:1;)
(same result with or without distance)

and create another new signature for detecting this word without file_data:
  alert tcp any 80 -> any any (msg:"test dartiframe 2"; flow:to_client,established; content:"dartiframe"; nocase; classtype:web-application-activity; sid:395296; rev:1;)


ok, start Suricata v1.2.1 or today's latest git:
  suricata-1.2.1 -c suricata.yaml_130 -r exemple_http_reply.pcap
  suricata-1.3beta2git24juin2012 -c suricata.yaml_130 -r exemple_http_reply.pcap

ok, 395296 always fires
nok, 395295 never fires

Can anyone check this please?
If you confirm, I'll open a new redmine ticket for this.
Of course, Snort always fires.

I'm using the default Suricata conf, maybe I need to enlarge something like the http reply buffer?

Regards
Rmkml

http://twitter.com/rmkml
-------------- next part --------------
A non-text attachment was scrubbed...
Name: exemple_http_reply.pcap.gz
Type: application/x-gzip
Size: 24013 bytes
Desc: 
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-devel/attachments/20120625/587553b8/attachment.bin>
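An added example, not code from the post or from the Suricata project: a small Python model of the two rules' inspection scopes, useful for checking where the match sits in a reply before filing a ticket. The body-limit parameter is an assumed stand-in for libhtp's response-body-limit, and the sample reply is constructed, not the CNN capture.

```python
from typing import Optional

# Constructed sample reply (not the CNN capture from the post): the word appears
# once, near the end of a large body, as described in the report.
BODY = b"<html><body>" + b"<p>filler</p>" * 2000 + b"<script>dartiframe</script></body></html>"
SAMPLE_REPLY = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
                + b"Content-Length: %d\r\n\r\n" % len(BODY) + BODY)

def split_reply(raw: bytes):
    """Split a raw HTTP reply into (headers, body) at the first blank line."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no end-of-headers marker in reply")
    return head, body

def dechunk(body: bytes) -> bytes:
    """Decode a Transfer-Encoding: chunked body into the bytes a body buffer would hold."""
    out, pos = bytearray(), 0
    while True:
        end = body.index(b"\r\n", pos)
        size = int(body[pos:end].split(b";")[0], 16)  # ignore chunk extensions
        if size == 0:
            return bytes(out)
        pos = end + 2
        out += body[pos:pos + size]
        pos += size + 2  # skip chunk data and its trailing CRLF

def stream_match(raw: bytes, needle: bytes) -> int:
    """Model of the plain content rule (sid 395296): nocase search over the whole payload."""
    return raw.lower().find(needle.lower())

def file_data_match(raw: bytes, needle: bytes, body_limit: Optional[int]) -> int:
    """Model of the file_data rule (sid 395295): nocase search over the decoded body only,
    truncated to body_limit bytes (assumed stand-in for libhtp's response-body-limit).
    Returns the body offset of the match, or -1 if it falls outside the inspected window."""
    head, body = split_reply(raw)
    if b"transfer-encoding: chunked" in head.lower():
        body = dechunk(body)
    window = body if body_limit is None else body[:body_limit]
    return window.lower().find(needle.lower())

def diagnose(raw: bytes, needle: bytes, body_limit: Optional[int]) -> dict:
    """Compare where each rule model would (or would not) see the needle."""
    return {"stream_offset": stream_match(raw, needle),
            "body_offset": file_data_match(raw, needle, None),
            "inspected_with_limit": file_data_match(raw, needle, body_limit) >= 0}

if __name__ == "__main__":
    print(diagnose(SAMPLE_REPLY, b"dartiframe", 4096))
```

With a small limit the body-scoped model misses a match that the raw-stream model finds; with a chunked reply the reverse happens, since the raw stream is broken up by chunk framing.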

