[Oisf-devel] Suricata FN on http reply with file_data.

Victor Julien victor at inliniac.net
Mon Jun 25 07:31:53 UTC 2012


On 06/25/2012 02:33 AM, rmkml wrote:
> Hi,
> 
> First, congratulations for all the hard work and the last fix.
> 
> 
> Second, ok, I download a web page from the CNN web site:
>  wget http://www.cnn.com/
> (wget=without http reply compression)
> 
> ok, and write the network traffic with tcpdump:
>  sudo tcpdump -s 0 -i any -w exemple_http_reply.pcap tcp port 80
>  tcpdump: listening on any, link-type LINUX_SLL (Linux cooked), capture
> size 65535 bytes
>  123 packets captured
>  123 packets received by filter
>  0 packets dropped by kernel
> 
> For example, search for the word "dartiframe" with grep:
>  grep dartiframe exemple_http_reply.pcap
>  Fichier binaire exemple_http_reply.pcap concordant
> (appears one time at the end of the pcap)
> 
> Next step, create a new signature for detecting this word with file_data:
>  alert tcp any 80 -> any any (msg:"test dartiframe 1"; flow:to_client,established; file_data; content:"dartiframe"; nocase; distance:0; classtype:web-application-activity; sid:395295; rev:1;)
> (same result with or without distance)
> 
> and create another new signature for detecting this word without file_data:
>  alert tcp any 80 -> any any (msg:"test dartiframe 2"; flow:to_client,established; content:"dartiframe"; nocase; classtype:web-application-activity; sid:395296; rev:1;)
> 
> 
> ok, start suricata v1.2.1 or the latest git as of today:
>  suricata-1.2.1 -c suricata.yaml_130 -r exemple_http_reply.pcap
>  suricata-1.3beta2git24juin2012 -c suricata.yaml_130 -r exemple_http_reply.pcap
> 
> ok, 395296 always fires
> nok, 395295 never fires
> 
> Can anyone check this please?
> If you confirm, I'll open a new redmine ticket for this.
> Of course, snort always fires.
> 
> I'm using the default suricata conf, maybe I need to enlarge something like the http reply buffer?

Increasing the response-body-limits makes the alert appear again, so
it's a configuration issue.

-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
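The behaviour described in the thread, as an added example that is not part of the original post and not Suricata code: a small model of why a content match on the raw stream (sid 395296) fires while the same content under file_data (sid 395295) does not, when the match lies past the inspected portion of the response body. The 3072-byte figure is taken from the response-body-limit default in Suricata 1.x's suricata.yaml (an assumption about that era's config; the body-limit semantics here, including 0 meaning no limit, are a simplification of the real engine). The HTTP response is constructed inline.

```python
"""Model of how a response-body limit hides content from a file_data match.

Added example, not Suricata code. A constructed HTTP response is inspected
two ways: over the raw stream (like a plain content: match) and over only
the first `body_limit` bytes of the decoded body (like file_data with a
response-body-limit set in suricata.yaml).
"""

# Assumed default of libhtp's response-body-limit in Suricata 1.x configs.
DEFAULT_RESPONSE_BODY_LIMIT = 3072


def split_http_response(raw: bytes) -> tuple[bytes, bytes]:
    """Split a raw HTTP/1.x response into (head, body) at the blank line."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no end-of-headers marker in response")
    return head, body


def raw_stream_match(raw: bytes, pattern: bytes) -> bool:
    """Case-insensitive match anywhere in the stream (the sid 395296 case)."""
    return pattern.lower() in raw.lower()


def file_data_match(raw: bytes, pattern: bytes,
                    body_limit: int = DEFAULT_RESPONSE_BODY_LIMIT) -> bool:
    """Case-insensitive match only inside the inspected body prefix.

    body_limit == 0 is treated as 'no limit' (assumption about the knob's
    semantics). Bytes of the body beyond the limit are never inspected, so a
    keyword that appears late in a large page is invisible to this check.
    """
    _, body = split_http_response(raw)
    inspected = body if body_limit == 0 else body[:body_limit]
    return pattern.lower() in inspected.lower()


def build_sample_response(filler_len: int) -> bytes:
    """Constructed response whose keyword sits at the very end of the body."""
    body = (b"<html><body>" + b"x" * filler_len
            + b'<iframe src="/dartiframe"></iframe></body></html>')
    head = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
            b"Content-Length: " + str(len(body)).encode() + b"\r\n")
    return head + b"\r\n" + body


def diagnose(filler_len: int, pattern: bytes = b"dartiframe") -> dict:
    """Report which inspection modes would see the keyword for a given page size."""
    raw = build_sample_response(filler_len)
    return {
        "body_bytes": len(split_http_response(raw)[1]),
        "raw_stream": raw_stream_match(raw, pattern),
        "file_data_default_limit": file_data_match(raw, pattern),
        "file_data_no_limit": file_data_match(raw, pattern, body_limit=0),
    }


if __name__ == "__main__":
    for size in (100, 5000):
        print(size, diagnose(size))
```

The knob Victor refers to is `response-body-limit` under `libhtp: default-config:` in suricata.yaml; raising it (or setting it to 0 for no limit) extends the inspected prefix, which is why the file_data alert reappears. The cost of a larger limit is more memory held per HTTP transaction, so the value is a tuning decision rather than a bug in the rule.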