[Oisf-devel] Suricata FN on http reply with file_data.

rmkml rmkml at yahoo.fr
Tue Jun 26 22:54:30 UTC 2012


Thank you Victor,

but in my mind, file_data is like a flag (or flowbits), and I'm searching for only one word "dartiframe" with the file_data flag.

but why do I need to enlarge response-body-limit, and not simply flag file_data (like flowbits) + dartiframe?


I would need to enlarge response-body-limit if I search flag file_data + content and within/depth + another content within/depth...

What do you think please?
Best Regards
Rmkml


On Mon, 25 Jun 2012, Victor Julien wrote:

> On 06/25/2012 02:33 AM, rmkml wrote:
>> Hi,
>>
>> First, congratulations on all the hard work and the last fix.
>>
>>
>> Second, ok, I download a web page from the CNN web site:
>>  wget http://www.cnn.com/
>> (wget=without http reply compression)
>>
>> ok, and record the network traffic with tcpdump:
>>  sudo tcpdump -s 0 -i any -w exemple_http_reply.pcap tcp port 80
>>  tcpdump: listening on any, link-type LINUX_SLL (Linux cooked), capture
>> size 65535 bytes
>>  123 packets captured
>>  123 packets received by filter
>>  0 packets dropped by kernel
>>
>> For example, search for the word "dartiframe" with grep:
>>  grep dartiframe exemple_http_reply.pcap
>>  Fichier binaire exemple_http_reply.pcap concordant
>> (appears one time at the end of the pcap)
>>
>> Next step, create a new signature for detecting this word with file_data:
>>  alert tcp any 80 -> any any (msg:"test dartiframe 1";
>> flow:to_client,established; file_data; content:"dartiframe"; nocase;
>> distance:0; classtype:web-application-activity; sid:395295; rev:1;)
>> (same result with or without distance)
>>
>> and create another new signature for detecting this word without file_data:
>>  alert tcp any 80 -> any any (msg:"test dartiframe 2";
>> flow:to_client,established; content:"dartiframe"; nocase;
>> classtype:web-application-activity; sid:395296; rev:1;)
>>
>>
>> ok, start suricata v1.2.1 or the latest git as of today:
>>  suricata-1.2.1 -c suricata.yaml_130 -r exemple_http_reply.pcap
>>  suricata-1.3beta2git24juin2012 -c suricata.yaml_130 -r
>> exemple_http_reply.pcap
>>
>> ok, 395296 always fires
>> nok, 395295 never fires
>>
>> Can anyone check this please?
>> If you confirm, I'll open a new redmine ticket for this.
>> Of course, snort always fires.
>>
>> I'm using the default suricata conf, maybe I need to enlarge something like the http reply buffer?
>
> Increasing the response-body-limits makes the alert appear again, so
> it's a configuration issue.
>
> -- 
> ---------------------------------------------
> Victor Julien
> http://www.inliniac.net/
> PGP: http://www.inliniac.net/victorjulien.asc
> ---------------------------------------------
>
>
>
> _______________________________________________
> Oisf-devel mailing list
> Oisf-devel at openinfosecfoundation.org
> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel
>
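As an added illustration of the configuration point raised above (this is example code written for this page, not code from the thread or from Suricata itself): a small Python model of the HTTP response-body inspection window. Suricata hands only the first response-body-limit bytes of the (decompressed) response body to the file_data buffer (the setting lives under libhtp in suricata.yaml), so a file_data rule cannot see a pattern that lies beyond that window, while a plain content match on the reassembled stream still can. The HTTP reply below is constructed, the 3072-byte limit is a placeholder assumed for the demonstration, and the function names are mine; the helper reports the body offset of the match so an analyst can see how large the limit would have to be for the file_data rule to fire.

```python
"""
Model of Suricata's file_data inspection window versus a raw content match.

Example code, not Suricata's implementation. A file_data rule inspects only
the first `response-body-limit` bytes of the HTTP response body; a content
match without file_data searches the whole reassembled stream. When the
pattern sits past the limit, the file_data rule stays silent: a detection
blind spot that looks like a rule bug but is really a configuration limit.
"""

from typing import Optional, Tuple

CRLF = b"\r\n"


def split_http_response(raw: bytes) -> Tuple[Optional[bytes], bytes]:
    """Split a raw HTTP/1.x response into (headers, body).
    Returns (None, raw) when no header terminator is present."""
    sep = raw.find(CRLF + CRLF)
    if sep < 0:
        return None, raw
    return raw[:sep], raw[sep + 4:]


def raw_stream_match(raw: bytes, pattern: bytes) -> bool:
    """Equivalent of `content:` without file_data: the whole reassembled
    stream, headers included, is searched; lower() mimics `nocase`."""
    return pattern.lower() in raw.lower()


def file_data_match(raw: bytes, pattern: bytes, body_limit: int) -> bool:
    """Equivalent of `file_data; content:...; nocase;`: only the first
    body_limit bytes of the response body are visible to the rule."""
    _, body = split_http_response(raw)
    return pattern.lower() in body[:body_limit].lower()


def match_offset_in_body(raw: bytes, pattern: bytes) -> Optional[int]:
    """Byte offset of the pattern inside the response body, or None."""
    _, body = split_http_response(raw)
    idx = body.lower().find(pattern.lower())
    return None if idx < 0 else idx


def required_body_limit(raw: bytes, pattern: bytes) -> Optional[int]:
    """Smallest response-body-limit that would let file_data see the match."""
    off = match_offset_in_body(raw, pattern)
    return None if off is None else off + len(pattern)


# Constructed sample reply: the marker sits behind about 5 KiB of filler,
# in mixed case so the nocase behaviour is exercised too.
SAMPLE_PATTERN = b"dartiframe"
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK" + CRLF
    + b"Content-Type: text/html" + CRLF
    + b"Connection: close" + CRLF + CRLF
    + b"<html><body>" + b"<p>filler</p>" * 400      # 13 * 400 = 5200 bytes of filler
    + b'<iframe id="DartIframe"></iframe>'
    + b"</body></html>"
)
ASSUMED_DEFAULT_LIMIT = 3072   # placeholder limit for the demo, not a value from the thread


def main() -> None:
    print("raw content match      :", raw_stream_match(SAMPLE_RESPONSE, SAMPLE_PATTERN))
    print("file_data, limit %5d :" % ASSUMED_DEFAULT_LIMIT,
          file_data_match(SAMPLE_RESPONSE, SAMPLE_PATTERN, ASSUMED_DEFAULT_LIMIT))
    print("file_data, limit  8192 :",
          file_data_match(SAMPLE_RESPONSE, SAMPLE_PATTERN, 8192))
    print("match offset in body   :", match_offset_in_body(SAMPLE_RESPONSE, SAMPLE_PATTERN))
    print("limit needed           :", required_body_limit(SAMPLE_RESPONSE, SAMPLE_PATTERN))


if __name__ == "__main__":
    main()
```

Run as a script it prints that the raw match succeeds, the file_data match fails at the placeholder limit and succeeds at 8192, and that the pattern starts 5224 bytes into the body. The same check against a real capture is what tells you whether raising response-body-limit (at the cost of more memory per flow) or dropping file_data from the rule is the right fix.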