[Oisf-devel] Suricata FN on http reply with file_data.

Victor Julien victor at inliniac.net
Thu Jun 28 08:58:17 UTC 2012


In Suricata, file_data inspects a normalized buffer. Its maximum size can
be controlled for performance reasons. Most signatures look at the start
of a body, so inspecting all of it can be wasteful. But you can increase
it or set it to unlimited (0), which will inspect all.

On 06/27/2012 12:54 AM, rmkml wrote:
> Thx you Victor,
> 
> but in my mind, file_data is like a flag (or flowbits), and I'm searching
> for only one word, "dartiframe", with the file_data flag.
> 
> but why do I need to enlarge response-body-limit, and not simply flag file_data
> (like flowbits) + dartiframe ?
> 
> 
> Enlarging response-body-limit would be needed if I searched for flag file_data + content
> with within/depth + another content with within/depth...
> 
> What do you think please?
> Best Regards
> Rmkml
> 
> 
> On Mon, 25 Jun 2012, Victor Julien wrote:
> 
>> On 06/25/2012 02:33 AM, rmkml wrote:
>>> Hi,
>>>
>>> First, congratulations for all the hard work and the last fix.
>>>
>>>
>>> Second, ok, I downloaded a web page from the CNN web site:
>>>  wget http://www.cnn.com/
>>> (wget=without http reply compression)
>>>
>>> ok, and captured the network traffic with tcpdump:
>>>  sudo tcpdump -s 0 -i any -w exemple_http_reply.pcap tcp port 80
>>>  tcpdump: listening on any, link-type LINUX_SLL (Linux cooked), capture
>>> size 65535 bytes
>>>  123 packets captured
>>>  123 packets received by filter
>>>  0 packets dropped by kernel
>>>
>>> For example, search for the "dartiframe" word with grep:
>>>  grep dartiframe exemple_http_reply.pcap
>>>  Fichier binaire exemple_http_reply.pcap concordant
>>> (appears one time at the end of the pcap)
>>>
>>> Next step, create a new signature for detecting this word with
>>> file_data:
>>>  alert tcp any 80 -> any any (msg:"test dartiframe 1";
>>> flow:to_client,established; file_data; content:"dartiframe"; nocase;
>>> distance:0; classtype:web-application-activity; sid:395295; rev:1;)
>>> (same result with or without distance)
>>>
>>> and create another new signature for detecting this word without
>>> file_data:
>>>  alert tcp any 80 -> any any (msg:"test dartiframe 2";
>>> flow:to_client,established; content:"dartiframe"; nocase;
>>> classtype:web-application-activity; sid:395296; rev:1;)
>>>
>>>
>>> ok, start suricata v1.2.1 or the latest git as of today:
>>>  suricata-1.2.1 -c suricata.yaml_130 -r exemple_http_reply.pcap
>>>  suricata-1.3beta2git24juin2012 -c suricata.yaml_130 -r
>>> exemple_http_reply.pcap
>>>
>>> ok, 395296 always fires
>>> nok, 395295 never fires
>>>
>>> Can anyone check this please?
>>> If you confirm, I'll open a new redmine ticket for this.
>>> Of course, snort always fires.
>>>
>>> I'm using the default suricata conf; maybe I need to enlarge something like the http reply buffer?
>>
>> Increasing the response-body-limits makes the alert appear again, so
>> it's a configuration issue.
>>
>>
> 


-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
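As an added example (not code from this thread or from Suricata itself), a small Python model of the mechanism Victor describes: the file_data buffer is the reassembled body capped at response-body-limit (0 = unlimited), while a plain content match inspects the raw stream, so a string that sits past the limit is found only by sid 395296. The 3072-byte default limit and the constructed response body are assumptions, not values from the thread.

```python
# Added example, not code from the thread or from Suricata: a toy model of why
# sid 395295 (file_data) stays silent while sid 395296 (plain content) fires.
# file_data inspects the reassembled, normalized body capped at
# response-body-limit (0 = unlimited); the plain match inspects the raw stream.

RESPONSE_BODY_LIMIT_DEFAULT = 3072  # assumed 1.x suricata.yaml default value
NEEDLE = b"dartiframe"              # content:"dartiframe"; nocase;

# Constructed HTTP response (not the real CNN page): the only "dartiframe"
# sits about 5 KB into the body, past the assumed default limit.
HEADERS = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
           b"Connection: close\r\n\r\n")
BODY = (b"<html><body>" + b"<p>filler</p>" * 400
        + b'<div id="dartIframe"></div></body></html>')


def file_data_buffer(body: bytes, limit: int) -> bytes:
    """Normalized body buffer offered to file_data, truncated at `limit`."""
    return body if limit == 0 else body[:limit]


def sig_395295(body: bytes, limit: int) -> bool:
    """flow:to_client; file_data; content:"dartiframe"; nocase;"""
    return NEEDLE in file_data_buffer(body, limit).lower()


def sig_395296(stream: bytes) -> bool:
    """flow:to_client; content:"dartiframe"; nocase; (no buffer keyword,
    so the raw reassembled stream is inspected in full)"""
    return NEEDLE in stream.lower()


def evaluate(limit: int) -> dict:
    """Run both signatures against the constructed response at one limit."""
    return {"395295": sig_395295(BODY, limit),
            "395296": sig_395296(HEADERS + BODY)}


def min_limit_for_match(body: bytes) -> int:
    """Smallest non-zero response-body-limit that keeps the match inside
    the file_data buffer: offset of the needle's last byte + 1."""
    return body.lower().find(NEEDLE) + len(NEEDLE)


if __name__ == "__main__":
    for limit in (RESPONSE_BODY_LIMIT_DEFAULT, min_limit_for_match(BODY), 0):
        print(f"response-body-limit={limit:5d}: {evaluate(limit)}")
```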