[Oisf-devel] Suricata FN on http reply with file_data.

rmkml rmkml at yahoo.fr
Thu Jun 28 22:25:45 UTC 2012


Hi Victor,

Yes, I understand, for memory/performance reasons,
but for only a content with distance (after file_data): why not simply set a flag like flowbits in this "special" case?

Regards
Rmkml



On Thu, 28 Jun 2012, Victor Julien wrote:

> In Suricata, file_data inspects a normalized buffer. Its max size can
> be controlled for performance reasons. Most signatures look at the start
> of a body, so inspecting all of it can be wasteful. But you can increase
> it or set it to unlimited (0), which will inspect all.
>
> On 06/27/2012 12:54 AM, rmkml wrote:
>> Thank you, Victor,
>>
>> but in my mind, file_data is like a flag (or flowbits), and I'm searching
>> for only one word "dartiframe" with the file_data flag.
>>
>> but why do I need to enlarge response-body-limit, and not simply flag file_data
>> (like flowbits) + dartiframe?
>>
>>
>> I would need to enlarge response-body-limit if I search for flag file_data + content
>> with within/depth + another content with within/depth...
>>
>> What do you think please?
>> Best Regards
>> Rmkml
>>
>>
>> On Mon, 25 Jun 2012, Victor Julien wrote:
>>
>>> On 06/25/2012 02:33 AM, rmkml wrote:
>>>> Hi,
>>>>
>>>> First, congratulations on all the hard work and the last fix.
>>>>
>>>>
>>>> Second, OK, I downloaded a web page from the CNN web site:
>>>>  wget http://www.cnn.com/
>>>> (wget=without http reply compression)
>>>>
>>>> OK, and captured the network traffic with tcpdump:
>>>>  sudo tcpdump -s 0 -i any -w exemple_http_reply.pcap tcp port 80
>>>>  tcpdump: listening on any, link-type LINUX_SLL (Linux cooked), capture
>>>> size 65535 bytes
>>>>  123 packets captured
>>>>  123 packets received by filter
>>>>  0 packets dropped by kernel
>>>>
>>>> For example, searching for the word "dartiframe" with grep:
>>>>  grep dartiframe exemple_http_reply.pcap
>>>>  Fichier binaire exemple_http_reply.pcap concordant
>>>> (appears one time at the end of the pcap)
>>>>
>>>> Next step, create a new signature for detecting this word with
>>>> file_data:
>>>>  alert tcp any 80 -> any any (msg:"test dartiframe 1";
>>>> flow:to_client,established; file_data; content:"dartiframe"; nocase;
>>>> distance:0; classtype:web-application-activity; sid:395295; rev:1;)
>>>> (same result with or without distance)
>>>>
>>>> and create another new signature for detecting this word without
>>>> file_data:
>>>>  alert tcp any 80 -> any any (msg:"test dartiframe 2";
>>>> flow:to_client,established; content:"dartiframe"; nocase;
>>>> classtype:web-application-activity; sid:395296; rev:1;)
>>>>
>>>>
>>>> OK, start Suricata v1.2.1 or today's latest git:
>>>>  suricata-1.2.1 -c suricata.yaml_130 -r exemple_http_reply.pcap
>>>>  suricata-1.3beta2git24juin2012 -c suricata.yaml_130 -r
>>>> exemple_http_reply.pcap
>>>>
>>>> OK, 395296 always fires
>>>> NOK, 395295 never fires
>>>>
>>>> Can anyone check this please?
>>>> If you confirm, I'll open a new redmine ticket for this.
>>>> Of course, Snort always fires.
>>>>
>>>> I'm using the default Suricata conf; maybe I need to enlarge something like the http reply buffer?
>>>
>>> Increasing the response-body-limits makes the alert appear again, so
>>> it's a configuration issue.
>>>
>>> --
>>> ---------------------------------------------
>>> Victor Julien
>>> http://www.inliniac.net/
>>> PGP: http://www.inliniac.net/victorjulien.asc
>>> ---------------------------------------------
>>>
>>>
>>>
>>> _______________________________________________
>>> Oisf-devel mailing list
>>> Oisf-devel at openinfosecfoundation.org
>>> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel
>>>
>>
>
>
> -- 
> ---------------------------------------------
> Victor Julien
> http://www.inliniac.net/
> PGP: http://www.inliniac.net/victorjulien.asc
> ---------------------------------------------
>
>
>
>
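A small model of the behaviour discussed in this thread, added here as an example and not code from Suricata or from any of the posters: file_data inspects a normalized body buffer cut off at response-body-limit, so a pattern sitting past that limit is missed, while a plain content match on the raw payload still hits. The 3072-byte default and the constructed HTML body are assumptions for illustration.

```python
# Added model (constructed for this thread, not Suricata's code) of why
# sid 395295 (file_data) misses "dartiframe" while sid 395296 (raw content) hits:
# file_data only sees the normalized body up to response-body-limit.

# Assumed default for illustration only; the real value is in suricata.yaml
# under libhtp. The thread only says it can be raised or set to 0 (unlimited).
ASSUMED_RESPONSE_BODY_LIMIT = 3072


def file_data_buffer(body: bytes, response_body_limit: int) -> bytes:
    """Return the part of the response body that file_data would inspect.

    A limit of 0 means unlimited, as stated in the thread."""
    if response_body_limit == 0:
        return body
    return body[:response_body_limit]


def file_data_sig_matches(body: bytes, pattern: bytes, response_body_limit: int) -> bool:
    """Model of sid 395295: file_data; content:"dartiframe"; nocase;"""
    return pattern.lower() in file_data_buffer(body, response_body_limit).lower()


def raw_sig_matches(body: bytes, pattern: bytes) -> bool:
    """Model of sid 395296: content:"dartiframe"; nocase; on the whole payload."""
    return pattern.lower() in body.lower()


def build_body(filler_len: int) -> bytes:
    """Constructed HTML body: filler first, then the pattern near the end,
    mirroring the report where grep found the word at the end of the pcap."""
    return (b"<html><body>" + b"x" * filler_len
            + b'<iframe id="DartIframe"></iframe></body></html>')


def compare(body: bytes, pattern: bytes, response_body_limit: int) -> dict:
    """Evaluate both modelled signatures against one response body."""
    return {
        "sid_395295_file_data": file_data_sig_matches(body, pattern, response_body_limit),
        "sid_395296_raw": raw_sig_matches(body, pattern),
    }


if __name__ == "__main__":
    body = build_body(10_000)  # pattern sits well beyond the assumed 3072-byte limit
    print("assumed default limit:", compare(body, b"dartiframe", ASSUMED_RESPONSE_BODY_LIMIT))
    print("limit 0 (unlimited)  :", compare(body, b"dartiframe", 0))
```

Raising the limit restores the file_data match at the cost of buffering and inspecting more of every response, which is the trade-off the thread turns on.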


