[Oisf-devel] Suricata not fire on http reply detect if request are not http...

rmkml rmkml at yahoo.fr
Sat May 19 22:39:46 UTC 2012


Hi Anoop,
Thanks, I've opened Redmine ticket #463.
Best Regards
Rmkml


On Sat, 19 May 2012, Anoop Saldanha wrote:

> On Sat, May 19, 2012 at 5:16 AM, rmkml <rmkml at yahoo.fr> wrote:
>> Hi,
>>
>> OK, I'm continuing my Suricata testing. Could someone check this, please?
>> (If yes/confirmed, I'll open a new ticket.)
>>
>> OK, first, send this traffic (Secure...) on an HTTP connection:
>>  telnet www.microsoft.com 80  # sorry
>>  Trying 65.55.57.80...
>>  Connected to www.microsoft.com.
>>  Escape character is '^]'.
>> C->S: Secure * Secure-HTTP/1.4
>> S->C: HTTP/1.1 400 Bad Request
>>  ...
>>
>> -> OK, I'm sending an unknown "Secure" HTTP method, a wrong URI and a bad HTTP
>> version...
>>
>>
>> next, use only two Suricata signatures:
>>
>> not fire:
>>  alert tcp any 80 -> any any (msg:"test1"; flow:to_client,established;
>> content:"400"; http_stat_code; classtype:web-application-attack; sid:11;
>> rev:1;)
>>
>> fire:
>>  alert tcp any 80 -> any any (msg:"test2"; flow:to_client,established;
>> content:" 400 Bad Request"; nocase; classtype:web-application-attack;
>> sid:12; rev:1;)
>>
>>
>> OK: the HTTP request side is not HTTP,
>> but the HTTP reply side is HTTP: why does Suricata not fire, please? (Of course
>> Snort fires with the same sigs.)
>>
>> Tested on suricata git at 16 May 2012. same results with v1.2.1.
>>
>> Attached a pcap as an example.
>>
>> Regards
>> Rmkml
>>
>> http://twitter.com/rmkml
>
> Hi,
>
> Actually this is one of the scenarios where our protocol detection
> fails and we don't send the http stream to our htp parser.  This will
> be fixed when we fix/update our app layer proto detection.
>
> You can open a bug on this.  Thanks
>
> -- 
> Anoop Saldanha
>
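
To make the failure mode discussed in this thread concrete, here is an added example (constructed for this page, not Suricata's own protocol detection or rule engine) that replays the reporter's request/response pair through a toy app-layer detector and the two signatures. The sample bytes, the request-only versus either-direction detection policies, the `Rule` class and the `fired_sids` helper are all assumptions of this model. With request-only detection the flow is never classified as HTTP, so no `http_stat_code` buffer exists and sid 11 cannot match, while sid 12 still matches the raw payload; classifying on the response status line as well lets both fire.

```python
"""
Toy model of an IDS app-layer protocol detector plus two signatures.
Constructed example code for this page; it is NOT Suricata's detection
logic, its HTP integration, or its rule engine.
"""
from dataclasses import dataclass

# Constructed sample exchange, mirroring what the reporter typed over telnet
# (unknown method, wildcard URI, bogus version) and the server's reply.
REQUEST = b"Secure * Secure-HTTP/1.4\r\n\r\n"
RESPONSE = b"HTTP/1.1 400 Bad Request\r\nContent-Length: 0\r\n\r\n"

# Assumed request-side fingerprint: a known method followed by a space.
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ",
                b"OPTIONS ", b"TRACE ", b"CONNECT ")


def detect_to_server(data):
    """Request-direction detection: only a recognised method counts as HTTP."""
    return "http" if data.startswith(HTTP_METHODS) else None


def detect_to_client(data):
    """Response-direction detection: an HTTP/1.x status line counts as HTTP."""
    return "http" if data.startswith(b"HTTP/1.") else None


def detect_flow(request, response, bidirectional):
    """Assumed policy switch: request-only, or fall back to the response side."""
    proto = detect_to_server(request)
    if proto is None and bidirectional:
        proto = detect_to_client(response)
    return proto


def parse_http_response(data):
    """Minimal status-line parser standing in for the HTTP parser.

    Returns the parsed state (here just the status code buffer), or None if
    the data does not look like an HTTP status line.
    """
    line, _, _ = data.partition(b"\r\n")
    parts = line.split(b" ", 2)
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/"):
        return None
    return {"stat_code": parts[1]}


@dataclass
class Rule:
    """Hypothetical rule model: content on the raw payload or on a parser buffer."""
    sid: int
    msg: str
    content: bytes
    buffer: str = "payload"      # "payload" (raw) or "http_stat_code"
    nocase: bool = False


# The two signatures from the thread, expressed in the toy model.
RULES = [
    Rule(11, "test1", b"400", buffer="http_stat_code"),
    Rule(12, "test2", b" 400 Bad Request", nocase=True),
]


def match(rule, response, http_state):
    """A parser-buffer rule can only match if the parser actually ran."""
    if rule.buffer == "http_stat_code":
        if http_state is None:
            return False
        hay = http_state["stat_code"]
    else:
        hay = response
    needle = rule.content
    if rule.nocase:
        hay, needle = hay.lower(), needle.lower()
    return needle in hay


def fired_sids(request, response, bidirectional):
    """Run detection, hand the reply to the parser only if classified as HTTP,
    then evaluate every rule; returns the sids that fire."""
    proto = detect_flow(request, response, bidirectional)
    http_state = parse_http_response(response) if proto == "http" else None
    return [r.sid for r in RULES if match(r, response, http_state)]


if __name__ == "__main__":
    print("request-only detection fires:", fired_sids(REQUEST, RESPONSE, False))
    print("either-direction detection fires:", fired_sids(REQUEST, RESPONSE, True))
```

The either-direction branch is only a sketch of one way to close the gap, not a description of what Suricata's updated detection does; the practical check it suggests is to pair any parser-buffer signature (`http_stat_code`, `http_uri`, and the like) with a raw-payload signature while validating that a given traffic shape is actually being classified.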

