<br><br><div class="gmail_quote">On Sat, Oct 22, 2011 at 10:31 AM, Anoop Saldanha <span dir="ltr"><<a href="mailto:poonaatsoc@gmail.com">poonaatsoc@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">
<div class="im">On Sat, Oct 22, 2011 at 1:58 AM, rmkml <<a href="mailto:rmkml@yahoo.fr">rmkml@yahoo.fr</a>> wrote:<br>
> Hi David and Anoop,<br>
> I have same pb and I search why...<br>
> Simply record network traffic and go to google for example (wget without<br>
> compression)...<br>
> I have removed threshold option: same pb.<br>
> changed to "alert tcp..." and suricata fires.<br>
> I'm using suricata v105.<br>
> Regards<br>
> Rmkml<br>
><br>
><br>
<br>
</div>On our current master, I get the alert with the original unmodified<br>
rule (alert http itself), as long as my home_net matches the ip.<br>
So no issues with master.<br>
<br>
On v105, it seems that on some runs I get the alert and on a couple of<br>
other runs I don't see it. So it looks like a v105 specific thing. Will<br>
need to inspect it more.<br>
<div><div></div><div class="h5"><br>
> On Sat, 22 Oct 2011, Anoop Saldanha wrote:<br>
><br>
>> On Sat, Oct 22, 2011 at 12:06 AM, <<a href="mailto:David.R.Wharton@regions.com">David.R.Wharton@regions.com</a>> wrote:<br>
>>><br>
>>> I have a question about application layer traffic identification and rule<br>
>>> matches based on it, specifically http. I have this rule from<br>
>>> emerging-policy.rules:<br>
>>><br>
>>> alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Incoming Basic Auth Base64 HTTP Password detected unencrypted";<br>
>>> flow:established,to_server;<br>
>>> content:"|0d 0a|Authorization|3a 20|Basic"; nocase;<br>
>>> content:!"YW5vbnltb3VzOg=="; within:32;<br>
>>> threshold: type both, count 1, seconds 300, track by_src;<br>
>>> reference:url,<a href="http://doc.emergingthreats.net/bin/view/Main/2006402" target="_blank">doc.emergingthreats.net/bin/view/Main/2006402</a>;<br>
>>> classtype:policy-violation; sid:2006402; rev:10;)<br>
>>><br>
>>> And I have this traffic:<br>
>>><br>
>>> 13:42:09.149477 IP e.x.t.n.51978 > h.o.m.e.80: S 3741764774:3741764774(0)<br>
>>> win 8192 <mss 1460,nop,wscale 2,nop,nop,sackOK><br>
>>> E .4.3@.1..Xb..9...^M.<br>
>>> .P.......... .................<br>
>>> 13:42:09.149796 IP h.o.m.e.80 > e.x.t.n.51978: S 2299323222:2299323222(0)<br>
>>> ack 3741764775 win 32768 <mss 1460><br>
>>> E .,...........^Mb..9.P.<br>
>>> ...V....`.............<br>
>>> 13:42:09.211776 IP e.x.t.n.51978 > h.o.m.e.80: . ack 1 win 17520<br>
>>> E .(.;@.1..\b..9...^M.<br>
>>> .P.......WP.DpL.........<br>
>>> 13:42:09.216761 IP e.x.t.n.51978 > h.o.m.e.80: P 1:196(195) ack 1 win<br>
>>> 17520<br>
>>> E ...<@.1.<br>
>>> .b..9...^M.<br>
>>> .P.......WP.Dp....GET / HTTP/1.1<br>
>>> Accept:<br>
>>> Cache-Control: no-cache<br>
>>> Authorization: Basic Og==<br>
>>> User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:7.0.1) Gecko/20100101<br>
>>> Firefox/7.0.1<br>
>>> Host: <a href="http://www.mydomain.com" target="_blank">www.mydomain.com</a><br>
>>> Connection: Close<br>
>>> Pragma: no-cache<br>
>>><br>
>>><br>
>>> Yet the rule does not alert as it should. The packet that should set off<br>
>>> the alert is the first one after the TCP three way handshake. At this point<br>
>>> does the engine not have enough data to classify this stream as http and<br>
>>> thus the rule is not firing? I sincerely hope that is not the case....<br>
>>><br>
>>> I have double checked my variables and this should fire; the snort version<br>
>>> (alert tcp) does fire as expected in snort.<br>
>>><br>
>>> Thank you.<br>
>>><br>
>>> -David<br>
>>> _______________________________________________<br>
>>> Oisf-devel mailing list<br>
>>> <a href="mailto:Oisf-devel@openinfosecfoundation.org">Oisf-devel@openinfosecfoundation.org</a><br>
>>> <a href="http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel" target="_blank">http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel</a><br>
>>><br>
>>><br>
>><br>
>> Can you share the pcap for this? You can send it privately if you want<br>
>> to.<br>
>><br>
>> --<br>
>> Anoop Saldanha<br>
><br>
<br>
<br>
<br>
--<br>
Anoop Saldanha<br>
</div></div></blockquote></div>Hi,<br><br>When I simply read a pcap crafted for that rule, it does fire with git master. Same results as Anoop's basically.<br>However a private pcap with the suri yaml (mask out the nets if you have to) would be more helpful I believe.<br>
<br>Thanks<br><br clear="all"><br>-- <br>Peter Manev<br>
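A quick way to check what the rule's two content matches actually decide, independent of the engine: the script below is an added example, not code from the thread or from Suricata, and it re-implements only the `content`/`nocase`/`within:32` logic of sid:2006402 in Python and runs it over the request David posted (reassembled with CRLF line endings, as a constructed sample). It does not model `flow`, `threshold` or Suricata's app-layer protocol detection, which is exactly the part in question above, so a match here only tells you the payload itself satisfies the rule. The credential decoder is for alert triage: `Og==` is base64 of `:` (empty user and password), while the excluded `YW5vbnltb3VzOg==` is base64 of `anonymous:`.

```python
import base64
import binascii
import re

# Constructed sample: the request from David's capture, rebuilt with CRLF
# line endings as it appears on the wire ("Accept:" has an empty value there).
SAMPLE_REQUEST = (
    b"GET / HTTP/1.1\r\n"
    b"Accept:\r\n"
    b"Cache-Control: no-cache\r\n"
    b"Authorization: Basic Og==\r\n"
    b"User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:7.0.1) Gecko/20100101 Firefox/7.0.1\r\n"
    b"Host: www.mydomain.com\r\n"
    b"Connection: Close\r\n"
    b"Pragma: no-cache\r\n"
    b"\r\n"
)

# First content match of sid:2006402:
#   content:"|0d 0a|Authorization|3a 20|Basic"; nocase;
# |0d 0a| is CRLF and |3a 20| is ": ", so the pattern is CRLF + "Authorization: Basic".
HEADER_PATTERN = re.compile(rb"\r\nAuthorization: Basic", re.IGNORECASE)

# Second, negated content match:
#   content:!"YW5vbnltb3VzOg=="; within:32;
# i.e. base64("anonymous:") must NOT occur within 32 bytes after the first match.
ANONYMOUS_B64 = b"YW5vbnltb3VzOg=="
WITHIN = 32


def rule_2006402_matches(payload: bytes) -> bool:
    """Approximate the content logic of sid:2006402 on a single request payload.

    Returns True when a Basic Authorization header is present and the 32 bytes
    following that match do not contain the base64 for "anonymous:".
    Flow state, thresholding and app-layer detection are not modelled.
    """
    m = HEADER_PATTERN.search(payload)
    if m is None:
        return False
    window = payload[m.end():m.end() + WITHIN]
    return ANONYMOUS_B64 not in window


def basic_auth_credentials(payload: bytes):
    """Decode the Basic credential from the request for triage of an alert.

    Returns (user, password) as strings, or None when the header is absent or
    the token is not valid base64.
    """
    m = re.search(rb"\r\nAuthorization: Basic ([A-Za-z0-9+/=]+)", payload, re.IGNORECASE)
    if m is None:
        return None
    try:
        decoded = base64.b64decode(m.group(1), validate=True)
    except (binascii.Error, ValueError):
        return None
    user, _, password = decoded.partition(b":")
    return user.decode("latin-1"), password.decode("latin-1")


if __name__ == "__main__":
    print("sid:2006402 content logic matches:", rule_2006402_matches(SAMPLE_REQUEST))
    print("decoded credential:", basic_auth_credentials(SAMPLE_REQUEST))
    # The excluded case: an anonymous login must not fire.
    anon = SAMPLE_REQUEST.replace(b"Basic Og==", b"Basic " + ANONYMOUS_B64)
    print("anonymous request matches:", rule_2006402_matches(anon))
```

If the payload-only check says the request should match but the engine stays silent, the cause is elsewhere (flow direction, `$HOME_NET`/`$EXTERNAL_NET`, or the flow not being classified as HTTP yet), which is the distinction the replies above are drawing.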