<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#000000">
For what it's worth:<br>
<br>
# tcpdump -s0 -i eth0 -w test.pcap &<br>
# curl <a class="moz-txt-link-freetext" href="http://vg.no/abcd.php">http://vg.no/abcd.php</a> --data
"galid=abcdzad&dzadzza=dzadzdza"<br>
<br>
Then I run suricata on the pcap:<br>
# suricata --runmode single -c suricata.yaml -r test.pcap<br>
<br>
#### Events:<br>
04/19/2012-09:20:21.738662 [**] [1:90011669:1] FN suricata [**]
[Classification: access to a potentially vulnerable web application]
[Priority: 2] {TCP} 1.2.3.4:4702 -> 195.88.54.16:80<br>
04/19/2012-09:20:21.738662 [**] [1:90011668:1] FN suricata [**]
[Classification: access to a potentially vulnerable web application]
[Priority: 2] {TCP} 1.2.3.4:4702 -> 195.88.54.16:80<br>
04/19/2012-09:20:21.738662 [**] [1:90011667:1] FN suricata [**]
[Classification: access to a potentially vulnerable web application]
[Priority: 2] {TCP} 1.2.3.4:4702 -> 195.88.54.16:80<br>
<br>
I run without checksum validation.<br>
<br>
Tested on two versions of suricata:<br>
1: This is Suricata version 1.1beta2 (rev 58d7cb2)<br>
(1.1.1 (rev 1bfb46f) is throwing a flow error I'm not digging into
right now)<br>
2: This is Suricata version 1.3dev (rev fbe0206)<br>
<br>
E<br>
<br>
<br>
On 04/19/2012 01:58 AM, rmkml wrote:
<blockquote
cite="mid:alpine.LFD.2.01.1204190057540.1843@lenovo.localdomain"
type="cite">Hi,
<br>
<br>
I restarted my Suricata (v1.2.1 and 1.3git) testing and I found
strange results, with these sigs not firing:
<br>
<br>
alert tcp any any -> any 80 (msg:"FN suricata";
flow:to_server,established; isdataat:1;
classtype:web-application-activity; sid:90011667; rev:1;)
<br>
<br>
alert tcp any any -> any 80 (msg:"FN suricata";
flow:to_server,established; pcre:"/^[^\n]{5}/P";
classtype:web-application-activity; sid:90011668; rev:1;)
<br>
<br>
alert tcp any any -> any 80 (msg:"FN suricata";
flow:to_server,established; content:"galid"; nocase;
http_client_body; classtype:web-application-activity;
sid:90011669; rev:1;)
<br>
<br>
<br>
Tested with these two http commands:
<br>
wget <a class="moz-txt-link-freetext" href="http://192.168.1.1/abcd.php">http://192.168.1.1/abcd.php</a>
--post-data="galid=abcdzad&dzadzza=dzadzdza"
<br>
curl <a class="moz-txt-link-freetext" href="http://192.168.1.1/abcd.php">http://192.168.1.1/abcd.php</a> --data
"galid=abcdzad&dzadzza=dzadzdza"
<br>
<br>
Attached my two pcaps for replaying.
<br>
No suricata error.
<br>
Disabled cksum validation.
<br>
<br>
I'm sure I'm totally wrong, but could someone check/confirm please? If
OK, I'll open a new Redmine ticket.
<br>
Of course, Snort always fires.
<br>
Regards
<br>
Rmkml
<br>
<br>
<a class="moz-txt-link-freetext" href="http://twitter.com/rmkml">http://twitter.com/rmkml</a><br>
<pre wrap="">
<fieldset class="mimeAttachmentHeader"></fieldset>
_______________________________________________
Oisf-devel mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Oisf-devel@openinfosecfoundation.org">Oisf-devel@openinfosecfoundation.org</a>
<a class="moz-txt-link-freetext" href="http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel">http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel</a></pre>
</blockquote>
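An added example, not code from either message in this thread: a small Python model of what the three rule options ask for, run against a constructed copy of the curl POST from the thread, plus a parser for the fast.log line shape shown in the reply that reports which of the tested sids did not fire. The request headers, the bodyless GET and the partial fast.log are assumptions for illustration; the check functions model the rule-option semantics only and do not reproduce Suricata's flow/established tracking or its HTTP parser.<br>

```python
import re

# Constructed sample request: what `curl http://192.168.1.1/abcd.php --data
# "galid=abcdzad&dzadzza=dzadzdza"` puts on the wire (the headers are an
# assumption; the rules under test only look at the body).
CURL_POST = (
    b"POST /abcd.php HTTP/1.1\r\n"
    b"User-Agent: curl/7.22.0\r\n"
    b"Host: 192.168.1.1\r\n"
    b"Accept: */*\r\n"
    b"Content-Length: 30\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"\r\n"
    b"galid=abcdzad&dzadzza=dzadzdza"
)

# Assumed contrast case: a GET with no body, so the body-based rules have
# nothing to match but isdataat:1 still sees payload.
GET_NO_BODY = b"GET /abcd.php HTTP/1.1\r\nHost: 192.168.1.1\r\n\r\n"


def http_client_body(raw):
    """Return the request body, i.e. the buffer http_client_body and pcre /P inspect."""
    _head, _sep, body = raw.partition(b"\r\n\r\n")
    return body


def sid_90011667(raw):
    """isdataat:1 -> at least one byte of payload; no HTTP buffer involved."""
    return len(raw) >= 1


def sid_90011668(raw):
    """pcre:"/^[^\\n]{5}/P" -> five non-newline bytes at the start of the client body."""
    return re.match(rb"^[^\n]{5}", http_client_body(raw)) is not None


def sid_90011669(raw):
    """content:"galid"; nocase; http_client_body -> case-insensitive match in the body."""
    return b"galid" in http_client_body(raw).lower()


RULES = {90011667: sid_90011667, 90011668: sid_90011668, 90011669: sid_90011669}


def expected_sids(raw):
    """Sids that should fire on this request, going by the rule-option semantics above."""
    return {sid for sid, check in RULES.items() if check(raw)}


# fast.log line shape from the reply: "... [**] [gid:sid:rev] msg [**] ..."
FASTLOG_SID = re.compile(r"\[\*\*\] \[(\d+):(\d+):(\d+)\] ")


def fired_sids(fastlog):
    """Set of sids that appear in fast.log text."""
    return {int(m.group(2)) for m in FASTLOG_SID.finditer(fastlog)}


def false_negatives(raw, fastlog):
    """Sids that should have fired on `raw` but are absent from `fastlog`, sorted."""
    return sorted(expected_sids(raw) - fired_sids(fastlog))


# Constructed fast.log samples: FULL_LOG mirrors the three events in the reply;
# PARTIAL_LOG is a hypothetical run where only the isdataat rule fired.
FULL_LOG = """\
04/19/2012-09:20:21.738662 [**] [1:90011669:1] FN suricata [**] [Classification: access to a potentially vulnerable web application] [Priority: 2] {TCP} 1.2.3.4:4702 -> 195.88.54.16:80
04/19/2012-09:20:21.738662 [**] [1:90011668:1] FN suricata [**] [Classification: access to a potentially vulnerable web application] [Priority: 2] {TCP} 1.2.3.4:4702 -> 195.88.54.16:80
04/19/2012-09:20:21.738662 [**] [1:90011667:1] FN suricata [**] [Classification: access to a potentially vulnerable web application] [Priority: 2] {TCP} 1.2.3.4:4702 -> 195.88.54.16:80
"""
PARTIAL_LOG = FULL_LOG.splitlines()[2] + "\n"

if __name__ == "__main__":
    print("expected on curl POST:", sorted(expected_sids(CURL_POST)))
    print("expected on bodyless GET:", sorted(expected_sids(GET_NO_BODY)))
    print("false negatives, full log:", false_negatives(CURL_POST, FULL_LOG))
    print("false negatives, partial log:", false_negatives(CURL_POST, PARTIAL_LOG))
```

Against the full log from the reply the check reports no false negatives; against a log where only sid 90011667 fired it lists 90011668 and 90011669, which is the situation the original post describes. Swap in the real fast.log produced by `suricata -r test.pcap` to run the same comparison on your own capture.<br>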
<br>
</body>
</html>