<div dir="ltr"><br><br><div class="gmail_quote">---------- Forwarded message ----------<br>From: <b class="gmail_sendername">Vincent Fang</b> <span dir="ltr"><<a href="mailto:vincent.y.fang@gmail.com">vincent.y.fang@gmail.com</a>></span><br>
Date: Thu, Jan 10, 2013 at 4:20 PM<br>Subject: Re: [Oisf-users] Suricata 1.4 simple alert rule, first visit to website not triggering an alert<br>To: Eoin Miller <<a href="mailto:eoin.miller@trojanedbinaries.com">eoin.miller@trojanedbinaries.com</a>><br>
<br><br><div dir="ltr">Response to Peter Manav:<div><br></div><div>Immediately after the first visit when I stop suricata, the logs stay the same with fast.log being at 0 bytes with no alerts along with unified2. A weird thing I'm noticing is that the http.log is also at 0 bytes as well even though I see get requests being made and passing through wireshark.<br>
</div><div><br></div><div>I then saved the pcap file called businessweek from Wireshark, cleared the logs again, and ran Suricata in offline pcap mode with the following command:</div><div>suricata -c /pathtoyaml/suricata.yaml -r /pathtopcap/businessweek</div>
<div><br></div><div>and the resulting logs were the same: 0 bytes in the fast.log and 0 bytes in the http.log.</div><div><br></div><div>Response to rmkml:</div><div><br></div><div>I tried with wget and the same situation occurs, with the fast.log being 0. I also tried clearing the Google cache and restarting the test again, and the same result occurred. I switched browsers to Firefox and cleared the cache, however, and alerts started popping up in the fast.log, but only if I cleared the cache after already visiting the webpage once; otherwise fast.log would never populate.</div>
<div><br></div><div>The thing that confuses me is: what am I seeing in Wireshark if it sees HTTP packets matching the destination IP address? Or, because it's all running on a local box, does a special scenario occur?</div>
<div><br></div><div><br></div><div>Response to Eoin Miller:</div><div><br></div><div>Changing the rule to tcp did not affect the outcome, and Wireshark didn't match the filter</div><div>
tcp && ip.dst == 207.86.164.0/24</div><div><br></div><div><br></div><div>So it looks like I get the correct results with Firefox if the cache is cleared, but what exactly is going on if I see matching HTTP packets in Wireshark with the matching IP destination?</div>
<div><br></div></div><div class="HOEnZb"><div class="h5"><div class="gmail_extra"><br><br><div class="gmail_quote">On Thu, Jan 10, 2013 at 3:34 PM, Eoin Miller <span dir="ltr"><<a href="mailto:eoin.miller@trojanedbinaries.com" target="_blank">eoin.miller@trojanedbinaries.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">On 1/10/2013 19:57, Vincent Fang wrote:<br>
><br>
> alert http any any -> 207.86.164.0/24 any (msg:<br>
> "visiting businessweek")<br>
<br>
Maybe try alert tcp instead of alert http.<br>
<span><font color="#888888"><br>
-- Eoin<br>
</font></span><div><div>_______________________________________________<br>
Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org" target="_blank">oisf-users@openinfosecfoundation.org</a><br>
Site: <a href="http://suricata-ids.org" target="_blank">http://suricata-ids.org</a> | Support: <a href="http://suricata-ids.org/support/" target="_blank">http://suricata-ids.org/support/</a><br>
List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" target="_blank">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>
OISF: <a href="http://www.openinfosecfoundation.org/" target="_blank">http://www.openinfosecfoundation.org/</a><br>
</div></div></blockquote></div><br></div>
</div></div></div><br></div>
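The rule quoted in the thread carries only a <code>msg</code> option. As an added example (not code from the list posters and not Suricata's own parser), the following Python splits a Suricata rule into its header fields and its option list, then reports what the rule lacks: <code>sid</code> and <code>rev</code>, which Suricata expects on every rule, and, for <code>alert http</code> rules with no content or <code>http_*</code> keyword, the fact that the match depends entirely on app-layer protocol detection on the flow, which is the dependency Eoin's suggestion of <code>alert tcp</code> removes. The corrected rule, its <code>sid</code> value and the <code>flow</code> option are constructed for the example; the original rule text is taken from the thread.

```python
"""Parse and sanity-check Suricata rule text (added example; not Suricata code)."""
import re
from dataclasses import dataclass, field

# The rule as posted in the thread, including the mail client's line wrap.
POSTED_RULE = 'alert http any any -> 207.86.164.0/24 any (msg:\n"visiting businessweek")'

# Constructed counterpart: same header, plus the options the posted rule lacks.
# The sid 1000001 is a placeholder in the local-rules range, not a value from the thread.
CORRECTED_RULE = ('alert http any any -> 207.86.164.0/24 any '
                  '(msg:"visiting businessweek"; flow:to_server,established; sid:1000001; rev:1;)')

# Rule header: action proto src src_port direction dst dst_port (options)
_HEADER_RE = re.compile(
    r"^\s*(?P<action>alert|drop|pass|reject)\s+"
    r"(?P<proto>\S+)\s+"
    r"(?P<src>\S+)\s+(?P<src_port>\S+)\s+"
    r"(?P<direction>->|<>)\s+"
    r"(?P<dst>\S+)\s+(?P<dst_port>\S+)\s*"
    r"\((?P<options>.*)\)\s*$",
    re.DOTALL,
)

# Option keywords that constrain the payload; without one of these an
# "alert http" rule matches on protocol detection alone.
_CONTENT_KEYWORDS = ("content", "pcre", "urilen")


@dataclass
class Rule:
    action: str
    proto: str
    src: str
    src_port: str
    direction: str
    dst: str
    dst_port: str
    options: list = field(default_factory=list)  # [(keyword, value-or-None), ...]

    def option(self, keyword):
        """Return the value of the first option named keyword, or None."""
        for k, v in self.options:
            if k == keyword:
                return v
        return None


def _split_kv(item):
    key, sep, value = item.partition(":")
    return (key.strip(), value.strip() if sep else None)


def split_options(text):
    """Split 'msg:"a;b"; sid:1;' into [('msg', '"a;b"'), ('sid', '1')].

    Semicolons inside double quotes (and escaped characters) do not end an option.
    """
    opts, buf, in_quotes, escaped = [], [], False, False
    for ch in text:
        if escaped:
            buf.append(ch)
            escaped = False
            continue
        if ch == "\\":
            buf.append(ch)
            escaped = True
            continue
        if ch == '"':
            in_quotes = not in_quotes
        if ch == ";" and not in_quotes:
            item = "".join(buf).strip()
            if item:
                opts.append(_split_kv(item))
            buf = []
        else:
            buf.append(ch)
    tail = "".join(buf).strip()
    if tail:
        opts.append(_split_kv(tail))
    return opts


def parse_rule(text):
    """Parse one rule into a Rule; raises ValueError if the header does not fit."""
    m = _HEADER_RE.match(text)
    if not m:
        raise ValueError("not a Suricata rule header: %r" % text[:60])
    return Rule(m["action"], m["proto"], m["src"], m["src_port"],
                m["direction"], m["dst"], m["dst_port"], split_options(m["options"]))


def lint_rule(rule):
    """Return (errors, warnings) for a parsed rule."""
    errors = [f"missing {k}" for k in ("sid", "rev", "msg") if rule.option(k) is None]
    warnings = []
    has_match = any(k.startswith("http") or k in _CONTENT_KEYWORDS for k, _ in rule.options)
    if rule.proto == "http" and not has_match:
        warnings.append("alert http with no http_*/content keyword: match relies solely "
                        "on app-layer detection recognising HTTP on the flow")
    return errors, warnings


if __name__ == "__main__":
    for label, text in (("posted", POSTED_RULE), ("corrected", CORRECTED_RULE)):
        rule = parse_rule(text)
        errors, warnings = lint_rule(rule)
        print(f"{label}: proto={rule.proto} dst={rule.dst} options={rule.options}")
        print(f"  errors={errors}\n  warnings={warnings}")
```

Running the module prints the parsed fields of both rules; the posted rule reports <code>missing sid</code> and <code>missing rev</code>, while the corrected rule reports no errors and keeps only the protocol-detection warning, which is exactly the property the tcp-versus-http discussion in the thread turns on.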