<div dir="ltr">
<p>I'm testing a build of 1.4.4 (with Napatech support), and it seems like none of the app-layer protocols are working. My IP/TCP rules alert just fine. I also have zero-byte http and tls logs despite them both being enabled, so I think it's a bit deeper than a rule misconfiguration; nonetheless, I'll put an example below. Has anyone seen this type of behavior before?</p>

<p>Here are sample rules:</p>
<pre>
alert http any any -> $VIPS_NET any (msg:"Test HTTP"; content:"scarlett"; http_header; nocase; classtype:policy-violation; sid:1; rev:1;) # Never alerts
alert tcp any any -> $VIPS_NET any (msg:"Test TCP"; content:"scarlett"; nocase; classtype:policy-violation; sid:2; rev:1;) # Always alerts
</pre>

<p>Here is the GET request:</p>
<pre>
--request begin---
GET /stuff/index.html HTTP/1.0
User-Agent: scarlett
Accept: */*
Host: blah.myserver.com
Connection: Keep-Alive
</pre>

<p>BUILD INFO</p>
<pre>
This is Suricata version 1.4.4 RELEASE
Features: PCAP_SET_BUFF LIBPCAP_VERSION_MAJOR=1 AF_PACKET HAVE_PACKET_FANOUT LIBCAP_NG LIBNET1.1 HAVE_HTP_URI_NORMALIZE_HOOK HAVE_HTP_TX_GET_RESPONSE_HEADERS_RAW PCRE_JIT HAVE_LUAJIT HAVE_LIBJANSSON
64-bits, Little-endian architecture
GCC version 4.4.7 20120313 (Red Hat 4.4.7-3), C version 199901
  __GCC_HAVE_SYNC_COMPARE_AND_SWAP_1
  __GCC_HAVE_SYNC_COMPARE_AND_SWAP_2
  __GCC_HAVE_SYNC_COMPARE_AND_SWAP_4
  __GCC_HAVE_SYNC_COMPARE_AND_SWAP_8
  __GCC_HAVE_SYNC_COMPARE_AND_SWAP_16
compiled with libhtp 0.2.14, linked against 0.2.14
Suricata Configuration:
  AF_PACKET support: yes
  PF_RING support: no
  NFQueue support: no
  IPFW support: no
  DAG enabled: no
  Napatech enabled: yes
  Unix socket enabled: yes

  libnss support: no
  libnspr support: no
  libjansson support: yes
  Prelude support: no
  PCRE jit: yes
  libluajit: yes
  libgeoip: yes
  Non-bundled htp: no
  Old barnyard2 support: no
  CUDA enabled: no

  Suricatasc install: yes

  Unit tests enabled: no
  Debug output enabled: no
  Debug validation enabled: no
  Profiling enabled: no
  Profiling locks enabled: no

Generic build parameters:
  Installation prefix (--prefix): /opt/suricata
  Configuration directory (--sysconfdir): /opt/suricata/etc/suricata/
  Log directory (--localstatedir): /opt/suricata/var/log/suricata/

  Host: x86_64-unknown-linux-gnu
  GCC binary: gcc
  GCC Protect enabled: no
  GCC march native enabled: yes
  GCC Profile enabled: no

=========Supported App Layer Protocols=========
http
ftp
smtp
tls
ssh
imap
msn
smb
smb2
dcerpc
dcerpcudp
=====
</pre>

<p>Thanks,<br>Dan</p>
</div>