<div dir="ltr">Would asymmetric traffic cause the protocol parsers to not get called?  In this deployment, I'm only seeing the inbound traffic.<div><br></div><div><br></div><div style>cheers,<br>Dan</div><div style><br>
</div></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Thu, Jul 25, 2013 at 2:42 AM, Dan Murphy <span dir="ltr"><<a href="mailto:dmurphy@defense.net" target="_blank">dmurphy@defense.net</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">No invalid checksums detected.  To verify further, I disabled it in the suricata.yaml and tested again, and it is still not functioning.<div>
<br></div><div><br></div><div><br></div></div><div class="HOEnZb"><div class="h5"><div class="gmail_extra"><br>
<br><div class="gmail_quote">On Thu, Jul 25, 2013 at 2:15 AM, Anoop Saldanha <span dir="ltr"><<a href="mailto:anoopsaldanha@gmail.com" target="_blank">anoopsaldanha@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">

<div><div>On Thu, Jul 25, 2013 at 10:41 AM, Dan Murphy <<a href="mailto:dmurphy@defense.net" target="_blank">dmurphy@defense.net</a>> wrote:<br>
> I'm testing a build of 1.4.4 (with napatech support) and it seems like none<br>
> of the app layer protocols are working.  My ip / tcp rules alert just fine.<br>
> I also have zero-byte http and tls logs despite them both being enabled, so I<br>
> think it's a bit deeper than a rule misconfiguration; nonetheless, I'll put an<br>
> example below.  Has anyone seen this type of behavior before?<br>
><br>
><br>
> Here are sample rules:<br>
> alert http any any -> $VIPS_NET any (msg:"Test HTTP"; content:"scarlett";<br>
> http_header; nocase; classtype:policy-violation; sid:1; rev:1;)  # Never<br>
> alerts<br>
> alert tcp any any -> $VIPS_NET any (msg:"Test TCP"; content:"scarlett";<br>
> nocase; classtype:policy-violation; sid:2; rev:1;)                        #<br>
> Always alerts<br>
><br>
> Here is the GET request:<br>
> --request begin---<br>
> GET /stuff/index.html HTTP/1.0<br>
> User-Agent: scarlett<br>
> Accept: */*<br>
> Host: <a href="http://blah.myserver.com" target="_blank">blah.myserver.com</a><br>
> Connection: Keep-Alive<br>
><br>
><br>
><br>
><br>
><br>
> This is Suricata version 1.4.4 RELEASE<br>
><br>
> BUILD INFO<br>
> This is Suricata version 1.4.4 RELEASE<br>
> Features: PCAP_SET_BUFF LIBPCAP_VERSION_MAJOR=1 AF_PACKET HAVE_PACKET_FANOUT<br>
> LIBCAP_NG LIBNET1.1 HAVE_HTP_URI_NORMALIZE_HOOK<br>
> HAVE_HTP_TX_GET_RESPONSE_HEADERS_RAW PCRE_JIT HAVE_LUAJIT HAVE_LIBJANSSON<br>
> 64-bits, Little-endian architecture<br>
> GCC version 4.4.7 20120313 (Red Hat 4.4.7-3), C version 199901<br>
>   __GCC_HAVE_SYNC_COMPARE_AND_SWAP_1<br>
>   __GCC_HAVE_SYNC_COMPARE_AND_SWAP_2<br>
>   __GCC_HAVE_SYNC_COMPARE_AND_SWAP_4<br>
>   __GCC_HAVE_SYNC_COMPARE_AND_SWAP_8<br>
>   __GCC_HAVE_SYNC_COMPARE_AND_SWAP_16<br>
> compiled with libhtp 0.2.14, linked against 0.2.14<br>
> Suricata Configuration:<br>
>   AF_PACKET support:                       yes<br>
>   PF_RING support:                         no<br>
>   NFQueue support:                         no<br>
>   IPFW support:                            no<br>
>   DAG enabled:                             no<br>
>   Napatech enabled:                        yes<br>
>   Unix socket enabled:                     yes<br>
><br>
>   libnss support:                          no<br>
>   libnspr support:                         no<br>
>   libjansson support:                      yes<br>
>   Prelude support:                         no<br>
>   PCRE jit:                                yes<br>
>   libluajit:                               yes<br>
>   libgeoip:                                yes<br>
>   Non-bundled htp:                         no<br>
>   Old barnyard2 support:                   no<br>
>   CUDA enabled:                            no<br>
><br>
>   Suricatasc install:                      yes<br>
><br>
>   Unit tests enabled:                      no<br>
>   Debug output enabled:                    no<br>
>   Debug validation enabled:                no<br>
>   Profiling enabled:                       no<br>
>   Profiling locks enabled:                 no<br>
><br>
> Generic build parameters:<br>
>   Installation prefix (--prefix):          /opt/suricata<br>
>   Configuration directory (--sysconfdir):  /opt/suricata/etc/suricata/<br>
>   Log directory (--localstatedir) :        /opt/suricata/var/log/suricata/<br>
><br>
>   Host:                                    x86_64-unknown-linux-gnu<br>
>   GCC binary:                              gcc<br>
>   GCC Protect enabled:                     no<br>
>   GCC march native enabled:                yes<br>
>   GCC Profile enabled:                     no<br>
><br>
> =========Supported App Layer Protocols=========<br>
> http<br>
> ftp<br>
> smtp<br>
> tls<br>
> ssh<br>
> imap<br>
> msn<br>
> smb<br>
> smb2<br>
> dcerpc<br>
> dcerpcudp<br>
> =====<br>
<br>
</div></div>Can you verify if this solves it for you? -<br>
<br>
<a href="https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Frequently_Asked_Questions" target="_blank">https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Frequently_Asked_Questions</a><br>
<span><font color="#888888"><br>
--<br>
-------------------------------<br>
Anoop Saldanha<br>
<a href="http://www.poona.me" target="_blank">http://www.poona.me</a><br>
-------------------------------<br>
</font></span></blockquote></div><br></div>
</div></div></blockquote></div><br></div>
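A check for the asymmetry question above, added here and not part of this thread: it parses raw IPv4/TCP packets, keys both directions of a session to one flow, and reports flows for which only one side (or never a SYN/ACK) was seen. The packet builder and the sample packets are constructed for the example; on a real sensor a pcap reader would feed parse_tcp instead.

```python
import struct

SYN, ACK, PSH = 0x02, 0x10, 0x08

def make_tcp(src, dst, sport, dport, flags):
    """Build a minimal IPv4+TCP packet (no options, checksums left at zero)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    return ip + tcp

# Constructed sample traffic (not from the poster's network): one session seen
# from both sides, one where the tap only delivers the inbound client->server side.
SAMPLE_PACKETS = [
    make_tcp("192.0.2.10", "10.0.0.5", 40000, 80, SYN),
    make_tcp("10.0.0.5", "192.0.2.10", 80, 40000, SYN | ACK),
    make_tcp("192.0.2.10", "10.0.0.5", 40000, 80, ACK),
    make_tcp("192.0.2.10", "10.0.0.5", 40000, 80, PSH | ACK),
    make_tcp("192.0.2.11", "10.0.0.5", 40001, 80, SYN),
    make_tcp("192.0.2.11", "10.0.0.5", 40001, 80, PSH | ACK),
]

def parse_tcp(pkt):
    """Return (src, dst, sport, dport, flags), or None if not IPv4/TCP."""
    if pkt[0] >> 4 != 4 or pkt[9] != 6:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    src, dst = (".".join(map(str, pkt[i:i + 4])) for i in (12, 16))
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    return src, dst, sport, dport, pkt[ihl + 13]

def flow_directions(packets):
    """Map each flow (order-independent 4-tuple) to the directions/events seen."""
    flows = {}
    for pkt in packets:
        parsed = parse_tcp(pkt)
        if parsed is None:
            continue
        src, dst, sport, dport, flags = parsed
        key = tuple(sorted([(src, sport), (dst, dport)]))  # same key both ways
        seen = flows.setdefault(key, set())
        seen.add("forward" if key[0] == (src, sport) else "reverse")
        if (flags & (SYN | ACK)) == (SYN | ACK):
            seen.add("syn-ack")  # handshake reply was observed
    return flows

def one_sided_flows(packets):
    """Flows missing a direction or the SYN/ACK; app-layer parsers never see these."""
    return sorted(k for k, seen in flow_directions(packets).items()
                  if "syn-ack" not in seen or len(seen - {"syn-ack"}) < 2)
```

A sensor whose tap delivers only the inbound side lists every flow here, which matches the symptom of tcp rules alerting while http rules and the http/tls logs stay empty.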