<div dir="ltr">In addition ... from looking at the console it looks like the rules load properly. Maybe there's something in there that's meaningful to someone other than me?<div><br></div><div><div>24/7/2013 -- 23:43:38 - &lt;Info&gt; - IP reputation disabled</div>
<div>24/7/2013 -- 23:43:38 - &lt;Info&gt; - 1 rule files processed. 2 rules successfully loaded, 0 rules failed</div><div>24/7/2013 -- 23:43:38 - &lt;Info&gt; - 2 signatures processed. 0 are IP-only rules, 1 are inspecting packet payload, 1 inspect application layer, 0 are decoder event only</div>
<div>24/7/2013 -- 23:43:38 - &lt;Info&gt; - building signature grouping structure, stage 1: adding signatures to signature source addresses... complete</div><div>24/7/2013 -- 23:43:38 - &lt;Info&gt; - building signature grouping structure, stage 2: building source address list... complete</div>
<div>24/7/2013 -- 23:43:38 - &lt;Info&gt; - building signature grouping structure, stage 3: building destination address lists... complete</div><div>24/7/2013 -- 23:43:38 - &lt;Info&gt; - Threshold config parsed: 0 rule(s) found</div>
<div>24/7/2013 -- 23:43:38 - &lt;Info&gt; - Live rule swap has swapped 36 old det_ctx's with new ones, along with the new de_ctx</div><div>24/7/2013 -- 23:43:38 - &lt;Info&gt; - cleaning up signature grouping structure... complete</div>
</div><div><br></div></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Thu, Jul 25, 2013 at 2:42 AM, Dan Murphy <span dir="ltr">&lt;<a href="mailto:dmurphy@defense.net" target="_blank">dmurphy@defense.net</a>&gt;</span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">No invalid checksums detected. To verify further I disabled it in the suricata.yaml and tested again and still not functioning.<div>
<br></div><div><br></div><div><br></div></div><div class="HOEnZb"><div class="h5"><div class="gmail_extra"><br>
<br><div class="gmail_quote">On Thu, Jul 25, 2013 at 2:15 AM, Anoop Saldanha <span dir="ltr">&lt;<a href="mailto:anoopsaldanha@gmail.com" target="_blank">anoopsaldanha@gmail.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div><div>On Thu, Jul 25, 2013 at 10:41 AM, Dan Murphy &lt;<a href="mailto:dmurphy@defense.net" target="_blank">dmurphy@defense.net</a>&gt; wrote:<br>
> I'm testing a build of 1.4.4 (with napatech support) and it seems like none<br>
> of the app layer protocols are working. My ip / tcp rules alert just fine.<br>
> I also have zero byte http and tls logs despite them both being enabled so I<br>
> think it's a bit deeper than a rule misconfiguration; nonetheless, I'll put an<br>
> example below. Has anyone seen this type of behavior before?<br>
><br>
><br>
> Here are sample rules:<br>
> alert http any any -> $VIPS_NET any (msg:"Test HTTP"; content:"scarlett";<br>
> http_header; nocase; classtype:policy-violation; sid:1; rev:1;) # Never<br>
> alerts<br>
> alert tcp any any -> $VIPS_NET any (msg:"Test TCP"; content:"scarlett";<br>
> nocase; classtype:policy-violation; sid:2; rev:1;) #<br>
> Always alerts<br>
><br>
> Here is the GET request:<br>
> --request begin---<br>
> GET /stuff/index.html HTTP/1.0<br>
> User-Agent: scarlett<br>
> Accept: */*<br>
> Host: <a href="http://blah.myserver.com" target="_blank">blah.myserver.com</a><br>
> Connection: Keep-Alive<br>
><br>
><br>
><br>
><br>
><br>
> This is Suricata version 1.4.4 RELEASE<br>
><br>
> BUILD INFO<br>
> This is Suricata version 1.4.4 RELEASE<br>
> Features: PCAP_SET_BUFF LIBPCAP_VERSION_MAJOR=1 AF_PACKET HAVE_PACKET_FANOUT<br>
> LIBCAP_NG LIBNET1.1 HAVE_HTP_URI_NORMALIZE_HOOK<br>
> HAVE_HTP_TX_GET_RESPONSE_HEADERS_RAW PCRE_JIT HAVE_LUAJIT HAVE_LIBJANSSON<br>
> 64-bits, Little-endian architecture<br>
> GCC version 4.4.7 20120313 (Red Hat 4.4.7-3), C version 199901<br>
> __GCC_HAVE_SYNC_COMPARE_AND_SWAP_1<br>
> __GCC_HAVE_SYNC_COMPARE_AND_SWAP_2<br>
> __GCC_HAVE_SYNC_COMPARE_AND_SWAP_4<br>
> __GCC_HAVE_SYNC_COMPARE_AND_SWAP_8<br>
> __GCC_HAVE_SYNC_COMPARE_AND_SWAP_16<br>
> compiled with libhtp 0.2.14, linked against 0.2.14<br>
> Suricata Configuration:<br>
> AF_PACKET support: yes<br>
> PF_RING support: no<br>
> NFQueue support: no<br>
> IPFW support: no<br>
> DAG enabled: no<br>
> Napatech enabled: yes<br>
> Unix socket enabled: yes<br>
><br>
> libnss support: no<br>
> libnspr support: no<br>
> libjansson support: yes<br>
> Prelude support: no<br>
> PCRE jit: yes<br>
> libluajit: yes<br>
> libgeoip: yes<br>
> Non-bundled htp: no<br>
> Old barnyard2 support: no<br>
> CUDA enabled: no<br>
><br>
> Suricatasc install: yes<br>
><br>
> Unit tests enabled: no<br>
> Debug output enabled: no<br>
> Debug validation enabled: no<br>
> Profiling enabled: no<br>
> Profiling locks enabled: no<br>
><br>
> Generic build parameters:<br>
> Installation prefix (--prefix): /opt/suricata<br>
> Configuration directory (--sysconfdir): /opt/suricata/etc/suricata/<br>
> Log directory (--localstatedir) : /opt/suricata/var/log/suricata/<br>
><br>
> Host: x86_64-unknown-linux-gnu<br>
> GCC binary: gcc<br>
> GCC Protect enabled: no<br>
> GCC march native enabled: yes<br>
> GCC Profile enabled: no<br>
><br>
> =========Supported App Layer Protocols=========<br>
> http<br>
> ftp<br>
> smtp<br>
> tls<br>
> ssh<br>
> imap<br>
> msn<br>
> smb<br>
> smb2<br>
> dcerpc<br>
> dcerpcudp<br>
> =====<br>
<br>
</div></div>Can you verify if this solves it for you? -<br>
<br>
<a href="https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Frequently_Asked_Questions" target="_blank">https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Frequently_Asked_Questions</a><br>
<span><font color="#888888"><br>
--<br>
-------------------------------<br>
Anoop Saldanha<br>
<a href="http://www.poona.me" target="_blank">http://www.poona.me</a><br>
-------------------------------<br>
</font></span></blockquote></div><br></div>
</div></div></blockquote></div><br></div>
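<div>The reply in this thread asks about invalid checksums, because an IDS that validates checksums will not hand a segment with a bad TCP checksum to stream reassembly, and without reassembly the HTTP parser never sees the request, so an <code>http_header</code> rule stays silent while the raw <code>tcp</code> content match still fires. NIC checksum offload is a common cause: a capture taken on the sending host can contain frames whose checksum the hardware had not yet filled in. The following is an added example, not code from this thread or from the Suricata project: a small pure-Python checker that recomputes the IPv4 header and TCP checksums of a raw IPv4 packet the way RFC 1071 describes, so a pcap can be screened for this condition before blaming the rules. The sample packet is constructed here; it carries the GET request quoted above, and the IP addresses, ports and sequence numbers are made-up values. The reference IPv4 header and its checksum 0xb861 are a constructed known-good header used only as a self-check.</div>

```python
"""Recompute IPv4 header and TCP checksums of raw IPv4 packets (RFC 1071 style).

Added example for screening a capture for bad-checksum frames; not Suricata code.
"""
import socket
import struct

IP_PROTO_TCP = 6


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's complement sum with end-around carry (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"  # odd length: the last byte is the high half of a final word
    total = 0
    for i in range(0, len(data), 2):
        total += (data[i] << 8) | data[i + 1]
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return total


def checksum(data: bytes) -> int:
    """Internet checksum: one's complement of the one's complement sum.

    Over data that already contains a correct checksum field this returns 0.
    """
    return (~ones_complement_sum(data)) & 0xFFFF


def tcp_pseudo_header(ip_header: bytes, tcp_len: int) -> bytes:
    """Pseudo header covered by the TCP checksum: src, dst, zero, proto, TCP length."""
    src, dst = ip_header[12:16], ip_header[16:20]
    return src + dst + struct.pack("!BBH", 0, IP_PROTO_TCP, tcp_len)


def build_tcp_packet(src_ip: str, dst_ip: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Build an IPv4/TCP packet with correct checksums (constructed sample data)."""
    tcp_len = 20 + len(payload)
    # IPv4: ver/ihl, tos, total length, id, flags/frag (DF), ttl, proto, csum, src, dst
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len, 0x1234, 0x4000, 64,
                     IP_PROTO_TCP, 0, socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    # TCP: sport, dport, seq, ack, data offset (5 words), flags PSH|ACK, window, csum, urg
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 0x50, 0x18, 65535, 0, 0) + payload
    csum = checksum(tcp_pseudo_header(ip, tcp_len) + tcp)
    return ip + tcp[:16] + struct.pack("!H", csum) + tcp[18:]


def verify_packet(packet: bytes) -> dict:
    """Check the IPv4 header checksum and, for TCP, the segment checksum.

    Returns {"ip_ok": bool, "tcp_ok": bool or None}; tcp_ok is None for non-TCP.
    """
    ihl = (packet[0] & 0x0F) * 4
    ip_header = packet[:ihl]
    total_len = struct.unpack("!H", packet[2:4])[0]
    result = {"ip_ok": checksum(ip_header) == 0, "tcp_ok": None}
    if ip_header[9] == IP_PROTO_TCP:
        tcp = packet[ihl:total_len]
        result["tcp_ok"] = checksum(tcp_pseudo_header(ip_header, len(tcp)) + tcp) == 0
    return result


def zero_tcp_checksum(packet: bytes) -> bytes:
    """Simulate a frame captured before checksum offload filled in the TCP checksum."""
    ihl = (packet[0] & 0x0F) * 4
    return packet[:ihl + 16] + b"\x00\x00" + packet[ihl + 18:]


# Constructed reference header (UDP, checksum field zeroed); its checksum is 0xb861.
KNOWN_IPV4_HEADER = bytes.fromhex("450000730000400040110000c0a80001c0a800c7")

# The GET request from the thread, as the TCP payload of a constructed packet.
SAMPLE_REQUEST = (b"GET /stuff/index.html HTTP/1.0\r\nUser-Agent: scarlett\r\n"
                  b"Accept: */*\r\nHost: blah.myserver.com\r\nConnection: Keep-Alive\r\n\r\n")

if __name__ == "__main__":
    pkt = build_tcp_packet("10.0.0.5", "10.0.0.10", 40000, 80, SAMPLE_REQUEST)
    print("good packet:      ", verify_packet(pkt))
    print("offload (zeroed): ", verify_packet(zero_tcp_checksum(pkt)))
    corrupted = pkt[:-1] + bytes([pkt[-1] ^ 0x01])
    print("flipped payload:  ", verify_packet(corrupted))
```

Run it on the packets of a capture (strip the link-layer header first) and any frame reported with <code>tcp_ok</code> False is one the sensor would drop from reassembly when checksum validation is on; if those are all packets sent by the capturing host itself, offload is the likely cause and capturing on a span port or a different interface, rather than weakening the sensor, is the fix.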