<div dir="ltr">I'm seeing an issue where this simple content rule:<div>alert tcp any any -> any any (msg:"test pattern"; content:"attack"; sid:2013102104; rev:2;)</div><div><br></div><div>and this simple wget:</div>
<div>wget --debug -O - <a href="http://x.x.x.x/attack">http://x.x.x.x/attack</a><br></div><div><div><br></div><div>GET /attack HTTP/1.0</div><div>User-Agent: Wget/1.12 (linux-gnu)</div><div>Accept: */*</div><div>Host: x.x.x.x</div>
<div>Connection: Keep-Alive</div></div><div><br></div><div><br></div><div>This matches 100% of the time from any test host if I set "async-oneside: false" in my stream configuration section. However, if I set "async-oneside: true", certain hosts firing off that same wget never trigger the rule. So the behavior is such that if it fires when you do a wget from test host A, it is consistent and will always fire, and the inverse is also true. My guess is that there's something slightly different going across the wire despite the identical HTTP requests...</div>
<div>I took some raw pcaps of a match and a fail but nothing jumped out at me (not that it would without understanding the decision tree of the code)</div><div><br></div><div>... and before someone says it ...</div><div>We do not see symmetric traffic flows which is why I was using async-oneside: true. I was hoping to take advantage of some of the L7 capabilities. Obviously if the disease is worse than the cure, I'll leave it at false and stick with straight payload matching in tcp/udp.</div>
<div><br></div><div>I guess my questions are twofold:</div><div><br></div><div>1.) Is anyone else using async-oneside and has observed this or similar behavior?</div><div><br></div><div>2.) What is really the best way to start debugging why a rule ISN'T firing?</div>
<div><br></div><div><br></div><div>I pasted my build info below for those interested.</div><div><br></div><div>Thanks,<br>Dan</div><div>irc(danm)</div><div><br></div><div><br><div><br></div><div><br></div><div><div>This is Suricata version 1.4.5 RELEASE</div>
<div>Features: PCAP_SET_BUFF LIBPCAP_VERSION_MAJOR=1 AF_PACKET HAVE_PACKET_FANOUT LIBCAP_NG LIBNET1.1 HAVE_HTP_URI_NORMALIZE_HOOK HAVE_HTP_TX_GET_RESPONSE_HEADERS_RAW PCRE_JIT HAVE_LUAJIT HAVE_LIBJANSSON </div><div>64-bits, Little-endian architecture</div>
<div>GCC version 4.4.7 20120313 (Red Hat 4.4.7-3), C version 199901</div><div> __GCC_HAVE_SYNC_COMPARE_AND_SWAP_1</div><div> __GCC_HAVE_SYNC_COMPARE_AND_SWAP_2</div><div> __GCC_HAVE_SYNC_COMPARE_AND_SWAP_4</div><div> __GCC_HAVE_SYNC_COMPARE_AND_SWAP_8</div>
<div> __GCC_HAVE_SYNC_COMPARE_AND_SWAP_16</div><div>compiled with libhtp 0.2.14, linked against 0.2.14</div><div>Suricata Configuration:</div><div> AF_PACKET support: yes</div><div> PF_RING support: no</div>
<div> NFQueue support: no</div><div> IPFW support: no</div><div> DAG enabled: no</div><div> Napatech enabled: yes</div>
<div> Unix socket enabled: yes</div><div><br></div><div> libnss support: no</div><div> libnspr support: no</div><div> libjansson support: yes</div>
<div> Prelude support: no</div><div> PCRE jit: yes</div><div> libluajit: yes</div><div> libgeoip: yes</div>
<div> Non-bundled htp: no</div><div> Old barnyard2 support: no</div><div> CUDA enabled: no</div><div><br></div><div> Suricatasc install: yes</div>
<div><br></div><div> Unit tests enabled: no</div><div> Debug output enabled: no</div><div> Debug validation enabled: no</div><div> Profiling enabled: no</div>
<div> Profiling locks enabled: no</div><div><br></div><div>Generic build parameters:</div><div> Installation prefix (--prefix): /opt/suricata</div><div> Configuration directory (--sysconfdir): /opt/suricata/etc/suricata/</div>
<div> Log directory (--localstatedir) : /opt/suricata/var/log/suricata/</div><div><br></div><div> Host: x86_64-unknown-linux-gnu</div><div> GCC binary: gcc</div>
<div> GCC Protect enabled: no</div><div> GCC march native enabled: yes</div><div> GCC Profile enabled: no</div></div></div></div>
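The asymmetric case from the post, rebuilt as an added example (not code from the original message or from the Suricata project): it writes two pcaps, one with the whole TCP handshake and one with only the client's packets, both carrying the exact GET that wget printed, so each can be replayed with `suricata -r` under async-oneside true and false and the results compared in fast.log. The addresses, ports and sequence numbers are constructed stand-ins.

```python
import socket, struct

CLIENT, SERVER = "10.0.0.1", "10.0.0.2"    # constructed; stand in for the poster's x.x.x.x
CPORT, SPORT = 40000, 80
# The request exactly as the poster's `wget --debug` printed it.
REQUEST = (b"GET /attack HTTP/1.0\r\nUser-Agent: Wget/1.12 (linux-gnu)\r\n"
           b"Accept: */*\r\nHost: x.x.x.x\r\nConnection: Keep-Alive\r\n\r\n")
SYN, SYNACK, ACK, PSHACK = 0x02, 0x12, 0x10, 0x18

def checksum(data):
    """RFC 1071 one's-complement sum; yields 0 over data that already carries a valid checksum."""
    if len(data) % 2:
        data += b"\0"
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xffff) + (s >> 16)
    return ~s & 0xffff

def tcp_packet(src, dst, sport, dport, seq, ack, flags, payload=b""):
    """Ethernet/IPv4/TCP frame with correct checksums: Suricata's stream engine
    ignores segments with bad checksums by default, so a sloppy pcap proves nothing."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0) + payload
    pseudo = socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack("!BBH", 0, 6, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return bytes.fromhex("001122334455" "66778899aabb" "0800") + ip + tcp

def flow_packets(one_sided):
    """Handshake plus the GET. With one_sided=True the server's SYN/ACK is
    missing, which is what an asymmetric tap hands to async-oneside."""
    c2s = lambda seq, ack, flags, p=b"": tcp_packet(CLIENT, SERVER, CPORT, SPORT, seq, ack, flags, p)
    s2c = lambda seq, ack, flags, p=b"": tcp_packet(SERVER, CLIENT, SPORT, CPORT, seq, ack, flags, p)
    pkts = [c2s(1000, 0, SYN)]
    if not one_sided:
        pkts.append(s2c(5000, 1001, SYNACK))
    return pkts + [c2s(1001, 5001, ACK), c2s(1001, 5001, PSHACK, REQUEST)]

def write_pcap(path, packets):
    """Classic libpcap format, linktype 1 (Ethernet), one second between packets."""
    with open(path, "wb") as f:
        f.write(struct.pack("<IHHiIII", 0xa1b2c3d4, 2, 4, 0, 0, 65535, 1))
        for i, p in enumerate(packets):
            f.write(struct.pack("<IIII", 1_382_000_000 + i, 0, len(p), len(p)) + p)
    return len(packets)

if __name__ == "__main__":
    write_pcap("attack_both_sides.pcap", flow_packets(one_sided=False))
    write_pcap("attack_one_sided.pcap", flow_packets(one_sided=True))
```

Replaying one fixed pcap under both settings removes the host-to-host variation described in the post, so the comparison isolates how the stream engine treats the one-sided flow.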