<html>
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
  </head>
  <body text="#000000" bgcolor="#FFFFFF">
    <p>http_uri is a stream keyword; without the three-way handshake,
      the buffer won't be populated and inspected (unless
      stream.midstream is set to true).</p>
    <p>Also, I don't see the string "../" in the pcaps so the attached
      rules will never match.  Realize too that the http_uri buffer is
      normalized so if you try to match "../" in that buffer (you aren't
      in the provided rules), it will likely be normalized out and not
      match.<br>
    </p>
    <p>-David<br>
    </p>
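    <p>To make the buffer point concrete for the rule quoted below, here is
      an added Python model (not code from this thread, from Suricata or
      from libhtp) of which buffer each content keyword inspects and when
      the HTTP buffers exist at all. The path normalization is an assumed
      RFC 3986 style cleanup applied to the path only, and the request and
      the rule encoding are constructed for the example.</p>

```python
from urllib.parse import unquote

# Added model, not Suricata/libhtp code. Path normalization is an assumed RFC 3986
# style cleanup (percent-decode, drop '.' and '..'); the query is left as sent.

def remove_dot_segments(path: str) -> str:
    """RFC 3986 5.2.4 applied to an absolute path such as '/a/../b'."""
    out = []
    for seg in path.split("/")[1:]:
        if seg == "..":
            if out:
                out.pop()
        elif seg != ".":
            out.append(seg)
    return "/" + "/".join(out)

def request_target(request: bytes) -> str:
    """Request target exactly as sent: what http_raw_uri inspects."""
    return request.split(b" ", 2)[1].decode("latin-1")

def normalized_uri(request: bytes) -> str:
    """Request target after the assumed normalization: what http_uri inspects."""
    path, sep, query = request_target(request).partition("?")
    return remove_dot_segments(unquote(path)) + sep + query

def evaluate(rule, request: bytes, handshake_seen: bool, midstream: bool = False) -> bool:
    """Check each (pattern, buffer) pair of a rule against the buffer it names.
    HTTP buffers exist only when the stream engine tracks the flow: after a
    three-way handshake, or from mid-stream when stream.midstream is enabled."""
    buffers = {"payload": request.decode("latin-1")}
    if handshake_seen or midstream:
        buffers["http_raw_uri"] = request_target(request)
        buffers["http_uri"] = normalized_uri(request)
    return all(pattern in buffers.get(buf, "") for pattern, buf in rule)

# The thread's rule as (pattern, buffer) pairs: only "include_path=" carries the
# http_uri modifier; the other three contents inspect the raw packet payload.
THREAD_RULE = [("GET ", "payload"), ("/cron.php?", "payload"),
               ("include_path=", "http_uri"), ("../", "payload")]

# Constructed request: "../" sits in the path, where normalization resolves it.
REQUEST = (b"GET /admin/../cron.php?include_path=/tmp/x HTTP/1.1\r\n"
           b"Host: example.test\r\n\r\n")

if __name__ == "__main__":
    for seen, mid in ((False, False), (False, True), (True, False)):
        print(f"handshake={seen} midstream={mid}:", evaluate(THREAD_RULE, REQUEST, seen, mid))
    print("'../' via http_uri:", evaluate([("../", "http_uri")], REQUEST, True))
    print("'../' via http_raw_uri:", evaluate([("../", "http_raw_uri")], REQUEST, True))
```

    <p>The single-packet case returns no match because the http_uri buffer
      is never populated, and a "../" content tied to http_uri misses even
      on the full stream because the normalized path no longer contains it,
      while the same bytes are still visible to http_raw_uri.</p>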
    <div class="moz-cite-prefix">On 11/25/19 12:14 PM, Eric Urban wrote:<br>
    </div>
    <blockquote type="cite"
cite="mid:CAE-rCTYcNsj4XkmoOAZUsPL5RLDXE_VwWzaBkWz3MSn2=GTxMg@mail.gmail.com">
      <meta http-equiv="content-type" content="text/html; charset=UTF-8">
      <div dir="ltr">
        <div>For your first concern, about the pcap only having the
          single packet vs. the stream: do you have the stream.midstream
          option set to true in your config?</div>
        <div><br>
        </div>
        <div><a
href="https://suricata.readthedocs.io/en/suricata-4.1.5/configuration/suricata-yaml.html#stream-engine"
            moz-do-not-send="true">https://suricata.readthedocs.io/en/suricata-4.1.5/configuration/suricata-yaml.html#stream-engine</a><br>
        </div>
        <div><br>
        </div>
        <div dir="ltr">
          <div class="gmail_signature">-- <br>
            <b>Eric Urban</b><br>
            University Information Security | Office of Information Technology | <a href="http://it.umn.edu/">it.umn.edu</a><br>
            University of Minnesota | <a href="http://umn.edu/">umn.edu</a><br>
            <a href="mailto:eurban@umn.edu">eurban@umn.edu</a>
          </div>
          <br>
        </div>
        <br>
        <div class="gmail_quote">
          <div dir="ltr" class="gmail_attr">On Mon, Nov 25, 2019 at
            10:37 AM David Wharton <<a
              href="mailto:oisf@davidwharton.us" moz-do-not-send="true">oisf@davidwharton.us</a>>
            wrote:<br>
          </div>
          <blockquote class="gmail_quote" style="margin:0px 0px 0px
            0.8ex;border-left:1px solid
            rgb(204,204,204);padding-left:1ex">
            <div bgcolor="#FFFFFF">
              <p>Can you share the pcaps and rules you are testing
                with?  I can make a pretty good guess as to what is
                going on but it'd be easier to explain with the pcaps.</p>
              <p>Thanks.<br>
              </p>
              <p>-David<br>
              </p>
              <div>On 11/24/19 7:08 PM, Lucas Augusto Mota de Alcantara
                wrote:<br>
              </div>
              <blockquote type="cite">
                <div dir="ltr">
                  <div>Hello everyone,</div>
                  <div><br>
                  </div>
                  <div>I'm running Suricata with a pcap file as input to
                    test some rules at detecting a specific packet. The
                    problem is that when the input pcap file has only
                    the packet I'm interested in, Suricata doesn't alert
                    anything; it only alerts when the input file has the
                    whole TCP stream. I tried to include flow:
                    stateless, flow: no_stream and some other flow
                    option values in the rule, but it didn't change the
                    result. What should I do?</div>
                  <div><br>
                  </div>
                  <div>Another point is that even with the whole TCP
                    stream, Suricata only alerts when one specific
                    content option in the rule has the http_uri
                    modifier. <br>
                  </div>
                  <div><br>
                  </div>
                  <div>This is the rule that works with the whole TCP
                    stream:<br>
                    alert tcp any any -> any any (msg:"Testing rule
                    0"; content: "GET "; content: "/cron.php?"; content:
                    "include_path="; http_uri; content: "../";
                    sid:1099019;)</div>
                  <div><br>
                  </div>
                  <div>If I remove the http_uri, it stops alerting. Why?<br>
                  </div>
                </div>
                <br>
                <pre>_______________________________________________
Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org" target="_blank" moz-do-not-send="true">oisf-users@openinfosecfoundation.org</a>
Site: <a href="http://suricata-ids.org" target="_blank" moz-do-not-send="true">http://suricata-ids.org</a> | Support: <a href="http://suricata-ids.org/support/" target="_blank" moz-do-not-send="true">http://suricata-ids.org/support/</a>
List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" target="_blank" moz-do-not-send="true">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a>

Conference: <a href="https://suricon.net" target="_blank" moz-do-not-send="true">https://suricon.net</a>
Trainings: <a href="https://suricata-ids.org/training/" target="_blank" moz-do-not-send="true">https://suricata-ids.org/training/</a></pre>
              </blockquote>
            </div>
            </blockquote>
        </div>
      </div>
    </blockquote>
  </body>
</html>