<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<p>http_uri is a stream keyword; without the three-way-handshake,
the buffer won't be populated and inspected (unless
stream.midstream is set to true).</p>
<p>Also, I don't see the string "../" in the pcaps so the attached
rules will never match. Realize too that the http_uri buffer is
normalized so if you try to match "../" in that buffer (you aren't
in the provided rules), it will likely be normalized out and not
match.<br>
</p>
<p>-David<br>
</p>
<div class="moz-cite-prefix">On 11/25/19 12:14 PM, Eric Urban wrote:<br>
</div>
<blockquote type="cite"
cite="mid:CAE-rCTYcNsj4XkmoOAZUsPL5RLDXE_VwWzaBkWz3MSn2=GTxMg@mail.gmail.com">
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<div dir="ltr">
<div>For your first concern about the pcap only having the
single packet vs the stream do you have the stream.midstream
option set to true in your config?</div>
<div><br>
</div>
<div><a
href="https://suricata.readthedocs.io/en/suricata-4.1.5/configuration/suricata-yaml.html#stream-engine"
moz-do-not-send="true">https://suricata.readthedocs.io/en/suricata-4.1.5/configuration/suricata-yaml.html#stream-engine</a><br>
</div>
<div><br>
</div>
<div dir="ltr">
<div>
<div dir="ltr" class="gmail_signature"
data-smartmail="gmail_signature">
<div dir="ltr">
<div>
<div dir="ltr">
<div>
<div dir="ltr">
<div>
<div dir="ltr">
<div>
<div dir="ltr">
<div>
<div dir="ltr">
<div>
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr"><span
style="color:rgb(0,0,0);font-family:"Helvetica
Neue",Helvetica,sans-serif;font-size:small;white-space:nowrap">-- </span></div>
<div dir="ltr"><span
style="color:rgb(0,0,0);font-family:"Helvetica
Neue",Helvetica,sans-serif;font-size:small;font-weight:bold;white-space:nowrap">Eric
Urban</span><br>
</div>
<div dir="ltr"><span
style="color:rgb(0,0,0);font-family:'Helvetica
Neue',Helvetica,sans-serif;font-size:small;line-height:17.29px;white-space:nowrap">University
Information Security |
Office of Information
Technology | </span><a
href="http://it.umn.edu/"
style="color:rgb(17,85,204);font-family:'Helvetica
Neue',Helvetica,sans-serif;font-size:small;line-height:17.29px;white-space:nowrap"
target="_blank"
moz-do-not-send="true">it.umn.edu</a><br
style="color:rgb(0,0,0);font-family:'Helvetica
Neue',Helvetica,sans-serif;font-size:small;line-height:17.29px;white-space:nowrap">
<span
style="color:rgb(0,0,0);font-family:'Helvetica
Neue',Helvetica,sans-serif;font-size:small;line-height:17.29px;white-space:nowrap">University
of Minnesota | </span><a
href="http://umn.edu/"
style="color:rgb(17,85,204);font-family:'Helvetica
Neue',Helvetica,sans-serif;font-size:small;line-height:17.29px;white-space:nowrap"
target="_blank"
moz-do-not-send="true">umn.edu</a><br
style="color:rgb(0,0,0);font-family:'Helvetica
Neue',Helvetica,sans-serif;font-size:small;line-height:17.29px;white-space:nowrap">
<a
href="mailto:eurban@umn.edu"
style="color:rgb(17,85,204);font-family:'Helvetica
Neue',Helvetica,sans-serif;font-size:small;line-height:17.29px;white-space:nowrap"
target="_blank"
moz-do-not-send="true">eurban@umn.edu</a><font
style="color:rgb(136,136,136);font-size:12.8px" face="verdana,
sans-serif"><br>
</font></div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<br>
</div>
<br>
<div class="gmail_quote">
<div dir="ltr" class="gmail_attr">On Mon, Nov 25, 2019 at
10:37 AM David Wharton <<a
href="mailto:oisf@davidwharton.us" moz-do-not-send="true">oisf@davidwharton.us</a>>
wrote:<br>
</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px
0.8ex;border-left:1px solid
rgb(204,204,204);padding-left:1ex">
<div bgcolor="#FFFFFF">
<p>Can you share the pcaps and rules you are testing
with? I can make a pretty good guess as to what is
going on but it'd be easier to explain with the pcaps.</p>
<p>Thanks.<br>
</p>
<p>-David<br>
</p>
<div>On 11/24/19 7:08 PM, Lucas Augusto Mota de Alcantara
wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">
<div>Hello everyone,</div>
<div><br>
</div>
<div>I'm running Suricata with a pcap file as input to
test some rules at detecting a specific packet. The
problem is that when the input pcap file has only
the packet i'm interested in, Suricata doesn't alert
anything, it only alerts when the input file has the
whole tcp stream. I tried to include flow:
stateless, flow: no_stream and some other flow
option values to the rule, but it didn't change the
result. What should i do?</div>
<div><br>
</div>
<div>Another point is that even with the whole tcp
stream, suricata only alerts when one specific
content option in the rule has the http_uri
modifier. <br>
</div>
<div><br>
</div>
<div>This is the rule that works with the whole tcp
stream:<br>
alert tcp any any -> any any (msg:"Testing rule
0"; content: "GET "; content: "/cron.php?"; content:
"include_path="; http_uri; content: "../";
sid:1099019;)</div>
<div><br>
</div>
<div>If i remove the http_uri, it stops alerting. Why?<br>
</div>
</div>
<br>
<fieldset></fieldset>
<pre>_______________________________________________
Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org" target="_blank" moz-do-not-send="true">oisf-users@openinfosecfoundation.org</a>
Site: <a href="http://suricata-ids.org" target="_blank" moz-do-not-send="true">http://suricata-ids.org</a> | Support: <a href="http://suricata-ids.org/support/" target="_blank" moz-do-not-send="true">http://suricata-ids.org/support/</a>
List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" target="_blank" moz-do-not-send="true">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a>
Conference: <a href="https://suricon.net" target="_blank" moz-do-not-send="true">https://suricon.net</a>
Trainings: <a href="https://suricata-ids.org/training/" target="_blank" moz-do-not-send="true">https://suricata-ids.org/training/</a></pre>
</blockquote>
</div>
_______________________________________________<br>
Suricata IDS Users mailing list: <a
href="mailto:oisf-users@openinfosecfoundation.org"
target="_blank" moz-do-not-send="true">oisf-users@openinfosecfoundation.org</a><br>
Site: <a href="http://suricata-ids.org" rel="noreferrer"
target="_blank" moz-do-not-send="true">http://suricata-ids.org</a>
| Support: <a href="http://suricata-ids.org/support/"
rel="noreferrer" target="_blank" moz-do-not-send="true">http://suricata-ids.org/support/</a><br>
List: <a
href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users"
rel="noreferrer" target="_blank" moz-do-not-send="true">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>
<br>
Conference: <a href="https://suricon.net" rel="noreferrer"
target="_blank" moz-do-not-send="true">https://suricon.net</a><br>
Trainings: <a href="https://suricata-ids.org/training/"
rel="noreferrer" target="_blank" moz-do-not-send="true">https://suricata-ids.org/training/</a></blockquote>
</div>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<pre class="moz-quote-pre" wrap="">_______________________________________________
Suricata IDS Users mailing list: <a class="moz-txt-link-abbreviated" href="mailto:oisf-users@openinfosecfoundation.org">oisf-users@openinfosecfoundation.org</a>
Site: <a class="moz-txt-link-freetext" href="http://suricata-ids.org">http://suricata-ids.org</a> | Support: <a class="moz-txt-link-freetext" href="http://suricata-ids.org/support/">http://suricata-ids.org/support/</a>
List: <a class="moz-txt-link-freetext" href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a>
Conference: <a class="moz-txt-link-freetext" href="https://suricon.net">https://suricon.net</a>
Trainings: <a class="moz-txt-link-freetext" href="https://suricata-ids.org/training/">https://suricata-ids.org/training/</a></pre>
</blockquote>
</body>
</html>