<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<p>Can you share the pcaps and rules you are testing with? I can
make a pretty good guess as to what is going on but it'd be easier
to explain with the pcaps.</p>
<p>Thanks.<br>
</p>
<p>-David<br>
</p>
<div class="moz-cite-prefix">On 11/24/19 7:08 PM, Lucas Augusto Mota
de Alcantara wrote:<br>
</div>
<blockquote type="cite"
cite="mid:CAGbMLi7d_YWAJyH212_sOqtm_TxwgTFBsgPoZUJJnX4Lq8xpLw@mail.gmail.com">
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<div dir="ltr">
<div>Hello everyone,</div>
<div><br>
</div>
<div>I'm running Suricata with a pcap file as input to test some
rules at detecting a specific packet. The problem is that when
the input pcap file has only the packet I'm interested in,
Suricata doesn't alert anything; it only alerts when the input
file has the whole TCP stream. I tried to include flow:
stateless, flow: no_stream and some other flow option values
in the rule, but it didn't change the result. What should I
do?</div>
<div><br>
</div>
<div>Another point is that even with the whole TCP stream,
Suricata only alerts when one specific content option in the
rule has the http_uri modifier. <br>
</div>
<div><br>
</div>
<div>This is the rule that works with the whole tcp stream:<br>
alert tcp any any -> any any (msg:"Testing rule 0";
content: "GET "; content: "/cron.php?"; content:
"include_path="; http_uri; content: "../"; sid:1099019;)</div>
<div><br>
</div>
<div>If I remove the http_uri, it stops alerting. Why?<br>
</div>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<pre class="moz-quote-pre" wrap="">_______________________________________________
Suricata IDS Users mailing list: <a class="moz-txt-link-abbreviated" href="mailto:oisf-users@openinfosecfoundation.org">oisf-users@openinfosecfoundation.org</a>
Site: <a class="moz-txt-link-freetext" href="http://suricata-ids.org">http://suricata-ids.org</a> | Support: <a class="moz-txt-link-freetext" href="http://suricata-ids.org/support/">http://suricata-ids.org/support/</a>
List: <a class="moz-txt-link-freetext" href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a>
Conference: <a class="moz-txt-link-freetext" href="https://suricon.net">https://suricon.net</a>
Trainings: <a class="moz-txt-link-freetext" href="https://suricata-ids.org/training/">https://suricata-ids.org/training/</a></pre>
</blockquote>
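<p>The quoted message tests the rule against a pcap holding only the HTTP request packet. Suricata's stream engine by default (stream.midstream: false) does not track a TCP session whose handshake it never saw, so the HTTP parser, and with it any http_uri match, never runs on such a capture. The script below is an added example, not part of this thread or of Suricata: using only the Python standard library it writes a pcap containing the full three-way handshake followed by a request that carries the quoted rule's content strings, with valid IP and TCP checksums (Suricata validates them by default). The endpoints, MAC addresses, sequence numbers and request line are constructed sample values.</p>

```python
import socket, struct

CLIENT, SERVER, CPORT, SPORT = "10.0.0.1", "10.0.0.2", 40000, 80   # constructed sample endpoints
REQUEST = b"GET /cron.php?include_path=../ HTTP/1.1\r\nHost: example.test\r\n\r\n"  # constructed
SYN, ACK, PSH = 0x02, 0x10, 0x08

def checksum(data):
    # RFC 1071 one's-complement sum over 16-bit words; returns 0 for a header whose checksum is valid
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def tcp_frame(src, dst, sport, dport, seq, ack, flags, payload=b""):
    # Ethernet/IPv4/TCP frame with correct checksums (Suricata validates them by default)
    s_ip, d_ip = socket.inet_aton(src), socket.inet_aton(dst)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0) + payload
    pseudo = s_ip + d_ip + struct.pack("!BBH", 0, 6, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0, s_ip, d_ip)
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return b"\x02" * 6 + b"\x04" * 6 + b"\x08\x00" + ip + tcp   # constructed MACs, EtherType IPv4

def session_frames(request=REQUEST):
    # Three-way handshake, the request pushed by the client, and the server's ACK of it
    cseq, sseq = 1000, 5000   # constructed initial sequence numbers
    return [
        tcp_frame(CLIENT, SERVER, CPORT, SPORT, cseq, 0, SYN),
        tcp_frame(SERVER, CLIENT, SPORT, CPORT, sseq, cseq + 1, SYN | ACK),
        tcp_frame(CLIENT, SERVER, CPORT, SPORT, cseq + 1, sseq + 1, ACK),
        tcp_frame(CLIENT, SERVER, CPORT, SPORT, cseq + 1, sseq + 1, PSH | ACK, request),
        tcp_frame(SERVER, CLIENT, SPORT, CPORT, sseq + 1, cseq + 1 + len(request), ACK),
    ]

def write_pcap(path, frames):
    # Classic libpcap file: global header (magic, v2.4, tz 0, sigfigs 0, snaplen, LINKTYPE_ETHERNET=1)
    with open(path, "wb") as f:
        f.write(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))
        for i, frame in enumerate(frames):   # one record per frame, one second apart
            f.write(struct.pack("<IIII", i, 0, len(frame), len(frame)) + frame)

def verify_frame(frame):
    # Recompute both checksums from the raw bytes; a valid IP or TCP header sums to zero
    ip, tcp = frame[14:34], frame[34:]
    pseudo = ip[12:16] + ip[16:20] + struct.pack("!BBH", 0, 6, len(tcp))
    return checksum(ip) == 0 and checksum(pseudo + tcp) == 0
```

<p>Run <code>write_pcap("cron_php_session.pcap", session_frames())</code> and feed the file to Suricata with <code>-r</code>; comparing alerts from this capture against the single-packet capture isolates whether the missing session, rather than the rule, is what suppresses the alert.</p>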
</body>
</html>