[Oisf-users] libhtp defaults in suricata.yaml
Eoin Miller
eoin.miller at trojanedbinaries.com
Fri Aug 10 16:11:16 UTC 2012
On 8/10/2012 13:53, Victor Julien wrote:
>
> Can you share sigs (+pcaps) that are not alerting with the default setting?
>
Say, for example, a signature that alerts on an <applet tag in
file_data;. If it isn't in the beginning of file_data, then it won't
fire. So basically any signature that is looking for strings within
file_data; is going to be a false negative if it isn't at the beginning
of file_data.
A good example is the Blackhole signatures that I run on our network: they
use a combination of URI request structure matching to set a flowbit and
then look for an <applet tag in the HTTP server response. Blackhole
has been putting the <applet tag at the bottom of their long
HTTP responses as of late.
Configured with the larger request/response-body-limit values:
  default-config:
    personality: IDS
    # Can be specified in kb, mb, gb. Just a number indicates
    # it's in bytes.
    request-body-limit: 128kb
    response-body-limit: 512kb
These signatures will fire and be logged in fast.log:
08/03/2012-17:00:30.081604 [**] [1:5200112:4] AOL DRIVEBY Blackhole -
Landing Page Recieved - applet and flowbit [**] [Classification: (null)]
[Priority: 3] {TCP} 149.47.142.185:80 -> 172.191.33.179:2107
08/03/2012-17:00:30.081604 [**] [1:5900023:3] AOL INFO JAVA - Applet
Tag In HTML [**] [Classification: (null)] [Priority: 3] {TCP}
149.47.142.185:80 -> 172.191.33.179:2107
If I used the standard configuration, none of these alerts fire:
  default-config:
    personality: IDS
    # Can be specified in kb, mb, gb. Just a number indicates
    # it's in bytes.
    request-body-limit: 3072
    response-body-limit: 3072
$file fast.log
fast.log: empty
-- Eoin
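As an added illustration of the point made in this post (not code from the thread or from Suricata), the script below parses the body-limit notation used in suricata.yaml (bare bytes, or a kb/mb/gb suffix) and checks whether a content match such as <applet falls inside the first response-body-limit bytes of a constructed, deliberately long response body. The truncation model (only the first `limit` bytes reach file_data) is a simplification assumed for the example.

```python
import re

# Multipliers for the size suffixes accepted in suricata.yaml; a bare
# number means bytes, as the config comment in the post says.
_UNITS = {"": 1, "kb": 1024, "mb": 1024 ** 2, "gb": 1024 ** 3}

def parse_body_limit(value):
    """Turn '3072', '128kb', '512kb', '1mb' ... into a byte count."""
    m = re.fullmatch(r"\s*(\d+)\s*(kb|mb|gb)?\s*", str(value), re.IGNORECASE)
    if not m:
        raise ValueError(f"bad body limit: {value!r}")
    return int(m.group(1)) * _UNITS[(m.group(2) or "").lower()]

def inspected_body(body, limit):
    """Simplified model: only the first `limit` bytes are handed to file_data."""
    return body[:limit]

def would_match(body, needle, limit_setting):
    """True if `needle` lies within the inspected prefix for this limit setting."""
    limit = parse_body_limit(limit_setting)
    return needle in inspected_body(body, limit)

# Constructed sample response body (not a real landing page): about 20 KB of
# filler, then the <applet> tag near the bottom, as described in the post.
_FILLER = b"<p>" + b"A" * 20000 + b"</p>\n"
SAMPLE_BODY = (b"<html><body>\n" + _FILLER
               + b"<applet code=\"x.class\"></applet>\n</body></html>")

def check_both_configs(body=SAMPLE_BODY, needle=b"<applet"):
    """Compare the default 3072-byte limit with the raised 512kb limit."""
    return {
        "default_3072": would_match(body, needle, "3072"),
        "raised_512kb": would_match(body, needle, "512kb"),
        "applet_offset": body.find(needle),
    }

if __name__ == "__main__":
    for setting, result in check_both_configs().items():
        print(f"{setting}: {result}")
```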