[Oisf-devel] no APP_LAYER_PARSER_DONE for HTTP protocol?

ZhouLi zhou.li at ca-jc.com
Sat Apr 16 10:51:20 UTC 2011


Thanks! The Suricata version is 1.1beta2 (rev d9e5413);
the following is the pcap output:

using curl:

17:37:14.973939 IP 192.168.88.108.45459 > 192.168.88.1.http: S 
445330179:445330179(0) win 5840 <mss 1460,sackOK,timestamp 24101879 
0,nop,wscale 6>
        0x0000:  4500 003c f0f4 4000 4006 1809 c0a8 586c  E..<..@.@.....Xl
        0x0010:  c0a8 5801 b193 0050 1a8b 3303 0000 0000  ..X....P..3.....
        0x0020:  a002 16d0 3a9a 0000 0204 05b4 0402 080a  ....:...........
        0x0030:  016f c3f7 0000 0000 0103 0306            .o..........
17:37:14.974123 IP 192.168.88.1.http > 192.168.88.108.45459: S 
907064963:907064963(0) ack 445330180 win 57344 <mss 1460,nop,wscale 
0,nop,nop,timestamp 37614415 24101879>
        0x0000:  4500 003c 7fb1 4000 4006 894c c0a8 5801  E..<..@.@..L..X.
        0x0010:  c0a8 586c 0050 b193 3610 b683 1a8b 3304  ..Xl.P..6.....3.
        0x0020:  a012 e000 923e 0000 0204 05b4 0103 0300  .....>..........
        0x0030:  0101 080a 023d f34f 016f c3f7            .....=.O.o..
17:37:14.974323 IP 192.168.88.108.45459 > 192.168.88.1.http: . ack 1 win 92 
<nop,nop,timestamp 24101880 37614415>
        0x0000:  4500 0034 f0f5 4000 4006 1810 c0a8 586c  E..4..@.@.....Xl
        0x0010:  c0a8 5801 b193 0050 1a8b 3304 3610 b684  ..X....P..3.6...
        0x0020:  8010 005c 9da6 0000 0101 080a 016f c3f8  ...\.........o..
        0x0030:  023d f34f                                .=.O
17:37:14.975022 IP 192.168.88.108.45459 > 192.168.88.1.http: P 1:142(141) 
ack 1 win 92 <nop,nop,timestamp 24101882 37614415>
        0x0000:  4500 00c1 f0f6 4000 4006 1782 c0a8 586c  E.....@.@.....Xl
        0x0010:  c0a8 5801 b193 0050 1a8b 3304 3610 b684  ..X....P..3.6...
        0x0020:  8018 005c fd16 0000 0101 080a 016f c3fa  ...\.........o..
        0x0030:  023d f34f 4745 5420 2f76 6972 7573 2f42  .=.OGET./virus/B
        0x0040:  6163 6b64 6f6f 725f 5161 7a2e 412e 4558  ackdoor_Qaz.A.EX
        0x0050:  4520 4854 5450 2f31 2e30 0d0a 5573 6572  E.HTTP/1.0..User
        0x0060:  2d41 6765 6e74 3a20 5767 6574 2f31 2e31  -Agent:.Wget/1.1
        0x0070:  312e 3420 5265 6420 4861 7420 6d6f 6469  1.4.Red.Hat.modi
        0x0080:  6669 6564 0d0a 4163 6365 7074 3a20 2a2f  fied..Accept:.*/
        0x0090:  2a0d 0a48 6f73 743a 206d 312e 6361 2d6a  *..Host:.m1.ca-j
        0x00a0:  632e 636f 6d0d 0a43 6f6e 6e65 6374 696f  c.com..Connectio
        0x00b0:  6e3a 204b 6565 702d 416c 6976 650d 0a0d  n:.Keep-Alive...
        0x00c0:  0a
17:37:14.976419 IP 192.168.88.1.http > 192.168.88.108.45459: P 1:307(306) 
ack 142 win 57920 <nop,nop,timestamp 37614415 24101882>
        0x0000:  4500 0166 7fb2 4000 4006 8821 c0a8 5801  E..f..@.@..!..X.
        0x0010:  c0a8 586c 0050 b193 3610 b684 1a8b 3391  ..Xl.P..6.....3.
        0x0020:  8018 e240 eb45 0000 0101 080a 023d f34f  ...@.E.......=.O
        0x0030:  016f c3fa 4854 5450 2f31 2e31 2032 3030  .o..HTTP/1.1.200
        0x0040:  204f 4b0d 0a44 6174 653a 2046 7269 2c20  .OK..Date:.Fri,.
        0x0050:  3135 2041 7072 2032 3031 3120 3039 3a34  15.Apr.2011.09:4
        0x0060:  323a 3135 2047 4d54 0d0a 5365 7276 6572  2:15.GMT..Server
        0x0070:  3a20 4170 6163 6865 2f32 2e30 2e34 3720  :.Apache/2.0.47.
        0x0080:  2855 6e69 7829 0d0a 4c61 7374 2d4d 6f64  (Unix)..Last-Mod
        0x0090:  6966 6965 643a 2054 6875 2c20 3136 204a  ified:.Thu,.16.J
        0x00a0:  756e 2032 3030 3520 3039 3a30 333a 3433  un.2005.09:03:43
        0x00b0:  2047 4d54 0d0a 4554 6167 3a20 2235 3362  .GMT..ETag:."53b
        0x00c0:  6438 652d 3164 3630 302d 3235 3664 6239  d8e-1d600-256db9
        0x00d0:  6330 220d 0a41 6363 6570 742d 5261 6e67  c0"..Accept-Rang
        0x00e0:  6573 3a20 6279 7465 730d 0a43 6f6e 7465  es:.bytes..Conte
        0x00f0:  6e74 2d4c 656e 6774 683a 2031 3230 3332  nt-Length:.12032
        0x0100:  300d 0a4b 6565 702d 416c 6976 653a 2074  0..Keep-Alive:.t
        0x0110:  696d 656f 7574 3d31 352c 206d 6178 3d31  imeout=15,.max=1
        0x0120:  3030 0d0a 436f 6e6e 6563 7469 6f6e 3a20  00..Connection:.
        0x0130:  4b65 6570 2d41 6c69 7665 0d0a 436f 6e74  Keep-Alive..Cont
        0x0140:  656e 742d 5479 7065 3a20 6170 706c 6963  ent-Type:.applic
        0x0150:  6174 696f 6e2f 6f63 7465 742d 7374 7265  ation/octet-stre
        0x0160:  616d 0d0a 0d0a
17:37:14.976669 IP 192.168.88.108.45459 > 192.168.88.1.http: . ack 307 win 
108 <nop,nop,timestamp 24101886 37614415>
        0x0000:  4500 0034 f0f7 4000 4006 180e c0a8 586c  E..4..@.@.....Xl
        0x0010:  c0a8 5801 b193 0050 1a8b 3391 3610 b7b6  ..X....P..3.6...
        0x0020:  8010 006c 9bd1 0000 0101 080a 016f c3fe  ...l.........o..
        0x0030:  023d f34f
17:37:14.976672 IP 192.168.88.1.http > 192.168.88.108.45459: . 
307:1755(1448) ack 142 win 57920 <nop,nop,timestamp 37614415 24101882>
        0x0000:  4500 05dc 7fb3 4000 4006 83aa c0a8 5801  E.....@.@.....X.
        0x0010:  c0a8 586c 0050 b193 3610 b7b6 1a8b 3391  ..Xl.P..6.....3.
        0x0020:  8010 e240 d518 0000 0101 080a 023d f34f  ...@.........=.O
        0x0030:  016f c3fa 4d5a 9000 0300 0000 0400 0000  .o..MZ..........
        0x0040:  ffff 0000 b800 0000 0000 0000 4000 0000  ............@...
        0x0050:  0000 0000 0000 0000 0000 0000 0000 0000  ................
        0x0060:  0000 0000 0000 0000 0000 0000 0000 0000  ................
        0x0070:  8000 0000 0e1f ba0e 00b4 09cd 21b8 014c  ............!..L
        0x0080:  cd21 5468 6973 2070 726f 6772 616d 2063  .!This.program.c
        0x0090:  616e 6e6f 7420 6265 2072 756e 2069 6e20  annot.be.run.in.
        0x00a0:  444f 5320 6d6f 6465 2e0d 0d0a 2400 0000  DOS.mode....$...
        0x00b0:  0000 0000 5045 0000 4c01 0600 d778 4439  ....PE..L....xD9
        0x00c0:  0000 0000 0000 0000 e000 0a01 0b01 0500  ................
        0x00d0:  004c 0100 009e 0000 0000 0000 203d 0000  .L...........=..
        0x00e0:  0010 0000 0060 0100 0000 4000 0010 0000  .....`....@.....
        0x00f0:  0002 0000 0400 0000 0000 0000 0400 0000  ................
        0x0100:  0000 0000 0020 0200 0004 0000 0000 0000  ................
        0x0110:  0200 0000 0000 1000 0010 0000 0000 1000  ................
        .
        .
        .


using IE:
17:56:12.253588 IP 192.168.88.1.http > 192.168.88.194.aic-oncrpc: F 
2555400009:2555400009(0) ack 369119585 win 57960
        0x0000:  4500 0028 e7a0 4000 4006 211b c0a8 5801  E..(..@.@.!...X.
        0x0010:  c0a8 58c2 0050 0ae2 9850 4f49 1600 5161  ..X..P...POI..Qa
        0x0020:  5011 e268 4129 0000 0000 0000 0000       P..hA)........
17:56:12.253772 IP 192.168.88.194.aic-oncrpc > 192.168.88.1.http: . ack 1 
win 64495
        0x0000:  4500 0028 a642 4000 8006 2279 c0a8 58c2  E..(.B@..."y..X.
        0x0010:  c0a8 5801 0ae2 0050 1600 5161 9850 4f4a  ..X....P..Qa.POJ
        0x0020:  5010 fbef 27a2 0000 0000 0000 0000       P...'.........
17:56:12.263456 IP 192.168.88.1.http > 192.168.88.194.aic-np: F 
2619006725:2619006725(0) ack 4174295162 win 57960
        0x0000:  4500 0028 e7a1 4000 4006 211a c0a8 5801  E..(..@.@.!...X.
        0x0010:  c0a8 58c2 0050 0ae1 9c1a df05 f8ce b07a  ..X..P.........z
        0x0020:  5011 e268 6bbb 0000 0000 0000 0000       P..hk.........
17:56:12.263605 IP 192.168.88.194.aic-np > 192.168.88.1.http: . ack 1 win 
64328
        0x0000:  4500 0028 a643 4000 8006 2278 c0a8 58c2  E..(.C@..."x..X.
        0x0010:  c0a8 5801 0ae1 0050 f8ce b07a 9c1a df06  ..X....P...z....
        0x0020:  5010 fb48 52db 0000 0000 0000 0000       P..HR.........
17:56:14.770380 IP 192.168.88.194.aic-oncrpc > 192.168.88.1.http: F 1:1(0) 
ack 1 win 64495
        0x0000:  4500 0028 a644 4000 8006 2277 c0a8 58c2  E..(.D@..."w..X.
        0x0010:  c0a8 5801 0ae2 0050 1600 5161 9850 4f4a  ..X....P..Qa.POJ
        0x0020:  5011 fbef 27a1 0000 0000 0000 0000       P...'.........
17:56:14.770530 IP 192.168.88.194.aic-np > 192.168.88.1.http: F 1:1(0) ack 1 
win 64328
        0x0000:  4500 0028 a645 4000 8006 2276 c0a8 58c2  E..(.E@..."v..X.
        0x0010:  c0a8 5801 0ae1 0050 f8ce b07a 9c1a df06  ..X....P...z....
        0x0020:  5011 fb48 52da 0000 0000 0000 0000       P..HR.........
17:56:14.770534 IP 192.168.88.1.http > 192.168.88.194.aic-oncrpc: . ack 2 
win 57960
        0x0000:  4500 0028 e7a2 4000 4006 2119 c0a8 5801  E..(..@.@.!...X.
        0x0010:  c0a8 58c2 0050 0ae2 9850 4f4a 1600 5162  ..X..P...POJ..Qb
        0x0020:  5010 e268 4128 0000 0000 0000 0000       P..hA(........
17:56:14.770630 IP 192.168.88.1.http > 192.168.88.194.aic-np: . ack 2 win 
57960
        0x0000:  4500 0028 e7a3 4000 4006 2118 c0a8 5801  E..(..@.@.!...X.
        0x0010:  c0a8 58c2 0050 0ae1 9c1a df06 f8ce b07b  ..X..P.........{
        0x0020:  5010 e268 6bba 0000 0000 0000 0000       P..hk.........
17:56:14.773076 IP 192.168.88.194.piccolo > 192.168.88.1.http: S 
1112711939:1112711939(0) win 65535 <mss 1260,nop,nop,sackOK>
        0x0000:  4500 0030 a646 4000 8006 226d c0a8 58c2  E..0.F@..."m..X.
        0x0010:  c0a8 5801 0ae3 0050 4252 a303 0000 0000  ..X....PBR......
        0x0020:  7002 ffff 614a 0000 0204 04ec 0101 0402  p...aJ..........
17:56:14.773226 IP 192.168.88.1.http > 192.168.88.194.piccolo: S 
2494653860:2494653860(0) ack 1112711940 win 57344 <mss 1460>
        0x0000:  4500 002c e7a4 4000 4006 2113 c0a8 5801  E..,..@.@.!...X.
        0x0010:  c0a8 58c2 0050 0ae3 94b1 65a4 4252 a304  ..X..P....e.BR..
        0x0020:  6012 e000 9b21 0000 0204 05b4 0000       `....!........
17:56:14.773326 IP 192.168.88.194.piccolo > 192.168.88.1.http: . ack 1 win 
65535
        0x0000:  4500 0028 a647 4000 8006 2274 c0a8 58c2  E..(.G@..."t..X.
        0x0010:  c0a8 5801 0ae3 0050 4252 a304 94b1 65a5  ..X....PBR....e.
        0x0020:  5010 ffff 92df 0000 0000 0000 0000       P.............
17:56:14.777768 IP 192.168.88.194.piccolo > 192.168.88.1.http: P 1:265(264) 
ack 1 win 65535
        0x0000:  4500 0130 a649 4000 8006 216a c0a8 58c2  E..0.I@...!j..X.
        0x0010:  c0a8 5801 0ae3 0050 4252 a304 94b1 65a5  ..X....PBR....e.
        0x0020:  5018 ffff 1fcf 0000 4745 5420 2f76 6972  P.......GET./vir
        0x0030:  7573 2f42 6163 6b64 6f6f 725f 5161 7a2e  us/Backdoor_Qaz.
        0x0040:  412e 4558 4520 4854 5450 2f31 2e31 0d0a  A.EXE.HTTP/1.1..
        0x0050:  4163 6365 7074 3a20 2a2f 2a0d 0a41 6363  Accept:.*/*..Acc
        0x0060:  6570 742d 456e 636f 6469 6e67 3a20 677a  ept-Encoding:.gz
        0x0070:  6970 2c20 6465 666c 6174 650d 0a55 7365  ip,.deflate..Use
        0x0080:  722d 4167 656e 743a 204d 6f7a 696c 6c61  r-Agent:.Mozilla
        0x0090:  2f34 2e30 2028 636f 6d70 6174 6962 6c65  /4.0.(compatible
        0x00a0:  3b20 4d53 4945 2036 2e30 3b20 5769 6e64  ;.MSIE.6.0;.Wind
        0x00b0:  6f77 7320 4e54 2035 2e31 3b20 5356 313b  ows.NT.5.1;.SV1;
        0x00c0:  202e 4e45 5420 434c 5220 322e 302e 3530  ..NET.CLR.2.0.50
        0x00d0:  3732 373b 202e 4e45 5420 434c 5220 332e  727;..NET.CLR.3.
        0x00e0:  302e 3435 3036 2e32 3135 323b 202e 4e45  0.4506.2152;..NE
        0x00f0:  5420 434c 5220 332e 352e 3330 3732 3929  T.CLR.3.5.30729)
        0x0100:  0d0a 486f 7374 3a20 3139 322e 3136 382e  ..Host:.192.168.
        0x0110:  3838 2e31 0d0a 436f 6e6e 6563 7469 6f6e  88.1..Connection
        0x0120:  3a20 4b65 6570 2d41 6c69 7665 0d0a 0d0a  :.Keep-Alive....

17:56:14.779215 IP 192.168.88.1.http > 192.168.88.194.piccolo: P 1:307(306) 
ack 265 win 57960
        0x0000:  4500 015a e7a5 4000 4006 1fe4 c0a8 5801  E..Z..@.@.....X.
        0x0010:  c0a8 58c2 0050 0ae3 94b1 65a5 4252 a40c  ..X..P....e.BR..
        0x0020:  5018 e268 df8e 0000 4854 5450 2f31 2e31  P..h....HTTP/1.1
        0x0030:  2032 3030 204f 4b0d 0a44 6174 653a 2046  .200.OK..Date:.F
        0x0040:  7269 2c20 3135 2041 7072 2032 3031 3120  ri,.15.Apr.2011.
        0x0050:  3130 3a30 313a 3135 2047 4d54 0d0a 5365  10:01:15.GMT..Se
        0x0060:  7276 6572 3a20 4170 6163 6865 2f32 2e30  rver:.Apache/2.0
        0x0070:  2e34 3720 2855 6e69 7829 0d0a 4c61 7374  .47.(Unix)..Last
        0x0080:  2d4d 6f64 6966 6965 643a 2054 6875 2c20  -Modified:.Thu,.
        0x0090:  3136 204a 756e 2032 3030 3520 3039 3a30  16.Jun.2005.09:0
        0x00a0:  333a 3433 2047 4d54 0d0a 4554 6167 3a20  3:43.GMT..ETag:.
        0x00b0:  2235 3362 6438 652d 3164 3630 302d 3235  "53bd8e-1d600-25
        0x00c0:  3664 6239 6330 220d 0a41 6363 6570 742d  6db9c0"..Accept-
        0x00d0:  5261 6e67 6573 3a20 6279 7465 730d 0a43  Ranges:.bytes..C
        0x00e0:  6f6e 7465 6e74 2d4c 656e 6774 683a 2031  ontent-Length:.1
        0x00f0:  3230 3332 300d 0a4b 6565 702d 416c 6976  20320..Keep-Aliv
        0x0100:  653a 2074 696d 656f 7574 3d31 352c 206d  e:.timeout=15,.m
        0x0110:  6178 3d31 3030 0d0a 436f 6e6e 6563 7469  ax=100..Connecti
        0x0120:  6f6e 3a20 4b65 6570 2d41 6c69 7665 0d0a  on:.Keep-Alive..
        0x0130:  436f 6e74 656e 742d 5479 7065 3a20 6170  Content-Type:.ap
        0x0140:  706c 6963 6174 696f 6e2f 6f63 7465 742d  plication/octet-
        0x0150:  7374 7265 616d 0d0a 0d0a                 stream....
17:56:14.779415 IP 192.168.88.1.http > 192.168.88.194.piccolo: . 
307:1567(1260) ack 265 win 57960
        0x0000:  4500 0514 e7a6 4000 4006 1c29 c0a8 5801  E.....@.@..)..X.
        0x0010:  c0a8 58c2 0050 0ae3 94b1 66d7 4252 a40c  ..X..P....f.BR..
        0x0020:  5010 e268 7f34 0000 4d5a 9000 0300 0000  P..h.4..MZ......
        0x0030:  0400 0000 ffff 0000 b800 0000 0000 0000  ................
        0x0040:  4000 0000 0000 0000 0000 0000 0000 0000  @...............
        0x0050:  0000 0000 0000 0000 0000 0000 0000 0000  ................
        0x0060:  0000 0000 8000 0000 0e1f ba0e 00b4 09cd  ................
        0x0070:  21b8 014c cd21 5468 6973 2070 726f 6772  !..L.!This.progr
        0x0080:  616d 2063 616e 6e6f 7420 6265 2072 756e  am.cannot.be.run
        0x0090:  2069 6e20 444f 5320 6d6f 6465 2e0d 0d0a  .in.DOS.mode....
        0x00a0:  2400 0000 0000 0000 5045 0000 4c01 0600  $.......PE..L...
        0x00b0:  d778 4439 0000 0000 0000 0000 e000 0a01  .xD9............
        0x00c0:  0b01 0500 004c 0100 009e 0000 0000 0000  .....L..........
        0x00d0:  203d 0000 0010 0000 0060 0100 0000 4000  .=.......`....@.
        0x00e0:  0010 0000 0002 0000 0400 0000 0000 0000  ................
        0x00f0:  0400 0000 0000 0000 0020 0200 0004 0000  ................
        0x0100:  0000 0000 0200 0000 0000 1000 0010 0000  ................
        0x0110:  0000 1000 0010 0000 0000 0000 1000 0000  ................
        0x0120:  0000 0000 0000 0000 00e0 0100 a000 0000  ................
        0x0130:  00f0 0100 1b08 0000 0000 0000 0000 0000  ................
        0x0140:  0000 0000 0000 0000 0000 0200 140f 0000  ................
        .
        .
        .


----- Original Message ----- 
From: "Victor Julien" <victor at inliniac.net>
To: <oisf-devel at openinfosecfoundation.org>
Sent: Saturday, April 16, 2011 5:35 PM
Subject: Re: [Oisf-devel] no APP_LAYER_PARSER_DONE for HTTP protocol?


> Can you share a pcap?
>
> Btw, what Suricata version are you using?
>
> On 04/16/2011 11:29 AM, ZhouLi wrote:
>>   With --enable-debug, I found the packet being ignored by STREAM_GAP; I 
>> think it's a bug.
>>
>> //ZhouLi
>>   ----- Original Message ----- 
>>   From: ZhouLi
>>   To: oisf-devel at openinfosecfoundation.org
>>   Sent: Saturday, April 16, 2011 11:50 AM
>>   Subject: [Oisf-devel] no APP_LAYER_PARSER_DONE for HTTP protocol?
>>
>>
>>   Hi, Victor
>>
>>     I am writing some testing code for Suricata with ClamAV and I got an 
>> error log when GETting a .exe file with wget or curl; it
>>   won't occur when using IE to GET a .exe file. Using tcpdump, I found 
>> the log will be triggered when the first chunk packet
>>   arrives. Bug?
>>     The error log looks like this:
>>   (app-layer-parser.c:943) <Error> (AppLayerParse) -- [ERRCODE: 
>> SC_ERR_ALPARSER(59)] - Error occured in parsing "http" app
>>   layer protocol, using network protocol 6, source IP address 
>> 192.168.88.108, destination IP address 192.168.88.1, src port
>>   36047 and dst port 80
>>
>>   //ZhouLi
>>
>>   _______________________________________________
>>   Oisf-devel mailing list
>>   Oisf-devel at openinfosecfoundation.org
>>   http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel
>>
>
>
> -- 
> ---------------------------------------------
> Victor Julien
> http://www.inliniac.net/
> PGP: http://www.inliniac.net/victorjulien.asc
> ---------------------------------------------
>


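As an added example (not from this thread and not Suricata's own code), a small Python checker for the `tcpdump -X` format of the dumps at the top of this message: it rebuilds each packet from the hex column, takes segment sizes from the IP and TCP headers so a dump cut short with "..." still counts correctly, and reports where one direction's sequence numbers jump past the data already seen, which is what a stream gap is. The sample dump is constructed (addresses and ports mirror the curl capture; payloads are omitted).

```python
import re
import struct

# Hypothetical gap checker for `tcpdump -X` dumps (not Suricata's stream engine).
# Hex line: offset, 4-hex-digit groups (the last may be 2 digits), then an ASCII column.
HEX_LINE = re.compile(r"^\s*0x([0-9a-f]{4}):\s+((?:[0-9a-f]{4} )*[0-9a-f]{2,4})")

def parse_tcpdump_x(text):
    """Raw bytes of each packet; a hex line at offset 0x0000 starts a new packet."""
    pkts = []
    for m in filter(None, map(HEX_LINE.match, text.splitlines())):
        if m.group(1) == "0000":             # summary lines and '...' never match
            pkts.append(bytearray())
        pkts[-1] += bytes.fromhex(m.group(2).replace(" ", ""))
    return [bytes(p) for p in pkts]

def tcp_fields(raw):
    """(flow, seq, flags, payload_len) of an IPv4/TCP packet. Lengths come from the
    headers, so a dump cut short with '...' still yields the real segment size."""
    assert raw[0] >> 4 == 4 and raw[9] == 6, "IPv4/TCP only"
    ihl, total = (raw[0] & 0x0F) * 4, struct.unpack("!H", raw[2:4])[0]
    sport, dport, seq, _ack, off_flags = struct.unpack("!HHIIH", raw[ihl:ihl + 14])
    flow = (".".join(map(str, raw[12:16])), sport, ".".join(map(str, raw[16:20])), dport)
    return flow, seq, off_flags & 0x1FF, total - ihl - (off_flags >> 12) * 4

def find_gaps(packets):
    """Per direction, track the next expected seq; return (flow, expected, got, missing).
    Retransmissions (seq below expected) are ignored; 32-bit seq wrap is not handled."""
    expected, gaps = {}, []
    for raw in packets:
        flow, seq, flags, plen = tcp_fields(raw)
        syn, fin = flags >> 1 & 1, flags & 1
        if syn or flow not in expected:      # SYN (or mid-stream pickup) sets the baseline
            expected[flow] = seq
        elif seq > expected[flow]:           # data starts past what was seen: a gap
            gaps.append((flow, expected[flow], seq, seq - expected[flow]))
        expected[flow] = max(expected[flow], seq + plen + syn + fin)
    return gaps

# Constructed sample in the page's format (headers only; payload omitted as in the truncated
# dump). Segment 1755:3203 never appears, so a 1448-byte gap precedes the third packet.
SAMPLE = """\
17:37:14.976419 IP 192.168.88.1.http > 192.168.88.108.45459: P 1:307(306) ack 142
        0x0000:  4500 015a 0001 4000 4006 0000 c0a8 5801  E..Z..@.@.....X.
        0x0010:  c0a8 586c 0050 b193 0000 0001 0000 008e  ..Xl.P..........
        0x0020:  5018 e240 0000 0000                      P..@....
17:37:14.976672 IP 192.168.88.1.http > 192.168.88.108.45459: . 307:1755(1448) ack 142
        0x0000:  4500 05d0 0002 4000 4006 0000 c0a8 5801  E.....@.@.....X.
        0x0010:  c0a8 586c 0050 b193 0000 0133 0000 008e  ..Xl.P.....3....
        0x0020:  5010 e240 0000 0000                      P..@....
17:37:14.976900 IP 192.168.88.1.http > 192.168.88.108.45459: . 3203:4651(1448) ack 142
        0x0000:  4500 05d0 0003 4000 4006 0000 c0a8 5801  E.....@.@.....X.
        0x0010:  c0a8 586c 0050 b193 0000 0c83 0000 008e  ..Xl.P..........
        0x0020:  5010 e240 0000 0000                      P..@....
"""
```

Feed a real `tcpdump -X` capture to `parse_tcpdump_x` and inspect `find_gaps`: an empty list means the capture itself has no hole in either direction, so a STREAM_GAP reported by the engine points at reassembly rather than at the wire.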