[Oisf-devel] no APP_LAYER_PARSER_DONE for HTTP protocol?
ZhouLi
zhou.li at ca-jc.com
Sat Apr 16 10:51:20 UTC 2011
Thanks! suricata version is 1.1beta2 (rev d9e5413),
the following is pcap output:
using curl:
17:37:14.973939 IP 192.168.88.108.45459 > 192.168.88.1.http: S
445330179:445330179(0) win 5840 <mss 1460,sackOK,timestamp 24101879
0,nop,wscale 6>
0x0000: 4500 003c f0f4 4000 4006 1809 c0a8 586c E..<.. at .@.....Xl
0x0010: c0a8 5801 b193 0050 1a8b 3303 0000 0000 ..X....P..3.....
0x0020: a002 16d0 3a9a 0000 0204 05b4 0402 080a ....:...........
0x0030: 016f c3f7 0000 0000 0103 0306 .o..........
17:37:14.974123 IP 192.168.88.1.http > 192.168.88.108.45459: S
907064963:907064963(0) ack 445330180 win 57344 <mss 1460,nop,wscale
0,nop,nop,timestamp 37614415 24101879>
0x0000: 4500 003c 7fb1 4000 4006 894c c0a8 5801 E..<.. at .@..L..X.
0x0010: c0a8 586c 0050 b193 3610 b683 1a8b 3304 ..Xl.P..6.....3.
0x0020: a012 e000 923e 0000 0204 05b4 0103 0300 .....>..........
0x0030: 0101 080a 023d f34f 016f c3f7 .....=.O.o..
17:37:14.974323 IP 192.168.88.108.45459 > 192.168.88.1.http: . ack 1 win 92
<nop,nop,timestamp 24101880 37614415>
0x0000: 4500 0034 f0f5 4000 4006 1810 c0a8 586c E..4.. at .@.....Xl
0x0010: c0a8 5801 b193 0050 1a8b 3304 3610 b684 ..X....P..3.6...
0x0020: 8010 005c 9da6 0000 0101 080a 016f c3f8 ...\.........o..
0x0030: 023d f34f .=.O
17:37:14.975022 IP 192.168.88.108.45459 > 192.168.88.1.http: P 1:142(141)
ack 1 win 92 <nop,nop,timestamp 24101882 37614415>
0x0000: 4500 00c1 f0f6 4000 4006 1782 c0a8 586c E..... at .@.....Xl
0x0010: c0a8 5801 b193 0050 1a8b 3304 3610 b684 ..X....P..3.6...
0x0020: 8018 005c fd16 0000 0101 080a 016f c3fa ...\.........o..
0x0030: 023d f34f 4745 5420 2f76 6972 7573 2f42 .=.OGET./virus/B
0x0040: 6163 6b64 6f6f 725f 5161 7a2e 412e 4558 ackdoor_Qaz.A.EX
0x0050: 4520 4854 5450 2f31 2e30 0d0a 5573 6572 E.HTTP/1.0..User
0x0060: 2d41 6765 6e74 3a20 5767 6574 2f31 2e31 -Agent:.Wget/1.1
0x0070: 312e 3420 5265 6420 4861 7420 6d6f 6469 1.4.Red.Hat.modi
0x0080: 6669 6564 0d0a 4163 6365 7074 3a20 2a2f fied..Accept:.*/
0x0090: 2a0d 0a48 6f73 743a 206d 312e 6361 2d6a *..Host:.m1.ca-j
0x00a0: 632e 636f 6d0d 0a43 6f6e 6e65 6374 696f c.com..Connectio
0x00b0: 6e3a 204b 6565 702d 416c 6976 650d 0a0d n:.Keep-Alive...
0x00c0: 0a
17:37:14.976419 IP 192.168.88.1.http > 192.168.88.108.45459: P 1:307(306)
ack 142 win 57920 <nop,nop,timestamp 37614415 24101882>
0x0000: 4500 0166 7fb2 4000 4006 8821 c0a8 5801 E..f.. at .@..!..X.
0x0010: c0a8 586c 0050 b193 3610 b684 1a8b 3391 ..Xl.P..6.....3.
0x0020: 8018 e240 eb45 0000 0101 080a 023d f34f ... at .E.......=.O
0x0030: 016f c3fa 4854 5450 2f31 2e31 2032 3030 .o..HTTP/1.1.200
0x0040: 204f 4b0d 0a44 6174 653a 2046 7269 2c20 .OK..Date:.Fri,.
0x0050: 3135 2041 7072 2032 3031 3120 3039 3a34 15.Apr.2011.09:4
0x0060: 323a 3135 2047 4d54 0d0a 5365 7276 6572 2:15.GMT..Server
0x0070: 3a20 4170 6163 6865 2f32 2e30 2e34 3720 :.Apache/2.0.47.
0x0080: 2855 6e69 7829 0d0a 4c61 7374 2d4d 6f64 (Unix)..Last-Mod
0x0090: 6966 6965 643a 2054 6875 2c20 3136 204a ified:.Thu,.16.J
0x00a0: 756e 2032 3030 3520 3039 3a30 333a 3433 un.2005.09:03:43
0x00b0: 2047 4d54 0d0a 4554 6167 3a20 2235 3362 .GMT..ETag:."53b
0x00c0: 6438 652d 3164 3630 302d 3235 3664 6239 d8e-1d600-256db9
0x00d0: 6330 220d 0a41 6363 6570 742d 5261 6e67 c0"..Accept-Rang
0x00e0: 6573 3a20 6279 7465 730d 0a43 6f6e 7465 es:.bytes..Conte
0x00f0: 6e74 2d4c 656e 6774 683a 2031 3230 3332 nt-Length:.12032
0x0100: 300d 0a4b 6565 702d 416c 6976 653a 2074 0..Keep-Alive:.t
0x0110: 696d 656f 7574 3d31 352c 206d 6178 3d31 imeout=15,.max=1
0x0120: 3030 0d0a 436f 6e6e 6563 7469 6f6e 3a20 00..Connection:.
0x0130: 4b65 6570 2d41 6c69 7665 0d0a 436f 6e74 Keep-Alive..Cont
0x0140: 656e 742d 5479 7065 3a20 6170 706c 6963 ent-Type:.applic
0x0150: 6174 696f 6e2f 6f63 7465 742d 7374 7265 ation/octet-stre
0x0160: 616d 0d0a 0d0a
17:37:14.976669 IP 192.168.88.108.45459 > 192.168.88.1.http: . ack 307 win
108 <nop,nop,timestamp 24101886 37614415>
0x0000: 4500 0034 f0f7 4000 4006 180e c0a8 586c E..4.. at .@.....Xl
0x0010: c0a8 5801 b193 0050 1a8b 3391 3610 b7b6 ..X....P..3.6...
0x0020: 8010 006c 9bd1 0000 0101 080a 016f c3fe ...l.........o..
0x0030: 023d f34f
17:37:14.976672 IP 192.168.88.1.http > 192.168.88.108.45459: .
307:1755(1448) ack 142 win 57920 <nop,nop,timestamp 37614415 24101882>
0x0000: 4500 05dc 7fb3 4000 4006 83aa c0a8 5801 E..... at .@.....X.
0x0010: c0a8 586c 0050 b193 3610 b7b6 1a8b 3391 ..Xl.P..6.....3.
0x0020: 8010 e240 d518 0000 0101 080a 023d f34f ... at .........=.O
0x0030: 016f c3fa 4d5a 9000 0300 0000 0400 0000 .o..MZ..........
0x0040: ffff 0000 b800 0000 0000 0000 4000 0000 ............ at ...
0x0050: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0x0060: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0x0070: 8000 0000 0e1f ba0e 00b4 09cd 21b8 014c ............!..L
0x0080: cd21 5468 6973 2070 726f 6772 616d 2063 .!This.program.c
0x0090: 616e 6e6f 7420 6265 2072 756e 2069 6e20 annot.be.run.in.
0x00a0: 444f 5320 6d6f 6465 2e0d 0d0a 2400 0000 DOS.mode....$...
0x00b0: 0000 0000 5045 0000 4c01 0600 d778 4439 ....PE..L....xD9
0x00c0: 0000 0000 0000 0000 e000 0a01 0b01 0500 ................
0x00d0: 004c 0100 009e 0000 0000 0000 203d 0000 .L...........=..
0x00e0: 0010 0000 0060 0100 0000 4000 0010 0000 .....`.... at .....
0x00f0: 0002 0000 0400 0000 0000 0000 0400 0000 ................
0x0100: 0000 0000 0020 0200 0004 0000 0000 0000 ................
0x0110: 0200 0000 0000 1000 0010 0000 0000 1000 ................
.
.
.
using IE:
17:56:12.253588 IP 192.168.88.1.http > 192.168.88.194.aic-oncrpc: F
2555400009:2555400009(0) ack 369119585 win 57960
0x0000: 4500 0028 e7a0 4000 4006 211b c0a8 5801 E..(.. at .@.!...X.
0x0010: c0a8 58c2 0050 0ae2 9850 4f49 1600 5161 ..X..P...POI..Qa
0x0020: 5011 e268 4129 0000 0000 0000 0000 P..hA)........
17:56:12.253772 IP 192.168.88.194.aic-oncrpc > 192.168.88.1.http: . ack 1
win 64495
0x0000: 4500 0028 a642 4000 8006 2279 c0a8 58c2 E..(.B at ..."y..X.
0x0010: c0a8 5801 0ae2 0050 1600 5161 9850 4f4a ..X....P..Qa.POJ
0x0020: 5010 fbef 27a2 0000 0000 0000 0000 P...'.........
17:56:12.263456 IP 192.168.88.1.http > 192.168.88.194.aic-np: F
2619006725:2619006725(0) ack 4174295162 win 57960
0x0000: 4500 0028 e7a1 4000 4006 211a c0a8 5801 E..(.. at .@.!...X.
0x0010: c0a8 58c2 0050 0ae1 9c1a df05 f8ce b07a ..X..P.........z
0x0020: 5011 e268 6bbb 0000 0000 0000 0000 P..hk.........
17:56:12.263605 IP 192.168.88.194.aic-np > 192.168.88.1.http: . ack 1 win
64328
0x0000: 4500 0028 a643 4000 8006 2278 c0a8 58c2 E..(.C at ..."x..X.
0x0010: c0a8 5801 0ae1 0050 f8ce b07a 9c1a df06 ..X....P...z....
0x0020: 5010 fb48 52db 0000 0000 0000 0000 P..HR.........
17:56:14.770380 IP 192.168.88.194.aic-oncrpc > 192.168.88.1.http: F 1:1(0)
ack 1 win 64495
0x0000: 4500 0028 a644 4000 8006 2277 c0a8 58c2 E..(.D at ..."w..X.
0x0010: c0a8 5801 0ae2 0050 1600 5161 9850 4f4a ..X....P..Qa.POJ
0x0020: 5011 fbef 27a1 0000 0000 0000 0000 P...'.........
17:56:14.770530 IP 192.168.88.194.aic-np > 192.168.88.1.http: F 1:1(0) ack 1
win 64328
0x0000: 4500 0028 a645 4000 8006 2276 c0a8 58c2 E..(.E at ..."v..X.
0x0010: c0a8 5801 0ae1 0050 f8ce b07a 9c1a df06 ..X....P...z....
0x0020: 5011 fb48 52da 0000 0000 0000 0000 P..HR.........
17:56:14.770534 IP 192.168.88.1.http > 192.168.88.194.aic-oncrpc: . ack 2
win 57960
0x0000: 4500 0028 e7a2 4000 4006 2119 c0a8 5801 E..(.. at .@.!...X.
0x0010: c0a8 58c2 0050 0ae2 9850 4f4a 1600 5162 ..X..P...POJ..Qb
0x0020: 5010 e268 4128 0000 0000 0000 0000 P..hA(........
17:56:14.770630 IP 192.168.88.1.http > 192.168.88.194.aic-np: . ack 2 win
57960
0x0000: 4500 0028 e7a3 4000 4006 2118 c0a8 5801 E..(.. at .@.!...X.
0x0010: c0a8 58c2 0050 0ae1 9c1a df06 f8ce b07b ..X..P.........{
0x0020: 5010 e268 6bba 0000 0000 0000 0000 P..hk.........
17:56:14.773076 IP 192.168.88.194.piccolo > 192.168.88.1.http: S
1112711939:1112711939(0) win 65535 <mss 1260,nop,nop,sackOK>
0x0000: 4500 0030 a646 4000 8006 226d c0a8 58c2 E..0.F at ..."m..X.
0x0010: c0a8 5801 0ae3 0050 4252 a303 0000 0000 ..X....PBR......
0x0020: 7002 ffff 614a 0000 0204 04ec 0101 0402 p...aJ..........
17:56:14.773226 IP 192.168.88.1.http > 192.168.88.194.piccolo: S
2494653860:2494653860(0) ack 1112711940 win 57344 <mss 1460>
0x0000: 4500 002c e7a4 4000 4006 2113 c0a8 5801 E..,.. at .@.!...X.
0x0010: c0a8 58c2 0050 0ae3 94b1 65a4 4252 a304 ..X..P....e.BR..
0x0020: 6012 e000 9b21 0000 0204 05b4 0000 `....!........
17:56:14.773326 IP 192.168.88.194.piccolo > 192.168.88.1.http: . ack 1 win
65535
0x0000: 4500 0028 a647 4000 8006 2274 c0a8 58c2 E..(.G at ..."t..X.
0x0010: c0a8 5801 0ae3 0050 4252 a304 94b1 65a5 ..X....PBR....e.
0x0020: 5010 ffff 92df 0000 0000 0000 0000 P.............
17:56:14.777768 IP 192.168.88.194.piccolo > 192.168.88.1.http: P 1:265(264)
ack 1 win 65535
0x0000: 4500 0130 a649 4000 8006 216a c0a8 58c2 E..0.I at ...!j..X.
0x0010: c0a8 5801 0ae3 0050 4252 a304 94b1 65a5 ..X....PBR....e.
0x0020: 5018 ffff 1fcf 0000 4745 5420 2f76 6972 P.......GET./vir
0x0030: 7573 2f42 6163 6b64 6f6f 725f 5161 7a2e us/Backdoor_Qaz.
0x0040: 412e 4558 4520 4854 5450 2f31 2e31 0d0a A.EXE.HTTP/1.1..
0x0050: 4163 6365 7074 3a20 2a2f 2a0d 0a41 6363 Accept:.*/*..Acc
0x0060: 6570 742d 456e 636f 6469 6e67 3a20 677a ept-Encoding:.gz
0x0070: 6970 2c20 6465 666c 6174 650d 0a55 7365 ip,.deflate..Use
0x0080: 722d 4167 656e 743a 204d 6f7a 696c 6c61 r-Agent:.Mozilla
0x0090: 2f34 2e30 2028 636f 6d70 6174 6962 6c65 /4.0.(compatible
0x00a0: 3b20 4d53 4945 2036 2e30 3b20 5769 6e64 ;.MSIE.6.0;.Wind
0x00b0: 6f77 7320 4e54 2035 2e31 3b20 5356 313b ows.NT.5.1;.SV1;
0x00c0: 202e 4e45 5420 434c 5220 322e 302e 3530 ..NET.CLR.2.0.50
0x00d0: 3732 373b 202e 4e45 5420 434c 5220 332e 727;..NET.CLR.3.
0x00e0: 302e 3435 3036 2e32 3135 323b 202e 4e45 0.4506.2152;..NE
0x00f0: 5420 434c 5220 332e 352e 3330 3732 3929 T.CLR.3.5.30729)
0x0100: 0d0a 486f 7374 3a20 3139 322e 3136 382e ..Host:.192.168.
0x0110: 3838 2e31 0d0a 436f 6e6e 6563 7469 6f6e 88.1..Connection
0x0120: 3a20 4b65 6570 2d41 6c69 7665 0d0a 0d0a :.Keep-Alive....
17:56:14.779215 IP 192.168.88.1.http > 192.168.88.194.piccolo: P 1:307(306)
ack 265 win 57960
0x0000: 4500 015a e7a5 4000 4006 1fe4 c0a8 5801 E..Z.. at .@.....X.
0x0010: c0a8 58c2 0050 0ae3 94b1 65a5 4252 a40c ..X..P....e.BR..
0x0020: 5018 e268 df8e 0000 4854 5450 2f31 2e31 P..h....HTTP/1.1
0x0030: 2032 3030 204f 4b0d 0a44 6174 653a 2046 .200.OK..Date:.F
0x0040: 7269 2c20 3135 2041 7072 2032 3031 3120 ri,.15.Apr.2011.
0x0050: 3130 3a30 313a 3135 2047 4d54 0d0a 5365 10:01:15.GMT..Se
0x0060: 7276 6572 3a20 4170 6163 6865 2f32 2e30 rver:.Apache/2.0
0x0070: 2e34 3720 2855 6e69 7829 0d0a 4c61 7374 .47.(Unix)..Last
0x0080: 2d4d 6f64 6966 6965 643a 2054 6875 2c20 -Modified:.Thu,.
0x0090: 3136 204a 756e 2032 3030 3520 3039 3a30 16.Jun.2005.09:0
0x00a0: 333a 3433 2047 4d54 0d0a 4554 6167 3a20 3:43.GMT..ETag:.
0x00b0: 2235 3362 6438 652d 3164 3630 302d 3235 "53bd8e-1d600-25
0x00c0: 3664 6239 6330 220d 0a41 6363 6570 742d 6db9c0"..Accept-
0x00d0: 5261 6e67 6573 3a20 6279 7465 730d 0a43 Ranges:.bytes..C
0x00e0: 6f6e 7465 6e74 2d4c 656e 6774 683a 2031 ontent-Length:.1
0x00f0: 3230 3332 300d 0a4b 6565 702d 416c 6976 20320..Keep-Aliv
0x0100: 653a 2074 696d 656f 7574 3d31 352c 206d e:.timeout=15,.m
0x0110: 6178 3d31 3030 0d0a 436f 6e6e 6563 7469 ax=100..Connecti
0x0120: 6f6e 3a20 4b65 6570 2d41 6c69 7665 0d0a on:.Keep-Alive..
0x0130: 436f 6e74 656e 742d 5479 7065 3a20 6170 Content-Type:.ap
0x0140: 706c 6963 6174 696f 6e2f 6f63 7465 742d plication/octet-
0x0150: 7374 7265 616d 0d0a 0d0a stream....
17:56:14.779415 IP 192.168.88.1.http > 192.168.88.194.piccolo: .
307:1567(1260) ack 265 win 57960
0x0000: 4500 0514 e7a6 4000 4006 1c29 c0a8 5801 E..... at .@..)..X.
0x0010: c0a8 58c2 0050 0ae3 94b1 66d7 4252 a40c ..X..P....f.BR..
0x0020: 5010 e268 7f34 0000 4d5a 9000 0300 0000 P..h.4..MZ......
0x0030: 0400 0000 ffff 0000 b800 0000 0000 0000 ................
0x0040: 4000 0000 0000 0000 0000 0000 0000 0000 @...............
0x0050: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0x0060: 0000 0000 8000 0000 0e1f ba0e 00b4 09cd ................
0x0070: 21b8 014c cd21 5468 6973 2070 726f 6772 !..L.!This.progr
0x0080: 616d 2063 616e 6e6f 7420 6265 2072 756e am.cannot.be.run
0x0090: 2069 6e20 444f 5320 6d6f 6465 2e0d 0d0a .in.DOS.mode....
0x00a0: 2400 0000 0000 0000 5045 0000 4c01 0600 $.......PE..L...
0x00b0: d778 4439 0000 0000 0000 0000 e000 0a01 .xD9............
0x00c0: 0b01 0500 004c 0100 009e 0000 0000 0000 .....L..........
0x00d0: 203d 0000 0010 0000 0060 0100 0000 4000 .=.......`.... at .
0x00e0: 0010 0000 0002 0000 0400 0000 0000 0000 ................
0x00f0: 0400 0000 0000 0000 0020 0200 0004 0000 ................
0x0100: 0000 0000 0200 0000 0000 1000 0010 0000 ................
0x0110: 0000 1000 0010 0000 0000 0000 1000 0000 ................
0x0120: 0000 0000 0000 0000 00e0 0100 a000 0000 ................
0x0130: 00f0 0100 1b08 0000 0000 0000 0000 0000 ................
0x0140: 0000 0000 0000 0000 0000 0200 140f 0000 ................
.
.
.
----- Original Message -----
From: "Victor Julien" <victor at inliniac.net>
To: <oisf-devel at openinfosecfoundation.org>
Sent: Saturday, April 16, 2011 5:35 PM
Subject: Re: [Oisf-devel] no APP_LAYER_PARSER_DONE for HTTP protocol?
> Can you share a pcap?
>
> Btw, what Suricata version are you using?
>
> On 04/16/2011 11:29 AM, ZhouLi wrote:
>> With --enable-debug, I found the packet been ignored by STREAM_GAP, I
>> think it's a bug.
>>
>> //ZhouLi
>> ----- Original Message -----
>> From: ZhouLi
>> To: oisf-devel at openinfosecfoundation.org
>> Sent: Saturday, April 16, 2011 11:50 AM
>> Subject: [Oisf-devel] no APP_LAYER_PARSER_DONE for HTTP protocol?
>>
>>
>> Hi, Victor
>>
>> I am writing some testing code for suricata with clamav and I got a
>> error log when GET a .exe file by wget or curl, it
>> won't occour when using IE to GET a .exe file. using tcpdump and found
>> the log will be trigger when the first chunk packet
>> arrive. bug?
>> error log just like this,
>> (app-layer-parser.c:943) <Error> (AppLayerParse) -- [ERRCODE:
>> SC_ERR_ALPARSER(59)] - Error occured in parsing "http" app
>> layer protocol, using network protocol 6, source IP address
>> 192.168.88.108, destination IP address 192.168.88.1, src port
>> 36047 and dst port 80
>>
>> //ZhouLi
>>
>> ____ KILL Mail Shield Gateway scanned ____
>>
>> ____ KILL Mail Shield Gateway scanned ____
>>
>>
>>
>> ------------------------------------------------------------------------------
>>
>>
>> _______________________________________________
>> Oisf-devel mailing list
>> Oisf-devel at openinfosecfoundation.org
>> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel
>>
>>
>> ____ KILL Mail Shield Gateway scanned ____
>>
>>
>>
>> ____ KILL Mail Shield Gateway scanned ____
>>
>>
>>
>>
>>
>> _______________________________________________
>> Oisf-devel mailing list
>> Oisf-devel at openinfosecfoundation.org
>> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel
>
>
> --
> ---------------------------------------------
> Victor Julien
> http://www.inliniac.net/
> PGP: http://www.inliniac.net/victorjulien.asc
> ---------------------------------------------
>
>
>
> ____ KILL Mail Shield Gateway scanned ____
>
>
--------------------------------------------------------------------------------
> _______________________________________________
> Oisf-devel mailing list
> Oisf-devel at openinfosecfoundation.org
> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel
>
>
> ____ KILL Mail Shield Gateway scanned ____
>
>
____ KILL Mail Shield Gateway scanned ____
More information about the Oisf-devel
mailing list