[Oisf-devel] Suricata and HTTP reassembly
David.R.Wharton at regions.com
Wed Aug 31 21:33:28 UTC 2011
I am having issues with Suricata alerting when the data that needs to be
inspected spans multiple packets. I have been testing this with HTTP
traffic but it may apply to other application protocols as well if there
is a reassembly issue lower on the network stack.
Basically I have a rule that has a content match and a negated content
match. For example: content:"string1"; content:!"string2". If both
string1 and string2 are present, the rule should not alert because string2
is negated. This works as expected if string1 and string2 are in the same
packet. However, if the packet is split and string1 is in the first
packet and string2 in the second, the rule alerts because it does not
inspect the second packet for the negated content match even though it is
part of the same TCP/HTTP stream.
Are there HTTP reassembly issues or configurations that I don't know
about?
--------------------------
From my .yaml config file:
# trying to compensate for a 1 off issue with PF_RING and/or VLAN tags but
# not sure if it really helps
default-packet-size: 1522
defrag:
  max-frags: 65535
  prealloc: yes
  timeout: 60
#flow settings:
flow:
  memcap: 33554432
  hash_size: 65536
  prealloc: 10000
  emergency_recovery: 30
  prune_flows: 5
#stream engine settings:
stream:
  memcap: 33554432 # 32mb
  checksum_validation: yes # reject wrong csums
  inline: no # no inline mode
  reassembly:
    memcap: 67108864 # 64mb for reassembly
    depth: 1048576 # reassemble 1mb into a stream
    toserver_chunk_size: 2560
    toclient_chunk_size: 2560
# Configure libhtp.
libhtp:
  default-config:
    personality: IDS
    request_body_limit: 3072
  server-config:
    - apache:
        address: [192.168.1.0/24, 127.0.0.0/8, "::1"]
        personality: Apache_2_2
        request_body_limit: 4096
    - iis7:
        address:
          - 192.168.0.0/24
          - 192.168.10.0/24
          - 172.16.0.0/12
        personality: IIS_7_0
        request_body_limit: 4096
--------------------------
From alert-debug.log when this rule fires (when it shouldn't) b/c data is
spread among two packets:
PROTO: 6
SRC PORT: 9289
DST PORT: 8080
TCP SEQ: 760758486
TCP ACK: 3466528788
FLOW: to_server: TRUE, to_client: FALSE
FLOW Start TS: 08/30/2011-02:02:51.302354
FLOW IPONLY SET: TOSERVER: TRUE, TOCLIENT: TRUE
FLOW ACTION: DROP: FALSE, PASS FALSE
FLOW NOINSPECTION: PACKET: FALSE, PAYLOAD: FALSE, APP_LAYER: FALSE
FLOW APP_LAYER: DETECTED: TRUE, PROTO 1
PACKET LEN: 608
PAYLOAD LEN: 554
--------------------------
This is an HTTP POST and the HTTP headers in the first packet have
"Content-Length: 63" and all the POST data is in the second packet.
I would provide the rule and pcap I'm replaying through Suricata to test this
but it has sensitive data I can't share. Thanks for any help.
-David
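An added illustration (not part of David's post or of Suricata's code) of the behaviour he describes: the same content:"string1"; content:!"string2" rule evaluated once per packet and once over the reassembled stream. The HTTP request, its split into two segments, the patterns and the host name are all constructed for the demo; only the sequence number is taken from the log above.

```python
"""Added example (not from the mailing-list post): a toy TCP reassembler and
rule evaluator showing why content:"string1"; content:!"string2" fires when
each packet is inspected alone but not when the stream is inspected whole.
All segments, hosts and patterns below are constructed for the demo."""
from dataclasses import dataclass

@dataclass
class Segment:
    seq: int       # TCP sequence number of the first payload byte
    payload: bytes

# Constructed HTTP POST split as the post describes: headers in the first
# segment ("string1" lives there), the 63-byte body in the second ("string2").
BODY = b"q=string2&pad=" + b"x" * 49                      # exactly 63 bytes
HEADERS = (b"POST /search HTTP/1.1\r\nHost: example.test\r\n"
           b"User-Agent: string1\r\n"
           b"Content-Length: " + str(len(BODY)).encode() + b"\r\n\r\n")
ISN = 760758486                                           # TCP SEQ from the log
SEGMENTS = [Segment(ISN, HEADERS), Segment(ISN + len(HEADERS), BODY)]

def rule_matches(buf: bytes, content: bytes, negated: bytes) -> bool:
    """Alert only if the positive pattern is present AND the negated
    pattern is absent from the buffer being inspected."""
    return content in buf and negated not in buf

def reassemble(segments):
    """In-order reassembly: sort by seq, append contiguous payloads, and stop
    at the first hole (a real engine buffers until the hole is filled)."""
    ordered = sorted(segments, key=lambda s: s.seq)
    stream, expected = b"", ordered[0].seq
    for seg in ordered:
        if seg.seq != expected:
            break
        stream += seg.payload
        expected += len(seg.payload)
    return stream

def per_packet_alerts(segments, content, negated):
    """Per-segment inspection: one verdict per packet, no cross-packet view."""
    return [rule_matches(s.payload, content, negated) for s in segments]

def stream_alert(segments, content, negated):
    """Inspection over the reassembled stream: one verdict for the request."""
    return rule_matches(reassemble(segments), content, negated)

if __name__ == "__main__":
    print("per packet:", per_packet_alerts(SEGMENTS, b"string1", b"string2"))
    print("stream    :", stream_alert(SEGMENTS, b"string1", b"string2"))
```

Per-packet evaluation alerts on the header segment because the negated pattern has not been seen yet; the stream view sees both patterns and stays silent, which is the verdict the rule intends.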