[Oisf-devel] FN on http POST query suricata v1.2.1?
Edward Fjellskål
edwardfjellskaal at gmail.com
Thu Apr 19 08:03:43 UTC 2012
For what it's worth:
# tcpdump -s0 -i eth0 -w test.pcap &
# curl http://vg.no/abcd.php --data "galid=abcdzad&dzadzza=dzadzdza"
Then I run suricata on the pcap:
# suricata --runmode single -c suricata.yaml -r test.pcap
#### Events:
04/19/2012-09:20:21.738662 [**] [1:90011669:1] FN suricata [**]
[Classification: access to a potentially vulnerable web application]
[Priority: 2] {TCP} 1.2.3.4:4702 -> 195.88.54.16:80
04/19/2012-09:20:21.738662 [**] [1:90011668:1] FN suricata [**]
[Classification: access to a potentially vulnerable web application]
[Priority: 2] {TCP} 1.2.3.4:4702 -> 195.88.54.16:80
04/19/2012-09:20:21.738662 [**] [1:90011667:1] FN suricata [**]
[Classification: access to a potentially vulnerable web application]
[Priority: 2] {TCP} 1.2.3.4:4702 -> 195.88.54.16:80
I run without checksum validation.
Tested on two versions of suricata:
1: This is Suricata version 1.1beta2 (rev 58d7cb2)
(1.1.1 (rev 1bfb46f) is throwing a flow error I'm not digging into
right now)
2: This is Suricata version 1.3dev (rev fbe0206)
E
On 04/19/2012 01:58 AM, rmkml wrote:
> Hi,
>
> I'm restarting my Suricata (v1.2.1 and 1.3git) testing and I found
> strange results with these sigs not firing:
>
> alert tcp any any -> any 80 (msg:"FN suricata";
> flow:to_server,established; isdataat:1;
> classtype:web-application-activity; sid:90011667; rev:1;)
>
> alert tcp any any -> any 80 (msg:"FN suricata";
> flow:to_server,established; pcre:"/^[^\n]{5}/P";
> classtype:web-application-activity; sid:90011668; rev:1;)
>
> alert tcp any any -> any 80 (msg:"FN suricata";
> flow:to_server,established; content:"galid"; nocase; http_client_body;
> classtype:web-application-activity; sid:90011669; rev:1;)
>
>
> Tested with these two http commands:
> wget http://192.168.1.1/abcd.php --post-data="galid=abcdzad&dzadzza=dzadzdza"
> curl http://192.168.1.1/abcd.php --data "galid=abcdzad&dzadzza=dzadzdza"
>
> Attached my two pcaps for replaying.
> No suricata error.
> Disabled cksum validation.
>
> I'm sure I'm totally wrong, but could someone check/confirm please? If ok I'll
> open a new redmine ticket.
> Of course, snort always fires.
> Regards
> Rmkml
>
> http://twitter.com/rmkml
>
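To make the expected behaviour of the three signatures concrete, here is an added example (not code from the thread or from Suricata) that re-implements the payload predicates of sid 90011667, 90011668 and 90011669 in plain Python and runs them over a constructed approximation of the curl POST from the report. The request headers are assumptions; the body is the one posted in the thread. The `flow:to_server,established` condition is not modelled, since it concerns TCP state rather than payload.

```python
import re

# Constructed approximation of the POST sent by the curl command in the
# thread. Header values are assumptions; the body is the one from the report.
CONSTRUCTED_POST = (
    b"POST /abcd.php HTTP/1.1\r\n"
    b"Host: 192.168.1.1\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 30\r\n"
    b"\r\n"
    b"galid=abcdzad&dzadzza=dzadzdza"
)

# A body-less GET for comparison: only the isdataat rule should match it.
CONSTRUCTED_GET = b"GET /abcd.php HTTP/1.1\r\nHost: 192.168.1.1\r\n\r\n"


def split_request(payload: bytes):
    """Return (headers, body) of a single HTTP/1.x request in one segment."""
    head, sep, body = payload.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete request: end of headers not found")
    return head, body


def sid_90011667(payload: bytes) -> bool:
    # isdataat:1 -- there is a byte at offset 1 of the TCP payload,
    # i.e. the payload is at least two bytes long.
    return len(payload) > 1


def sid_90011668(payload: bytes) -> bool:
    # pcre:"/^[^\n]{5}/P" -- the /P modifier selects the HTTP client body,
    # which must start with five non-newline bytes.
    _, body = split_request(payload)
    return re.match(rb"^[^\n]{5}", body) is not None


def sid_90011669(payload: bytes) -> bool:
    # content:"galid"; nocase; http_client_body -- case-insensitive match
    # against the request body only, never against the headers.
    _, body = split_request(payload)
    return b"galid" in body.lower()


def evaluate(payload: bytes) -> dict:
    """Map each sid to whether its payload predicate fires on this request."""
    rules = {90011667: sid_90011667, 90011668: sid_90011668, 90011669: sid_90011669}
    return {sid: rule(payload) for sid, rule in rules.items()}
```

All three predicates are true for the POST body, which is the result the thread reports Snort producing; the FN under discussion is the absence of these three events in Suricata's output.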