[Oisf-devel] FN on http POST query suricata v1.2.1?
rmkml
rmkml at yahoo.fr
Thu Apr 19 19:30:29 UTC 2012
Hi Anoop, Peter and Edward.
Opened redmine ticket #452.
Edward: Can you share your pcap please? (for Im try replay)
Best Regards
Rmkml
On Thu, 19 Apr 2012, Anoop Saldanha wrote:
> On Thu, Apr 19, 2012 at 1:57 PM, Peter Manev <petermanev at gmail.com> wrote:
>>
>>
>> On Thu, Apr 19, 2012 at 10:13 AM, Victor Julien <victor at inliniac.net> wrote:
>>>
>>> On 04/19/2012 10:03 AM, Edward Fjellskål wrote:
>>> > For what its worth:
>>> >
>>> > # tcpdump -s0 -i eth0 -w test.pcap &
>>> > # curl http://vg.no/abcd.php --data "galid=abcdzad&dzadzza=dzadzdza"
>>> >
>>> > Then I run suricata on the pcap:
>>> > # suricata --runmode single -c suricata.yaml -r test.pcap
>>> >
>>> > #### Events:
>>> > 04/19/2012-09:20:21.738662 [**] [1:90011669:1] FN suricata [**]
>>> > [Classification: access to a potentially vulnerable web application]
>>> > [Priority: 2] {TCP} 1.2.3.4:4702 -> 195.88.54.16:80
>>> > 04/19/2012-09:20:21.738662 [**] [1:90011668:1] FN suricata [**]
>>> > [Classification: access to a potentially vulnerable web application]
>>> > [Priority: 2] {TCP} 1.2.3.4:4702 -> 195.88.54.16:80
>>> > 04/19/2012-09:20:21.738662 [**] [1:90011667:1] FN suricata [**]
>>> > [Classification: access to a potentially vulnerable web application]
>>> > [Priority: 2] {TCP} 1.2.3.4:4702 -> 195.88.54.16:80
>>> >
>>> > I run without checksum validation.
>>> >
>>> > Tested on two versions of suricata:
>>> > 1: This is Suricata version 1.1beta2 (rev 58d7cb2)
>>> > (1.1.1 (rev 1bfb46f) is throwing a flow error Im not digging into
>>> > right now)
>>> > 2: This is Suricata version 1.3dev (rev fbe0206)
>>>
>>> Thanks for checking. Maybe it's related to the ECN and CWR flags that
>>> are set on the first 2 packets.
>>>
>> I think it has something to do with the Congestion Notification - because if
>> run with rmkml pcap - i get the rmkml's results.
>> But as Edward has done - i get spot on results.
>>
>>
>>
>>>
>>> Cheers,
>>> Victor
>>>
>>>
>>> > E
>>> >
>>> >
>>> > On 04/19/2012 01:58 AM, rmkml wrote:
>>> >> Hi,
>>> >>
>>> >> Im restart my Suricata (v1.2.1 and 1.3git) testing and Im found
>>> >> strange results with these sigs not fire:
>>> >>
>>> >> alert tcp any any -> any 80 (msg:"FN suricata";
>>> >> flow:to_server,established; isdataat:1;
>>> >> classtype:web-application-activity; sid:90011667; rev:1;)
>>> >>
>>> >> alert tcp any any -> any 80 (msg:"FN suricata";
>>> >> flow:to_server,established; pcre:"/^[^\n]{5}/P";
>>> >> classtype:web-application-activity; sid:90011668; rev:1;)
>>> >>
>>> >> alert tcp any any -> any 80 (msg:"FN suricata";
>>> >> flow:to_server,established; content:"galid"; nocase; http_client_body;
>>> >> classtype:web-application-activity; sid:90011669; rev:1;)
>>> >>
>>> >>
>>> >> Tested with these two http commands:
>>> >> wget http://192.168.1.1/abcd.php
>>> >> --post-data="galid=abcdzad&dzadzza=dzadzdza"
>>> >> curl http://192.168.1.1/abcd.php --data
>>> >> "galid=abcdzad&dzadzza=dzadzdza"
>>> >>
>>> >> Joigned my two pcap for replaying.
>>> >> No suricata error.
>>> >> Disabled cksum validation.
>>> >>
>>> >> Im sure Im totaly wrong but if someone check/confirm please ? if ok Im
>>> >> open a new redmine ticket.
>>> >> Of course, snort always fire.
>>> >> Regards
>>> >> Rmkml
>>
>>
>> --
>> Regards,
>> Peter Manev
>
>
> I haven't run it as yet, but it looks like a bug since converting the
> rule into a packet rule gives me an alert. You can open a bug on
> this. Thanks rmkml.
>
> --
> Anoop Saldanha
More information about the Oisf-devel
mailing list