[Oisf-devel] FN on http POST query suricata v1.2.1?

Anoop Saldanha anoopsaldanha at gmail.com
Fri Apr 20 09:16:54 UTC 2012


Patches attached in the bug that fix the FNs.  Should be in
master in some time.  Meanwhile you can test the patches.

On Fri, Apr 20, 2012 at 1:00 AM, rmkml <rmkml at yahoo.fr> wrote:
> Hi Anoop, Peter and Edward.
> Opened redmine ticket #452.
> Edward: Can you share your pcap please? (for I'm trying to replay)
> Best Regards
> Rmkml
>
>
>
> On Thu, 19 Apr 2012, Anoop Saldanha wrote:
>
>> On Thu, Apr 19, 2012 at 1:57 PM, Peter Manev <petermanev at gmail.com> wrote:
>>>
>>>
>>>
>>> On Thu, Apr 19, 2012 at 10:13 AM, Victor Julien <victor at inliniac.net>
>>> wrote:
>>>>
>>>>
>>>> On 04/19/2012 10:03 AM, Edward Fjellskål wrote:
>>>> > For what it's worth:
>>>> >
>>>> > # tcpdump -s0 -i eth0 -w test.pcap &
>>>> > # curl http://vg.no/abcd.php --data "galid=abcdzad&dzadzza=dzadzdza"
>>>> >
>>>> > Then I run suricata on the pcap:
>>>> > # suricata --runmode single -c suricata.yaml -r test.pcap
>>>> >
>>>> > #### Events:
>>>> > 04/19/2012-09:20:21.738662  [**] [1:90011669:1] FN suricata [**]
>>>> > [Classification: access to a potentially vulnerable web application]
>>>> > [Priority: 2] {TCP} 1.2.3.4:4702 -> 195.88.54.16:80
>>>> > 04/19/2012-09:20:21.738662  [**] [1:90011668:1] FN suricata [**]
>>>> > [Classification: access to a potentially vulnerable web application]
>>>> > [Priority: 2] {TCP} 1.2.3.4:4702 -> 195.88.54.16:80
>>>> > 04/19/2012-09:20:21.738662  [**] [1:90011667:1] FN suricata [**]
>>>> > [Classification: access to a potentially vulnerable web application]
>>>> > [Priority: 2] {TCP} 1.2.3.4:4702 -> 195.88.54.16:80
>>>> >
>>>> > I run without checksum validation.
>>>> >
>>>> > Tested on two versions of suricata:
>>>> > 1: This is Suricata version 1.1beta2 (rev 58d7cb2)
>>>> >   (1.1.1 (rev 1bfb46f) is throwing a flow error I'm not digging into
>>>> > right now)
>>>> > 2: This is Suricata version 1.3dev (rev fbe0206)
>>>>
>>>> Thanks for checking. Maybe it's related to the ECN and CWR flags that
>>>> are set on the first 2 packets.
>>>>
>>> I think it has something to do with the Congestion Notification, because
>>> if I run with rmkml's pcap, I get rmkml's results.
>>> But doing as Edward has done, I get spot-on results.
>>>
>>>
>>>
>>>>
>>>> Cheers,
>>>> Victor
>>>>
>>>>
>>>> > E
>>>> >
>>>> >
>>>> > On 04/19/2012 01:58 AM, rmkml wrote:
>>>> >> Hi,
>>>> >>
>>>> >> I'm restarting my Suricata (v1.2.1 and 1.3git) testing and I found
>>>> >> strange results with these sigs not firing:
>>>> >>
>>>> >> alert tcp any any -> any 80 (msg:"FN suricata";
>>>> >> flow:to_server,established; isdataat:1;
>>>> >> classtype:web-application-activity; sid:90011667; rev:1;)
>>>> >>
>>>> >> alert tcp any any -> any 80 (msg:"FN suricata";
>>>> >> flow:to_server,established; pcre:"/^[^\n]{5}/P";
>>>> >> classtype:web-application-activity; sid:90011668; rev:1;)
>>>> >>
>>>> >> alert tcp any any -> any 80 (msg:"FN suricata";
>>>> >> flow:to_server,established; content:"galid"; nocase;
>>>> >> http_client_body;
>>>> >> classtype:web-application-activity; sid:90011669; rev:1;)
>>>> >>
>>>> >>
>>>> >> Tested with these two http commands:
>>>> >>  wget http://192.168.1.1/abcd.php
>>>> >> --post-data="galid=abcdzad&dzadzza=dzadzdza"
>>>> >>  curl http://192.168.1.1/abcd.php --data
>>>> >> "galid=abcdzad&dzadzza=dzadzdza"
>>>> >>
>>>> >> Attached my two pcaps for replaying.
>>>> >> No suricata error.
>>>> >> Disabled cksum validation.
>>>> >>
>>>> >> I'm sure I'm totally wrong, but could someone check/confirm please? If OK,
>>>> >> I'll open a new redmine ticket.
>>>> >> Of course, snort always fires.
>>>> >> Regards
>>>> >> Rmkml
>>>
>>>
>>>
>>> --
>>> Regards,
>>> Peter Manev
>>
>>
>>
>> I haven't run it as yet, but it looks like a bug since converting the
>> rule into a packet rule gives me an alert.  You can open a bug on
>> this.  Thanks rmkml.
>>
>> --
>> Anoop Saldanha



-- 
Anoop Saldanha