[Oisf-devel] Suricata and gzip
Anoop Saldanha
anoopsaldanha at gmail.com
Tue Aug 21 12:20:20 UTC 2012
On Wed, Jun 27, 2012 at 11:24 PM, Mike Cox <mike.cox52 at gmail.com> wrote:
> I am having trouble getting Suricata to alert on a rule and I suspect
> it could be related to gzip. Should Suricata and/or libhtp be
> configured/compiled to support gzip decompression specifically? I am
> running Suricata 1.3dev (rev 9f7588a).
>
> Here is the rule I want to fire:
>
> alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS
> Blackhole Landing Please wait a moment Jun 20 2012";
> flow:established,to_client; content:"Please wait a moment. You will be
> forwarded..."; classtype:trojan-activity; sid:2014931; rev:3;)
>
> I have tried adding file_data to it as well, like this:
>
> alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS
> Blackhole Landing Please wait a moment Jun 20 2012";
> flow:established,to_client; file_data; content:"Please wait a moment.
> You will be forwarded..."; classtype:trojan-activity; sid:2014931;
> rev:4;)
>
>
> As far as I can tell, my vars are set up correctly -- $HOME_NET is
> 192.168.0.0/16 and $EXTERNAL_NET is !$HOME_NET. I also have set the
> values so the stream should be inspected (I set stream reassembly
> depth to 0 since as I understand it this means no limit); when running
> Suricata I see this:
>
> [9765] 26/6/2012 -- 19:32:30 - (stream-tcp.c:334) <Info>
> (StreamTcpInitConfig) -- stream "max-sessions": 262144
> [9765] 26/6/2012 -- 19:32:30 - (stream-tcp.c:346) <Info>
> (StreamTcpInitConfig) -- stream "prealloc-sessions": 32768
> [9765] 26/6/2012 -- 19:32:30 - (stream-tcp.c:362) <Info>
> (StreamTcpInitConfig) -- stream "memcap": 67108864
> [9765] 26/6/2012 -- 19:32:30 - (stream-tcp.c:368) <Info>
> (StreamTcpInitConfig) -- stream "midstream" session pickups: disabled
> [9765] 26/6/2012 -- 19:32:30 - (stream-tcp.c:374) <Info>
> (StreamTcpInitConfig) -- stream "async-oneside": disabled
> [9765] 26/6/2012 -- 19:32:30 - (stream-tcp.c:391) <Info>
> (StreamTcpInitConfig) -- stream "checksum-validation": disabled
> [9765] 26/6/2012 -- 19:32:30 - (stream-tcp.c:401) <Info>
> (StreamTcpInitConfig) -- stream."inline": disabled
> [9765] 26/6/2012 -- 19:32:30 - (stream-tcp.c:419) <Info>
> (StreamTcpInitConfig) -- stream.reassembly "memcap": 134217728
> [9765] 26/6/2012 -- 19:32:30 - (stream-tcp.c:437) <Info>
> (StreamTcpInitConfig) -- stream.reassembly "depth": 0
> [9765] 26/6/2012 -- 19:32:30 - (stream-tcp.c:478) <Info>
> (StreamTcpInitConfig) -- stream.reassembly "toserver-chunk-size": 2560
> [9765] 26/6/2012 -- 19:32:30 - (stream-tcp.c:480) <Info>
> (StreamTcpInitConfig) -- stream.reassembly "toclient-chunk-size": 2560
>
> My yaml has this for libhtp:
>
> libhtp:
>
>   default-config:
>     personality: IDS
>     # Can be specified in kb, mb, gb. Just a number indicates
>     # it's in bytes.
>     request-body-limit: 0
>     response-body-limit: 0
>
>   server-config:
>
>     - apache:
>         address: [192.168.1.0/24, 127.0.0.0/8, "::1"]
>         personality: Apache_2_2
>         # Can be specified in kb, mb, gb. Just a number indicates
>         # it's in bytes.
>         request-body-limit: 4096
>         response-body-limit: 4096
>
>     - iis7:
>         address:
>           - 192.168.0.0/24
>           - 192.168.10.0/24
>         personality: IIS_7_0
>         # Can be specified in kb, mb, gb. Just a number indicates
>         # it's in bytes.
>         request-body-limit: 4096
>         response-body-limit: 4096
>
> I have attached the pcap I'm using. I would be curious if anyone can
> reproduce or perhaps I am missing something simple.
>
> Thanks.
>
> Mike Cox
>
> _______________________________________________
> Oisf-devel mailing list
> Oisf-devel at openinfosecfoundation.org
> https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel
Hi Mike,
Guess your mail was lost in our list.
Tried your pcap. The non file_data rule won't alert, since plain
contents would be run against the raw stream. The second file_data
rule alerts for me.
Are you still facing this issue?
--
Anoop Saldanha
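To illustrate the point in the reply above, here is an added example (not from the thread and not Suricata's or libhtp's own code): a constructed gzip-encoded HTTP response is searched once as the raw stream, the way a plain content match works, and once after the body has been decoded, the way file_data inspects it. The function names, the sample HTML page and the minimal header parsing are assumptions made for illustration; the content string is the one from the ET rule quoted in the thread.

```python
import gzip

# Content string from the ET rule quoted in the thread (sid:2014931).
PATTERN = b"Please wait a moment. You will be forwarded..."

# Constructed sample page; not captured traffic.
SAMPLE_HTML = (
    b"<html><body><h1>Please wait a moment. You will be forwarded...</h1>"
    b"</body></html>"
)


def build_gzip_response(body: bytes) -> bytes:
    """Build a minimal HTTP/1.1 response whose body is gzip-encoded (constructed)."""
    compressed = gzip.compress(body)
    headers = b"".join([
        b"HTTP/1.1 200 OK\r\n",
        b"Content-Type: text/html\r\n",
        b"Content-Encoding: gzip\r\n",
        b"Content-Length: %d\r\n" % len(compressed),
        b"\r\n",
    ])
    return headers + compressed


def raw_stream_match(response: bytes) -> bool:
    """A plain 'content' match runs against the reassembled stream as it was
    on the wire, so a gzip-encoded body is searched in compressed form."""
    return PATTERN in response


def file_data_match(response: bytes) -> bool:
    """'file_data' runs against the response body after the HTTP parser has
    decoded it, so Content-Encoding: gzip is undone before the search."""
    head, _, body = response.partition(b"\r\n\r\n")
    header_lines = [line.lower() for line in head.split(b"\r\n")[1:]]
    if b"content-encoding: gzip" in header_lines:
        body = gzip.decompress(body)
    return PATTERN in body


if __name__ == "__main__":
    resp = build_gzip_response(SAMPLE_HTML)
    print("plain content on raw stream:", raw_stream_match(resp))  # False
    print("file_data on decoded body:  ", file_data_match(resp))   # True
```

With an uncompressed body both searches find the string, which is why the same rule without file_data can appear to work on one server and not on another that compresses its responses.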