[Oisf-devel] Suricata and gzip
Mike Cox
mike.cox52 at gmail.com
Tue Aug 21 14:53:08 UTC 2012
Anoop,
It is working for me with file_data and later (latest?) versions of
Suricata. It appears that the file_data keyword is necessary for
inspection of decompressed gzip data. This is good to know although
I'm not sure this is the same for Snort so I'd recommend some clear
documentation. (Although in all fairness, the info is out there in
blog posts and stuff but I had trouble finding it a few months ago and
this is an important feature/ability of Suricata so good documentation
of how to take advantage of it is a good idea IMHO.)
-Mike Cox
On Tue, Aug 21, 2012 at 7:20 AM, Anoop Saldanha <anoopsaldanha at gmail.com> wrote:
> On Wed, Jun 27, 2012 at 11:24 PM, Mike Cox <mike.cox52 at gmail.com> wrote:
>> I am having trouble getting Suricata to alert on a rule and I suspect
>> it could be related to gzip. Should Suricata and/or libhtp be
>> configured/compiled to support gzip decompression specifically? I am
>> running Suricata 1.3dev (rev 9f7588a).
>>
>> Here is the rule I want to fire:
>>
>> alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS
>> Blackhole Landing Please wait a moment Jun 20 2012";
>> flow:established,to_client; content:"Please wait a moment. You will be
>> forwarded..."; classtype:trojan-activity; sid:2014931; rev:3;)
>>
>> I have tried adding file_data to it as well, like this:
>>
>> alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS
>> Blackhole Landing Please wait a moment Jun 20 2012";
>> flow:established,to_client; file_data; content:"Please wait a moment.
>> You will be forwarded..."; classtype:trojan-activity; sid:2014931;
>> rev:4;)
>>
>>
>> As far as I can tell, my vars are set up correctly -- $HOME_NET is
>> 192.168.0.0/16 and $EXTERNAL_NET is !$HOME_NET. I also have set the
>> values so the stream should be inspected (I set stream reassembly
>> depth to 0 since as I understand it this means no limit); when running
>> Suricata I see this:
>>
>> [9765] 26/6/2012 -- 19:32:30 - (stream-tcp.c:334) <Info>
>> (StreamTcpInitConfig) -- stream "max-sessions": 262144
>> [9765] 26/6/2012 -- 19:32:30 - (stream-tcp.c:346) <Info>
>> (StreamTcpInitConfig) -- stream "prealloc-sessions": 32768
>> [9765] 26/6/2012 -- 19:32:30 - (stream-tcp.c:362) <Info>
>> (StreamTcpInitConfig) -- stream "memcap": 67108864
>> [9765] 26/6/2012 -- 19:32:30 - (stream-tcp.c:368) <Info>
>> (StreamTcpInitConfig) -- stream "midstream" session pickups: disabled
>> [9765] 26/6/2012 -- 19:32:30 - (stream-tcp.c:374) <Info>
>> (StreamTcpInitConfig) -- stream "async-oneside": disabled
>> [9765] 26/6/2012 -- 19:32:30 - (stream-tcp.c:391) <Info>
>> (StreamTcpInitConfig) -- stream "checksum-validation": disabled
>> [9765] 26/6/2012 -- 19:32:30 - (stream-tcp.c:401) <Info>
>> (StreamTcpInitConfig) -- stream."inline": disabled
>> [9765] 26/6/2012 -- 19:32:30 - (stream-tcp.c:419) <Info>
>> (StreamTcpInitConfig) -- stream.reassembly "memcap": 134217728
>> [9765] 26/6/2012 -- 19:32:30 - (stream-tcp.c:437) <Info>
>> (StreamTcpInitConfig) -- stream.reassembly "depth": 0
>> [9765] 26/6/2012 -- 19:32:30 - (stream-tcp.c:478) <Info>
>> (StreamTcpInitConfig) -- stream.reassembly "toserver-chunk-size": 2560
>> [9765] 26/6/2012 -- 19:32:30 - (stream-tcp.c:480) <Info>
>> (StreamTcpInitConfig) -- stream.reassembly "toclient-chunk-size": 2560
>>
>> My yaml has this for libhtp:
>>
>> libhtp:
>>
>>   default-config:
>>     personality: IDS
>>     # Can be specified in kb, mb, gb. Just a number indicates
>>     # it's in bytes.
>>     request-body-limit: 0
>>     response-body-limit: 0
>>
>>   server-config:
>>
>>     - apache:
>>         address: [192.168.1.0/24, 127.0.0.0/8, "::1"]
>>         personality: Apache_2_2
>>         # Can be specified in kb, mb, gb. Just a number indicates
>>         # it's in bytes.
>>         request-body-limit: 4096
>>         response-body-limit: 4096
>>
>>     - iis7:
>>         address:
>>           - 192.168.0.0/24
>>           - 192.168.10.0/24
>>         personality: IIS_7_0
>>         # Can be specified in kb, mb, gb. Just a number indicates
>>         # it's in bytes.
>>         request-body-limit: 4096
>>         response-body-limit: 4096
>>
>> I have attached the pcap I'm using. I would be curious if anyone can
>> reproduce or perhaps I am missing something simple.
>>
>> Thanks.
>>
>> Mike Cox
>>
>
> Hi Mike,
>
> Guess your mail was lost in our list.
>
> Tried your pcap. The non file_data rule won't alert, since plain
> contents would be run against the raw stream. The second file_data
> rule alerts for me.
>
> You still facing this issue?
>
> --
> Anoop Saldanha
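To make the point of the thread concrete, here is an added Python script (not code from the thread, from Suricata or from libhtp) that builds a constructed gzip-encoded HTTP response containing the content string from the quoted ET rule, then emulates the two matching modes: a plain `content:` search over the raw reassembled stream bytes, and a `file_data` search over the body after it has been decoded according to `Content-Encoding`. The HTTP parsing and the match functions are simplified stand-ins for what libhtp and the detection engine do.

```python
import gzip
import zlib

# Content string from the ET rule quoted in the thread.
PATTERN = b"Please wait a moment. You will be forwarded..."


def build_gzip_response(html: bytes) -> bytes:
    """Constructed sample: a minimal HTTP/1.1 response with a gzip body."""
    body = gzip.compress(html)
    headers = (
        b"HTTP/1.1 200 OK\r\n"
        b"Content-Type: text/html\r\n"
        b"Content-Encoding: gzip\r\n"
        b"Content-Length: " + str(len(body)).encode() + b"\r\n"
        b"\r\n"
    )
    return headers + body


def split_response(raw: bytes):
    """Split a response into a lower-cased header dict and the raw body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:          # skip the status line
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return headers, body


def raw_stream_match(raw: bytes, pattern: bytes) -> bool:
    """Emulates a plain `content:` match: the bytes on the wire, as-is."""
    return pattern in raw


def file_data_match(raw: bytes, pattern: bytes) -> bool:
    """Emulates `file_data; content:`: match against the decoded body."""
    headers, body = split_response(raw)
    if headers.get(b"content-encoding", b"").lower() == b"gzip":
        try:
            body = gzip.decompress(body)
        except (OSError, EOFError, zlib.error):
            return False  # truncated or corrupt gzip: nothing to inspect
    return pattern in body


def demo():
    """Returns (raw-stream result, file_data result) for the gzip sample."""
    raw = build_gzip_response(b"<html><body>" + PATTERN + b"</body></html>")
    return raw_stream_match(raw, PATTERN), file_data_match(raw, PATTERN)
```

`demo()` returns `(False, True)`: the compressed bytes never contain the string, so only the decoded-body match fires, which is why the `file_data` version of the rule alerts and the plain one does not.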