[Oisf-devel] Suricata 1.2rc1 Available!

Peter Manev petermanev at gmail.com
Thu Jan 12 08:19:34 UTC 2012


Hi,
It does fire with rc1 and current git.

I used your rule but changed the content to "cnn" - since I was loading the
cnn.com page.
It works with both HTTP and TCP.
Now, the only thing that is not 100% reproduced with my test is the exact
content of your rule - content:"X-Powered-By";.
If you have a pcap to share, that would be best; if it is alright with you, of
course, it can be shared privately as well.

alert tcp any any -> any any (msg:"http header check";
flow:to_client,established; content:"cnn"; http_header;
classtype:attempted-user; sid:9313701; rev:1; )

#this below is the orig rule
# alert tcp any any -> any any (msg:"http reply found";
flow:to_client,established; content:"X-Powered-By"; http_header;
classtype:attempted-user; sid:9313701; rev:1; )

01/12/2012-08:43:40.343448  [**] [1:9313701:1] http header check [**]
[Classification: Attempted User Privilege Gain] [Priority: 1] {TCP}
66.235.142.14:80 -> 192.168.137.150:48216
01/12/2012-08:43:41.129280  [**] [1:9313701:1] http header check [**]
[Classification: Attempted User Privilege Gain] [Priority: 1] {TCP}
69.171.228.39:80 -> 192.168.137.150:48056
01/12/2012-08:43:41.129471  [**] [1:9313701:1] http header check [**]
[Classification: Attempted User Privilege Gain] [Priority: 1] {TCP}
69.171.228.39:80 -> 192.168.137.150:48057

Thanks

On Thu, Jan 12, 2012 at 12:27 AM, rmkml <rmkml at yahoo.fr> wrote:

> Hi Victor and all OISF team,
> Happy New Year again and Congratulations for this new release!
>
> Excuse me, but when I'm testing content with http_header on HTTP reply network
> traffic: Suricata v1.2rc1 does not fire... (without http_header: Suricata fires)
>
> My very simple testing rule:
>  alert tcp any any -> any any (msg:"http reply found";
> flow:to_client,established; content:"X-Powered-By"; http_header;
> classtype:attempted-user; sid:9313701; rev:1; )
>
> Can anyone confirm please?
> Regards
> Rmkml
>
>
> On Wed, 11 Jan 2012, Victor Julien wrote:
>
> > Suricata 1.2rc1 Available!
> >
> > The OISF development team is proud to announce Suricata 1.2rc1, the
> > first (and hopefully only) release candidate for Suricata 1.2. It brings
> > performance increases, file inspection and extraction improvements and
> > much more!
> >
> > Get the new release here:
> > http://www.openinfosecfoundation.org/download/suricata-1.2rc1.tar.gz
> >
> > The new release comes with a number of important improvements and fixes.
> >
> > New features
> >
> > - app-layer-events keyword: similar to the decoder-events and
> > stream-events, this will allow matching on HTTP and SMTP events
> > - auto detection of checksum offloading per interface (#311)
> > - urilen options to match on raw or normalised URI (#341)
> > - flow keyword option "only_stream" and "no_stream"
> > - unixsock output options for all outputs except unified2 (PoC python
> > script in the qa/ dir) (#250)
> >
> > Improvements
> >
> > - in IPS mode, reject rules now also drop (#399)
> > - http_header now also inspects response headers (#389)
> > - "worker" runmodes for NFQ and IPFW
> > - performance improvement for "ac" pattern matcher
> > - allow empty/non-initialized flowints to be incremented
> >
> > Under the hood
> >
> > - PCRE-JIT is now enabled by default if available (#356)
> > - many file inspection and extraction improvements
> > - flowbits and flowints are now modified in a post-match action list
> > - general performance improvements
> >
> > Notable Fixes & Changes
> >
> > - fixed parsing really high sid numbers >2 Billion (#393)
> > - fixed ICMPv6 not matching in IP-only sigs (#363)
> >
> > Known issues & missing features
> >
> > This is a "release candidate"-quality release so the stability should be
> > good although unexpected corner cases might happen. If you encounter
> > one, please let us know!
> >
> > As always, we are doing our best to make you aware of continuing
> > development and items within the engine that are not yet complete or
> > optimal.  With this in mind, please notice the list we have included of
> > known items we are working on.
> >
> > See http://redmine.openinfosecfoundation.org/projects/suricata/issues
> > for an up to date list and to report new issues. See
> >
> > http://redmine.openinfosecfoundation.org/projects/suricata/wiki/Known_issues
> > for a discussion and time line for the major issues.
> >
> >
> > --
> > ---------------------------------------------
> > Victor Julien
> > http://www.inliniac.net/
> > PGP: http://www.inliniac.net/victorjulien.asc
> > ---------------------------------------------
> >
> > _______________________________________________
> > Oisf-devel mailing list
> > Oisf-devel at openinfosecfoundation.org
> > http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel
> >
>



-- 
Peter Manev
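The fast.log lines Peter pasted are the evidence that the http_header rule fired on response traffic, and a quick way to settle a "does it fire?" question is to parse that output and count alerts per sid and check the direction. The following parser is an added example written for this thread, not code from Suricata or from either poster; the sample input is the three alert lines from the message above, kept in the mail-wrapped form in which they appear, and the record/alert regexes, the `Alert` dataclass and the helper names are my own assumptions about the fast.log layout (the `[Classification: ...]` field is treated as optional because a rule without a classtype does not print it).

```python
"""Parse Suricata fast.log alert lines, including ones wrapped by a mail client."""
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample: the three alerts quoted in the message, exactly as the
# mail client wrapped them (continuation lines do not start with a timestamp).
SAMPLE_FASTLOG = """\
01/12/2012-08:43:40.343448  [**] [1:9313701:1] http header check [**]
[Classification: Attempted User Privilege Gain] [Priority: 1] {TCP}
66.235.142.14:80 -> 192.168.137.150:48216
01/12/2012-08:43:41.129280  [**] [1:9313701:1] http header check [**]
[Classification: Attempted User Privilege Gain] [Priority: 1] {TCP}
69.171.228.39:80 -> 192.168.137.150:48056
01/12/2012-08:43:41.129471  [**] [1:9313701:1] http header check [**]
[Classification: Attempted User Privilege Gain] [Priority: 1] {TCP}
69.171.228.39:80 -> 192.168.137.150:48057
"""

# A fast.log record starts with a timestamp of the form MM/DD/YYYY-HH:MM:SS.usec
_RECORD_START = re.compile(r"^\d{2}/\d{2}/\d{4}-\d{2}:\d{2}:\d{2}\.\d+")

# One complete alert line (assumed layout). [Classification: ...] is optional:
# a rule without a classtype keyword does not print it.
_ALERT = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s+(?P<classification>[^\]]*)\]\s+)?"
    r"\[Priority:\s+(?P<priority>\d+)\]\s+"
    r"\{(?P<proto>[^}]+)\}\s+"
    r"(?P<src>\S+):(?P<sport>\d+)\s+->\s+(?P<dst>\S+):(?P<dport>\d+)\s*$"
)


@dataclass
class Alert:
    timestamp: str
    gid: int
    sid: int
    rev: int
    msg: str
    classification: str
    priority: int
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def rejoin_wrapped(text: str) -> List[str]:
    """Glue mail-wrapped continuation lines back onto the record they belong to."""
    records: List[str] = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if _RECORD_START.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records


def parse_fastlog(text: str) -> List[Alert]:
    """Parse every alert record; records that do not match the layout are skipped."""
    alerts: List[Alert] = []
    for rec in rejoin_wrapped(text):
        m = _ALERT.match(rec)
        if not m:
            continue
        alerts.append(Alert(
            timestamp=m["ts"], gid=int(m["gid"]), sid=int(m["sid"]), rev=int(m["rev"]),
            msg=m["msg"], classification=m["classification"] or "",
            priority=int(m["priority"]), proto=m["proto"],
            src=m["src"], sport=int(m["sport"]), dst=m["dst"], dport=int(m["dport"]),
        ))
    return alerts


def count_by_sid(alerts: List[Alert]) -> Dict[int, int]:
    """How many times each signature fired; the number to compare between rule variants."""
    counts: Dict[int, int] = {}
    for a in alerts:
        counts[a.sid] = counts.get(a.sid, 0) + 1
    return counts


def all_to_client(alerts: List[Alert], server_port: int = 80) -> bool:
    """True when every alert has the server as the source, i.e. it fired on the
    response direction, which is what flow:to_client plus http_header should give."""
    return all(a.sport == server_port for a in alerts)


if __name__ == "__main__":
    parsed = parse_fastlog(SAMPLE_FASTLOG)
    for a in parsed:
        print(a.timestamp, a.sid, repr(a.msg), a.src, "->", a.dst, a.dport)
    print("per sid:", count_by_sid(parsed), "all to_client:", all_to_client(parsed))
```

Running it on a real fast.log means passing the file contents to `parse_fastlog` directly; `rejoin_wrapped` is harmless on unwrapped input because every line then starts with a timestamp. Comparing `count_by_sid` for the rule with and without `http_header` on the same pcap is the check rmkml's question calls for.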