[Oisf-devel] Suricata 1.2rc1 Available!

rmkml rmkml at yahoo.fr
Thu Jan 12 21:03:22 UTC 2012


Thanks Peter and Victor,
Sorry for the delay,
Attached my pcap file.
Best Regards
Rmkml


On Thu, 12 Jan 2012, Peter Manev wrote:

> Hi,
> It does fire with rc1 and current git.
> 
> I used your rule but changed the content to "cnn" - since I was loading the cnn.com page.
> It works with both HTTP and TCP.
> Now, the only thing that is not 100% reproduced with my test is the exact content of your rule - content:"X-Powered-By";.
> If you have a pcap to share would be best, if it is alright with you of course, it can be shared privately as well.
> 
> alert tcp any any -> any any (msg:"http header check"; flow:to_client,established; content:"cnn"; http_header; classtype:attempted-user; sid:9313701; rev:1; )
> 
> #this below is the orig rule
> # alert tcp any any -> any any (msg:"http reply found"; flow:to_client,established; content:"X-Powered-By"; http_header; classtype:attempted-user; sid:9313701; rev:1; )
> 
> 01/12/2012-08:43:40.343448  [**] [1:9313701:1] http header check [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 66.235.142.14:80 -> 192.168.137.150:48216
> 01/12/2012-08:43:41.129280  [**] [1:9313701:1] http header check [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 69.171.228.39:80 -> 192.168.137.150:48056
> 01/12/2012-08:43:41.129471  [**] [1:9313701:1] http header check [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 69.171.228.39:80 -> 192.168.137.150:48057
> 
> Thanks
> 
> On Thu, Jan 12, 2012 at 12:27 AM, rmkml <rmkml at yahoo.fr> wrote:
>       Hi Victor and all OISF team,
>       Happy New Year again and congratulations on this new release!
>
>       Excuse me, but when I test content with http_header on http reply network traffic, suricata v1.2rc1 does not fire... (without http_header, suricata fires)
>
>       My very simple testing rule:
>        alert tcp any any -> any any (msg:"http reply found"; flow:to_client,established; content:"X-Powered-By"; http_header; classtype:attempted-user; sid:9313701; rev:1; )
>
>       Anyone confirm please?
>       Regards
>       Rmkml
> 
>
>       On Wed, 11 Jan 2012, Victor Julien wrote:
>
>       > Suricata 1.2rc1 Available!
>       >
>       > The OISF development team is proud to announce Suricata 1.2rc1, the
>       > first (and hopefully only) release candidate for Suricata 1.2. It brings
>       > performance increases, file inspection and extraction improvements and
>       > much more!
>       >
>       > Get the new release here:
>       > http://www.openinfosecfoundation.org/download/suricata-1.2rc1.tar.gz
>       >
>       > The new release comes with a number of important improvements and fixes.
>       >
>       > New features
>       >
>       > - app-layer-events keyword: similar to the decoder-events and
>       > stream-events, this will allow matching on HTTP and SMTP events
>       > - auto detection of checksum offloading per interface (#311)
>       > - urilen options to match on raw or normalised URI (#341)
>       > - flow keyword option "only_stream" and "no_stream"
>       > - unixsock output options for all outputs except unified2 (PoC python
>       > script in the qa/ dir) (#250)
>       >
>       > Improvements
>       >
>       > - in IPS mode, reject rules now also drop (#399)
>       > - http_header now also inspects response headers (#389)
>       > - "worker" runmodes for NFQ and IPFW
>       > - performance improvement for "ac" pattern matcher
>       > - allow empty/non-initialized flowints to be incremented
>       >
>       > Under the hood
>       >
>       > - PCRE-JIT is now enabled by default if available (#356)
>       > - many file inspection and extraction improvements
>       > - flowbits and flowints are now modified in a post-match action list
>       > - general performance improvements
>       >
>       > Notable Fixes & Changes
>       >
>       > - fixed parsing really high sid numbers >2 Billion (#393)
>       > - fixed ICMPv6 not matching in IP-only sigs (#363)
>       >
>       > Known issues & missing features
>       >
>       > This is a "release candidate"-quality release so the stability should be
>       > good although unexpected corner cases might happen. If you encounter
>       > one, please let us know!
>       >
>       > As always, we are doing our best to make you aware of continuing
>       > development and items within the engine that are not yet complete or
>       > optimal.  With this in mind, please notice the list we have included of
>       > known items we are working on.
>       >
>       > See http://redmine.openinfosecfoundation.org/projects/suricata/issues
>       > for an up to date list and to report new issues. See
>       > http://redmine.openinfosecfoundation.org/projects/suricata/wiki/Known_issues
>       > for a discussion and time line for the major issues.
>       >
>       >
>       > --
>       > ---------------------------------------------
>       > Victor Julien
>       > http://www.inliniac.net/
>       > PGP: http://www.inliniac.net/victorjulien.asc
>       > ---------------------------------------------
>       >
>       > _______________________________________________
>       > Oisf-devel mailing list
>       > Oisf-devel at openinfosecfoundation.org
>       > http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel
>       >
> 
> 
> 
> 
> --
> Peter Manev
> 
>
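The fast.log lines Peter pasted above are the evidence that the rule fired in the to_client direction (server port 80 as the source). Added here as an example, not code from the thread or from the Suricata project: a small parser for that fast.log layout, plus a check that counts hits per server for a given sid. The sample lines are copied from the reply; the `Alert` record and the helper names are my own.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample input: fast.log lines in the same layout as the ones
# quoted in the reply above, plus one junk line the parser must skip.
SAMPLE_FAST_LOG = """\
01/12/2012-08:43:40.343448  [**] [1:9313701:1] http header check [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 66.235.142.14:80 -> 192.168.137.150:48216
01/12/2012-08:43:41.129280  [**] [1:9313701:1] http header check [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 69.171.228.39:80 -> 192.168.137.150:48056
this line is not an alert and must be skipped
"""

# One regex for the classic fast.log layout: timestamp, [gid:sid:rev], msg,
# classification, priority, {proto} and the src:port -> dst:port pair.
FAST_LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+\[Classification:\s*(?P<cls>[^\]]*)\]\s+"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>[^}]+)\}\s+"
    r"(?P<src>\S+?):(?P<sport>\d+)\s+->\s+(?P<dst>\S+?):(?P<dport>\d+)\s*$"
)


@dataclass(frozen=True)
class Alert:  # hypothetical record type, not a Suricata structure
    ts: str
    sid: int
    rev: int
    msg: str
    classification: str
    priority: int
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def parse_fast_log(text: str) -> list[Alert]:
    """Parse fast.log text into Alert records, ignoring non-matching lines."""
    alerts = []
    for line in text.splitlines():
        m = FAST_LOG_RE.match(line)
        if not m:
            continue
        alerts.append(Alert(
            ts=m["ts"], sid=int(m["sid"]), rev=int(m["rev"]), msg=m["msg"],
            classification=m["cls"], priority=int(m["prio"]), proto=m["proto"],
            src=m["src"], sport=int(m["sport"]), dst=m["dst"], dport=int(m["dport"]),
        ))
    return alerts


def server_side_hits(alerts: list[Alert], sid: int, server_port: int = 80) -> Counter:
    """Count alerts for `sid` whose source is the server port, i.e. the
    to_client direction the http_header rule under test is meant to match."""
    return Counter(a.src for a in alerts if a.sid == sid and a.sport == server_port)
```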
-------------- next part --------------
A non-text attachment was scrubbed...
Name: suricata12rc1httpreplytest.pcap.gz
Type: application/x-gzip
Size: 32538 bytes
Desc: 
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-devel/attachments/20120112/f25f96db/attachment.bin>

