[Oisf-devel] Suricata 1.2rc1 Available!

Victor Julien victor at inliniac.net
Fri Jan 13 12:31:25 UTC 2012


The packet containing the GET request has a bad TCP checksum. Please try
disabling checksum validation:

stream:
  checksum_validation: no

Cheers,
Victor

On 01/12/2012 10:03 PM, rmkml wrote:
> Thank you Peter and Victor,
> Sorry for the delay,
> Attached my pcap file.
> Best Regards
> Rmkml
> 
> 
> On Thu, 12 Jan 2012, Peter Manev wrote:
> 
>> Hi,
>> It does fire with rc1 and current git.
>>
>> I used your rule but changed the content to "cnn" - since I was
>> loading the cnn.com page.
>> It works with both HTTP and TCP.
>> Now, the only thing that is not 100% reproduced with my test is the
>> exact content of your rule - content:"X-Powered-By";.
>> If you have a pcap to share, that would be best; if it is alright with you
>> of course, it can be shared privately as well.
>>
>> alert tcp any any -> any any (msg:"http header check";
>> flow:to_client,established; content:"cnn"; http_header;
>> classtype:attempted-user; sid:9313701; rev:1; )
>>
>> #this below is the orig rule
>> # alert tcp any any -> any any (msg:"http reply found";
>> flow:to_client,established; content:"X-Powered-By"; http_header;
>> classtype:attempted-user; sid:9313701; rev:1; )
>>
>> 01/12/2012-08:43:40.343448  [**] [1:9313701:1] http header check [**]
>> [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP}
>> 66.235.142.14:80 -> 192.168.137.150:48216
>> 01/12/2012-08:43:41.129280  [**] [1:9313701:1] http header check [**]
>> [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP}
>> 69.171.228.39:80 -> 192.168.137.150:48056
>> 01/12/2012-08:43:41.129471  [**] [1:9313701:1] http header check [**]
>> [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP}
>> 69.171.228.39:80 -> 192.168.137.150:48057
>>
>> Thanks
>>
>> On Thu, Jan 12, 2012 at 12:27 AM, rmkml <rmkml at yahoo.fr> wrote:
>>       Hi Victor and all OISF team,
>>       Happy New Year again and congratulations on this new release!
>>
>>       Excuse me, but when I test content with http_header on HTTP
>>       reply network traffic, Suricata v1.2rc1 does not fire... (without
>>       http_header, Suricata fires)
>>
>>       My very simple testing rule:
>>       alert tcp any any -> any any (msg:"http reply found";
>>       flow:to_client,established; content:"X-Powered-By"; http_header;
>>       classtype:attempted-user; sid:9313701; rev:1; )
>>
>>       Can anyone confirm, please?
>>       Regards
>>       Rmkml
>>
>>
>>       On Wed, 11 Jan 2012, Victor Julien wrote:
>>
>>       > Suricata 1.2rc1 Available!
>>       >
>>       > The OISF development team is proud to announce Suricata 1.2rc1, the
>>       > first (and hopefully only) release candidate for Suricata 1.2. It brings
>>       > performance increases, file inspection and extraction improvements and
>>       > much more!
>>       >
>>       > Get the new release here:
>>       >
>>       > http://www.openinfosecfoundation.org/download/suricata-1.2rc1.tar.gz
>>       >
>>       > The new release comes with a number of important improvements and fixes.
>>       >
>>       > New features
>>       >
>>       > - app-layer-events keyword: similar to the decoder-events and
>>       >   stream-events, this will allow matching on HTTP and SMTP events
>>       > - auto detection of checksum offloading per interface (#311)
>>       > - urilen options to match on raw or normalised URI (#341)
>>       > - flow keyword option "only_stream" and "no_stream"
>>       > - unixsock output options for all outputs except unified2 (PoC python
>>       >   script in the qa/ dir) (#250)
>>       >
>>       > Improvements
>>       >
>>       > - in IPS mode, reject rules now also drop (#399)
>>       > - http_header now also inspects response headers (#389)
>>       > - "worker" runmodes for NFQ and IPFW
>>       > - performance improvement for "ac" pattern matcher
>>       > - allow empty/non-initialized flowints to be incremented
>>       >
>>       > Under the hood
>>       >
>>       > - PCRE-JIT is now enabled by default if available (#356)
>>       > - many file inspection and extraction improvements
>>       > - flowbits and flowints are now modified in a post-match action list
>>       > - general performance improvements
>>       >
>>       > Notable Fixes & Changes
>>       >
>>       > - fixed parsing really high sid numbers >2 Billion (#393)
>>       > - fixed ICMPv6 not matching in IP-only sigs (#363)
>>       >
>>       > Known issues & missing features
>>       >
>>       > This is a "release candidate"-quality release so the stability should be
>>       > good although unexpected corner cases might happen. If you encounter
>>       > one, please let us know!
>>       >
>>       > As always, we are doing our best to make you aware of continuing
>>       > development and items within the engine that are not yet complete or
>>       > optimal. With this in mind, please notice the list we have included of
>>       > known items we are working on.
>>       >
>>       > See http://redmine.openinfosecfoundation.org/projects/suricata/issues
>>       > for an up to date list and to report new issues. See
>>       > http://redmine.openinfosecfoundation.org/projects/suricata/wiki/Known_issues
>>       > for a discussion and time line for the major issues.
>>       >
>>       >
>>       > --
>>       > ---------------------------------------------
>>       > Victor Julien
>>       > http://www.inliniac.net/
>>       > PGP: http://www.inliniac.net/victorjulien.asc
>>       > ---------------------------------------------
>>       >
>>       > _______________________________________________
>>       > Oisf-devel mailing list
>>       > Oisf-devel at openinfosecfoundation.org
>>       >
>> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel
>>       >
>> -- 
>> Peter Manev
>>
>>


-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
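Victor's answer above comes down to TCP checksum validation in the stream engine. The following is an added example, not code from Suricata or from anyone in the thread: it verifies the TCP checksum of a constructed server reply and models the engine decision that keeps a bad-checksum segment away from http_header inspection until stream.checksum_validation is set to no. The addresses, payload and the name reaches_inspection are assumptions made here.

```python
"""Added example (not Suricata's code): TCP checksum verification and the
effect of stream.checksum_validation on whether a segment is inspected."""
import struct


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 checksum: one's complement of the 16-bit one's-complement sum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def tcp_checksum(src_ip: bytes, dst_ip: bytes, segment: bytes) -> int:
    """Checksum over the IPv4 pseudo-header (protocol 6) plus the TCP segment
    with its own checksum field zeroed."""
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, 6, len(segment))
    zeroed = segment[:16] + b"\x00\x00" + segment[18:]
    return ones_complement_sum(pseudo + zeroed)


def tcp_checksum_ok(src_ip: bytes, dst_ip: bytes, segment: bytes) -> bool:
    stored = struct.unpack("!H", segment[16:18])[0]
    return tcp_checksum(src_ip, dst_ip, segment) == stored


def build_segment(src_ip, dst_ip, sport, dport, payload, corrupt=False):
    """Minimal 20-byte TCP header (PSH|ACK) plus payload; corrupt=True flips one
    checksum bit, the kind of bad checksum a capture shows under offloading."""
    header = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    seg = header + payload
    csum = tcp_checksum(src_ip, dst_ip, seg)
    if corrupt:
        csum ^= 0x0001
    return seg[:16] + struct.pack("!H", csum) + seg[18:]


def reaches_inspection(src_ip, dst_ip, segment, checksum_validation=True):
    """Hypothetical model of the engine decision from the thread: with
    validation on, a bad checksum keeps the segment out of stream reassembly
    and the HTTP parser, so content with http_header cannot fire on it."""
    return not (checksum_validation and not tcp_checksum_ok(src_ip, dst_ip, segment))


# Constructed sample: a server reply of the kind rmkml's rule should match.
SRC_IP, DST_IP = bytes([66, 235, 142, 14]), bytes([192, 168, 137, 150])
REPLY = b"HTTP/1.1 200 OK\r\nX-Powered-By: constructed-sample\r\n\r\n"
```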



