[Oisf-devel] Suricata 1.2rc1 Available!

rmkml rmkml at yahoo.fr
Fri Jan 13 21:56:02 UTC 2012


Oops, it works (http_header on HTTP reply), thank you!
Rmkml


On Fri, 13 Jan 2012, Victor Julien wrote:

> The packet containing the GET request has a bad TCP checksum. Please try
> disabling checksum validation:
>
> stream:
>  checksum_validation: no
>
> Cheers,
> Victor
>
> On 01/12/2012 10:03 PM, rmkml wrote:
>> Thank you Peter and Victor,
>> Sorry for the delay,
>> Attached my pcap file.
>> Best Regards
>> Rmkml
>>
>>
>> On Thu, 12 Jan 2012, Peter Manev wrote:
>>
>>> Hi,
>>> It does fire with rc1 and current git.
>>>
>>> I used your rule but changed the content to "cnn" - since I was
>>> loading the cnn.com page.
>>> It works with both HTTP and TCP.
>>> Now, the only thing that is not 100% reproduced with my test is the
>>> exact content of your rule - content:"X-Powered-By";.
>>> If you have a pcap to share, that would be best; if it is alright with you,
>>> of course, it can be shared privately as well.
>>>
>>> alert tcp any any -> any any (msg:"http header check";
>>> flow:to_client,established; content:"cnn"; http_header;
>>> classtype:attempted-user; sid:9313701; rev:1; )
>>>
>>> #this below is the orig rule
>>> # alert tcp any any -> any any (msg:"http reply found";
>>> flow:to_client,established; content:"X-Powered-By"; http_header;
>>> classtype:attempted-user; sid:9313701; rev:1; )
>>>
>>> 01/12/2012-08:43:40.343448  [**] [1:9313701:1] http header check [**]
>>> [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP}
>>> 66.235.142.14:80 -> 192.168.137.150:48216
>>> 01/12/2012-08:43:41.129280  [**] [1:9313701:1] http header check [**]
>>> [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP}
>>> 69.171.228.39:80 -> 192.168.137.150:48056
>>> 01/12/2012-08:43:41.129471  [**] [1:9313701:1] http header check [**]
>>> [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP}
>>> 69.171.228.39:80 -> 192.168.137.150:48057
>>>
>>> Thanks
>>>
>>> On Thu, Jan 12, 2012 at 12:27 AM, rmkml <rmkml at yahoo.fr> wrote:
>>>       Hi Victor and all OISF team,
>>>       Happy New Year again and Congratulations for this new release!
>>>
>>>       Excuse me, but when I test content with http_header on HTTP
>>> reply network traffic, Suricata v1.2rc1 does not fire... (without
>>> http_header, Suricata fires)
>>>
>>>       My very simple testing rule:
>>>        alert tcp any any -> any any (msg:"http reply found";
>>> flow:to_client,established; content:"X-Powered-By"; http_header;
>>> classtype:attempted-user; sid:9313701; rev:1; )
>>>
>>>       Anyone confirm please?
>>>       Regards
>>>       Rmkml
>>>
>>>
>>>       On Wed, 11 Jan 2012, Victor Julien wrote:
>>>
>>>      > Suricata 1.2rc1 Available!
>>>      >
>>>      > The OISF development team is proud to announce Suricata 1.2rc1, the
>>>      > first (and hopefully only) release candidate for Suricata 1.2. It brings
>>>      > performance increases, file inspection and extraction improvements and
>>>      > much more!
>>>      >
>>>      > Get the new release here:
>>>      > http://www.openinfosecfoundation.org/download/suricata-1.2rc1.tar.gz
>>>      >
>>>      > The new release comes with a number of important improvements and fixes.
>>>      >
>>>      > New features
>>>      >
>>>      > - app-layer-events keyword: similar to the decoder-events and
>>>      >   stream-events, this will allow matching on HTTP and SMTP events
>>>      > - auto detection of checksum offloading per interface (#311)
>>>      > - urilen options to match on raw or normalised URI (#341)
>>>      > - flow keyword options "only_stream" and "no_stream"
>>>      > - unixsock output options for all outputs except unified2 (PoC python
>>>      >   script in the qa/ dir) (#250)
>>>      >
>>>      > Improvements
>>>      >
>>>      > - in IPS mode, reject rules now also drop (#399)
>>>      > - http_header now also inspects response headers (#389)
>>>      > - "worker" runmodes for NFQ and IPFW
>>>      > - performance improvement for "ac" pattern matcher
>>>      > - allow empty/non-initialized flowints to be incremented
>>>      >
>>>      > Under the hood
>>>      >
>>>      > - PCRE-JIT is now enabled by default if available (#356)
>>>      > - many file inspection and extraction improvements
>>>      > - flowbits and flowints are now modified in a post-match action list
>>>      > - general performance improvements
>>>      >
>>>      > Notable Fixes & Changes
>>>      >
>>>      > - fixed parsing really high sid numbers >2 Billion (#393)
>>>      > - fixed ICMPv6 not matching in IP-only sigs (#363)
>>>      >
>>>      > Known issues & missing features
>>>      >
>>>      > This is a "release candidate"-quality release so the stability should be
>>>      > good although unexpected corner cases might happen. If you encounter
>>>      > one, please let us know!
>>>      >
>>>      > As always, we are doing our best to make you aware of continuing
>>>      > development and items within the engine that are not yet complete or
>>>      > optimal. With this in mind, please notice the list we have included of
>>>      > known items we are working on.
>>>      >
>>>      > See http://redmine.openinfosecfoundation.org/projects/suricata/issues
>>>      > for an up to date list and to report new issues. See
>>>      > http://redmine.openinfosecfoundation.org/projects/suricata/wiki/Known_issues
>>>      > for a discussion and time line for the major issues.
>>>      >
>>>      >
>>>      > --
>>>      > ---------------------------------------------
>>>      > Victor Julien
>>>      > http://www.inliniac.net/
>>>      > PGP: http://www.inliniac.net/victorjulien.asc
>>>      > ---------------------------------------------
>>>      >
>>>      > _______________________________________________
>>>      > Oisf-devel mailing list
>>>      > Oisf-devel at openinfosecfoundation.org
>>>      > http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel
>>>      >
>>>
>>>
>>>
>>>
>>> --
>>> Peter Manev
>>>
>>>
>
>
> -- 
> ---------------------------------------------
> Victor Julien
> http://www.inliniac.net/
> PGP: http://www.inliniac.net/victorjulien.asc
> ---------------------------------------------
>
>
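Editor's note, added to this archived thread (not code from the thread or from the Suricata project): Victor's diagnosis is that the GET request in the pcap carried a bad TCP checksum, which Suricata's stream engine rejects when checksum_validation is on, so the HTTP transaction never reached the http_header inspection. Before switching validation off globally, a practitioner wants to confirm that claim on the capture itself. The script below recomputes the TCP checksum of a raw IPv4/TCP packet exactly as a receiver would (RFC 1071 one's-complement sum over the pseudo-header, TCP header and payload). It builds its own constructed sample packets rather than reading the pcap from the thread: a GET request with a correct checksum, and the same packet with the checksum field left zero, which is what a capture taken on a host with TCP checksum offloading typically shows for outbound packets. The addresses and ports are taken from Peter's alert lines; the packet builder, the GET payload and all function names are this example's own assumptions.

```python
import struct
from ipaddress import IPv4Address


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071: sum the 16-bit big-endian words, folding carries back in.
    An odd trailing byte is padded with a zero byte, as the RFC specifies."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def inet_checksum(data: bytes) -> int:
    """Internet checksum: one's complement of the one's-complement sum."""
    return (~ones_complement_sum(data)) & 0xFFFF


def tcp_checksum_status(packet: bytes) -> dict:
    """Recompute the TCP checksum of a raw IPv4/TCP packet (no link-layer header).

    Returns the checksum stored in the segment, the value a receiver would
    compute, and whether they agree. Suricata's stream engine, with
    checksum_validation enabled, discards a segment for which 'ok' is False."""
    version = packet[0] >> 4
    ihl = (packet[0] & 0x0F) * 4
    if version != 4 or packet[9] != 6:
        raise ValueError("expected an IPv4 packet carrying TCP")
    total_len = struct.unpack("!H", packet[2:4])[0]
    segment = packet[ihl:total_len]          # TCP header + payload, IP padding excluded
    stored = struct.unpack("!H", segment[16:18])[0]
    # Pseudo-header: src addr, dst addr, zero, protocol (6), TCP length.
    pseudo = packet[12:20] + struct.pack("!BBH", 0, 6, len(segment))
    zeroed = segment[:16] + b"\x00\x00" + segment[18:]   # checksum field counts as zero
    expected = inet_checksum(pseudo + zeroed)
    return {"stored": stored, "expected": expected, "ok": stored == expected}


def build_ipv4_tcp(src: str, dst: str, sport: int, dport: int,
                   payload: bytes, fill_tcp_checksum: bool = True) -> bytes:
    """Construct a minimal IPv4/TCP (PSH+ACK) packet for testing (hypothetical helper).

    fill_tcp_checksum=False leaves the TCP checksum field at zero, mimicking a
    packet captured before the NIC filled it in (checksum offloading)."""
    tcp_len = 20 + len(payload)
    src_b, dst_b = IPv4Address(src).packed, IPv4Address(dst).packed
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, 20 + tcp_len, 0x1234, 0x4000, 64, 6, 0, src_b, dst_b)
    ip_hdr = ip_hdr[:10] + struct.pack("!H", inet_checksum(ip_hdr)) + ip_hdr[12:]
    # sport, dport, seq, ack, data offset (5 words), flags PSH|ACK, window, csum, urg
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 0x50, 0x18, 65535, 0, 0)
    segment = tcp_hdr + payload
    if fill_tcp_checksum:
        pseudo = src_b + dst_b + struct.pack("!BBH", 0, 6, len(segment))
        csum = inet_checksum(pseudo + segment)
        segment = segment[:16] + struct.pack("!H", csum) + segment[18:]
    return ip_hdr + segment


# Constructed sample: a client GET like the one Victor describes, using the
# client/server addresses and port from Peter's alert lines.
GET_REQUEST = b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
GOOD_PACKET = build_ipv4_tcp("192.168.137.150", "66.235.142.14", 48216, 80, GET_REQUEST)
OFFLOADED_PACKET = build_ipv4_tcp("192.168.137.150", "66.235.142.14", 48216, 80,
                                  GET_REQUEST, fill_tcp_checksum=False)


if __name__ == "__main__":
    for name, pkt in (("good", GOOD_PACKET), ("offloaded", OFFLOADED_PACKET)):
        s = tcp_checksum_status(pkt)
        print("%-9s stored=0x%04x expected=0x%04x ok=%s" % (name, s["stored"], s["expected"], s["ok"]))
```

If the offending packet in a capture reports ok=False with a stored checksum of zero, the cause is almost always checksum offloading on the capturing host rather than corruption on the wire, and the trace is still usable once Suricata is told not to validate (the stream: checksum_validation: no setting Victor gave). A non-zero stored value that still mismatches is the case worth keeping validation on for, since that is what a real receiver would drop too. Note that the 1.2rc1 release notes quoted above list auto-detection of checksum offloading per interface (#311) for live capture; this check is for pcaps read back offline, where no such detection applies.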