[Oisf-devel] [Oisf-users] http transaction not logged if http post body > 2KB

Delta Yeh delta.yeh at gmail.com
Tue Jul 10 04:55:35 UTC 2012


Here is the latest update.

Yesterday I tested Suricata in colinux, sending the HTTP request with wget from
the same colinux box. The request is logged and I see that
all of the request body is processed by the request body callback.

But if I put Suricata on a bridging Debian box, start Suricata as an
IDS, and send the HTTP request from another box to the web server behind the
Suricata box, I only see 1460 or 2920 bytes of request body data
processed by the request body callback. Suricata and the config file
are the same as in colinux.

Has anyone else done such tests?
2012/7/10 Delta Yeh <delta.yeh at gmail.com>:
> Sorry, my fault. This is a false alarm.
> The request is logged and the body data is processed correctly by the callback.
>
>
>
> 2012/7/9 Victor Julien <victor at inliniac.net>:
>> How are you determining that there is an issue? Both streams in your
>> pcap are logged into the http.log for me.
>>
>> Cheers,
>> Victor
>>
>> On 07/09/2012 05:19 PM, Delta Yeh wrote:
>>> And in other tests, the output is:
>>>
>>>
>>>
>>> [21364] 9/7/2012 -- 11:14:58 - (app-layer-htp.c:1834) <Error>
>>> (HTPCallbackRequestBodyData) -- [ERRCODE: SC_ERR_INVALID_VALUE(129)] -
>>> ===>HTPCallbackRequestBodyData<====
>>> [21364] 9/7/2012 -- 11:14:58 - (app-layer-htp.c:1853) <Error>
>>> (HTPCallbackRequestBodyData) -- [ERRCODE: SC_ERR_INVALID_VALUE(129)] -
>>> !!set up htud for HTPCallbackRequestBodyData!!
>>> [21364] 9/7/2012 -- 11:14:58 - (app-layer-htp.c:1905) <Error>
>>> (HTPCallbackRequestBodyData) -- [ERRCODE: SC_ERR_INVALID_VALUE(129)] -
>>> htud->request_body.content_len_so_far 0
>>> [21364] 9/7/2012 -- 11:14:58 - (app-layer-htp.c:1906) <Error>
>>> (HTPCallbackRequestBodyData) -- [ERRCODE: SC_ERR_INVALID_VALUE(129)] -
>>> hstate->request_body_limit 0
>>> [21364] 9/7/2012 -- 11:14:58 - (app-layer-htp.c:1834) <Error>
>>> (HTPCallbackRequestBodyData) -- [ERRCODE: SC_ERR_INVALID_VALUE(129)] -
>>> ===>HTPCallbackRequestBodyData<====
>>> [21364] 9/7/2012 -- 11:14:58 - (app-layer-htp.c:1905) <Error>
>>> (HTPCallbackRequestBodyData) -- [ERRCODE: SC_ERR_INVALID_VALUE(129)] -
>>> htud->request_body.content_len_so_far 1460
>>> [21364] 9/7/2012 -- 11:14:58 - (app-layer-htp.c:1906) <Error>
>>> (HTPCallbackRequestBodyData) -- [ERRCODE: SC_ERR_INVALID_VALUE(129)] -
>>> hstate->request_body_limit 0
>>> [21364] 9/7/2012 -- 11:14:58 - (app-layer-htp.c:1834) <Error>
>>> (HTPCallbackRequestBodyData) -- [ERRCODE: SC_ERR_INVALID_VALUE(129)] -
>>> ===>HTPCallbackRequestBodyData<====
>>> [21364] 9/7/2012 -- 11:14:58 - (app-layer-htp.c:1905) <Error>
>>> (HTPCallbackRequestBodyData) -- [ERRCODE: SC_ERR_INVALID_VALUE(129)] -
>>> htud->request_body.content_len_so_far 2920
>>> [21364] 9/7/2012 -- 11:14:58 - (app-layer-htp.c:1906) <Error>
>>> (HTPCallbackRequestBodyData) -- [ERRCODE: SC_ERR_INVALID_VALUE(129)] -
>>> hstate->request_body_limit 0
>>> [21364] 9/7/2012 -- 11:14:58 - (app-layer-htp.c:1834) <Error>
>>> (HTPCallbackRequestBodyData) -- [ERRCODE: SC_ERR_INVALID_VALUE(129)] -
>>> ===>HTPCallbackRequestBodyData<====
>>> [21364] 9/7/2012 -- 11:14:58 - (app-layer-htp.c:1905) <Error>
>>> (HTPCallbackRequestBodyData) -- [ERRCODE: SC_ERR_INVALID_VALUE(129)] -
>>> htud->request_body.content_len_so_far 4380
>>> [21364] 9/7/2012 -- 11:14:58 - (app-layer-htp.c:1906) <Error>
>>> (HTPCallbackRequestBodyData) -- [ERRCODE: SC_ERR_INVALID_VALUE(129)] -
>>> hstate->request_body_limit 0
>>> [21364] 9/7/2012 -- 11:14:59 - (app-layer-htp.c:1834) <Error>
>>> (HTPCallbackRequestBodyData) -- [ERRCODE: SC_ERR_INVALID_VALUE(129)] -
>>> ===>HTPCallbackRequestBodyData<====
>>> [21364] 9/7/2012 -- 11:14:59 - (app-layer-htp.c:1853) <Error>
>>> (HTPCallbackRequestBodyData) -- [ERRCODE: SC_ERR_INVALID_VALUE(129)] -
>>> !!set up htud for HTPCallbackRequestBodyData!!
>>> [21364] 9/7/2012 -- 11:14:59 - (app-layer-htp.c:1905) <Error>
>>> (HTPCallbackRequestBodyData) -- [ERRCODE: SC_ERR_INVALID_VALUE(129)] -
>>> htud->request_body.content_len_so_far 0
>>> [21364] 9/7/2012 -- 11:14:59 - (app-layer-htp.c:1906) <Error>
>>> (HTPCallbackRequestBodyData) -- [ERRCODE: SC_ERR_INVALID_VALUE(129)] -
>>> hstate->request_body_limit 0
>>> [21364] 9/7/2012 -- 11:14:59 - (app-layer-htp.c:1834) <Error>
>>> (HTPCallbackRequestBodyData) -- [ERRCODE: SC_ERR_INVALID_VALUE(129)] -
>>> ===>HTPCallbackRequestBodyData<====
>>> [21364] 9/7/2012 -- 11:14:59 - (app-layer-htp.c:1905) <Error>
>>> (HTPCallbackRequestBodyData) -- [ERRCODE: SC_ERR_INVALID_VALUE(129)] -
>>> htud->request_body.content_len_so_far 1460
>>> [21364] 9/7/2012 -- 11:14:59 - (app-layer-htp.c:1906) <Error>
>>> (HTPCallbackRequestBodyData) -- [ERRCODE: SC_ERR_INVALID_VALUE(129)] -
>>> hstate->request_body_limit 0
>>> [21364] 9/7/2012 -- 11:14:59 - (app-layer-htp.c:1834) <Error>
>>> (HTPCallbackRequestBodyData) -- [ERRCODE: SC_ERR_INVALID_VALUE(129)] -
>>> ===>HTPCallbackRequestBodyData<====
>>> [21364] 9/7/2012 -- 11:14:59 - (app-layer-htp.c:1905) <Error>
>>> (HTPCallbackRequestBodyData) -- [ERRCODE: SC_ERR_INVALID_VALUE(129)] -
>>> htud->request_body.content_len_so_far 2920
>>> [21364] 9/7/2012 -- 11:14:59 - (app-layer-htp.c:1906) <Error>
>>> (HTPCallbackRequestBodyData) -- [ERRCODE: SC_ERR_INVALID_VALUE(129)] -
>>> hstate->request_body_limit 0
>>>
>>>
>>> The wget command output is:
>>>
>>> colinux:~/tmp# wget -d http://192.168.1.1/news/search.asp
>>> --post-file=/root/tmp/post.txt
>>> Setting --post-file (postfile) to /root/tmp/post.txt
>>> DEBUG output created by Wget 1.12 on linux-gnu.
>>>
>>> --2012-07-09 11:14:58--  http://192.168.1.1/news/search.asp
>>> Connecting to 192.168.1.1:80... connected.
>>> Created socket 3.
>>> Releasing 0x080a2ac8 (new refcount 0).
>>> Deleting unused 0x080a2ac8.
>>>
>>> ---request begin---
>>> POST /news/search.asp HTTP/1.0
>>> User-Agent: Wget/1.12 (linux-gnu)
>>> Accept: */*
>>> Host: 192.168.1.1
>>> Connection: Keep-Alive
>>> Content-Type: application/x-www-form-urlencoded
>>> Content-Length: 6188
>>>
>>> ---request end---
>>> [writing POST file /root/tmp/post.txt ... done]
>>> HTTP request sent, awaiting response... No data received.
>>> Closed fd 3
>>> Retrying.
>>>
>>> --2012-07-09 11:14:59--  (try: 2)  http://192.168.1.1/news/search.asp
>>> Connecting to 192.168.1.1:80... connected.
>>> Created socket 3.
>>> Releasing 0x080a2898 (new refcount 0).
>>> Deleting unused 0x080a2898.
>>>
>>> ---request begin---
>>> POST /news/search.asp HTTP/1.0
>>> User-Agent: Wget/1.12 (linux-gnu)
>>> Accept: */*
>>> Host: 192.168.1.1
>>> Connection: Keep-Alive
>>> Content-Type: application/x-www-form-urlencoded
>>> Content-Length: 6188
>>>
>>> ---request end---
>>> [writing POST file /root/tmp/post.txt ... done]
>>> HTTP request sent, awaiting response...
>>> ---response begin---
>>> HTTP/1.1 200 Ok
>>> Server: micro_httpd
>>> Cache-Control: no-cache
>>> Date: Mon, 09 Jul 2012 23:14:57 GMT
>>> Set-Cookie: Name=; path=/
>>> Content-Type: text/html
>>> Connection: close
>>>
>>> ---response end---
>>> 200 Ok
>>>
>>
>>
>> --
>> ---------------------------------------------
>> Victor Julien
>> http://www.inliniac.net/
>> PGP: http://www.inliniac.net/victorjulien.asc
>> ---------------------------------------------
>>
>>
>>
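The debug lines above record, for each call of the request body callback, how many body bytes had already been counted (content_len_so_far) before the current chunk, so the last value per transaction is only a lower bound on what Suricata received. As an added example that is not code from the thread or from Suricata, the Python below parses lines in that shape, groups them per transaction (each "set up htud" line starts a new one), and compares the last counted offset with the Content-Length from the wget request dump. The sample input is a condensed copy of the lines quoted above; the 1460-byte MSS value and the assumption that the unlogged final chunk is no larger than the largest logged one are mine, not the page's.

```python
import re

# Condensed copy of the Suricata debug lines quoted in the thread (sample
# input for this example, not a live capture). Line wrapping is irrelevant:
# the parser only looks for the two markers, wherever they appear.
SAMPLE_LOG = """\
(app-layer-htp.c:1853) <Error> (HTPCallbackRequestBodyData) - !!set up htud for HTPCallbackRequestBodyData!!
(app-layer-htp.c:1905) <Error> (HTPCallbackRequestBodyData) - htud->request_body.content_len_so_far 0
(app-layer-htp.c:1906) <Error> (HTPCallbackRequestBodyData) - hstate->request_body_limit 0
(app-layer-htp.c:1905) <Error> (HTPCallbackRequestBodyData) - htud->request_body.content_len_so_far 1460
(app-layer-htp.c:1905) <Error> (HTPCallbackRequestBodyData) - htud->request_body.content_len_so_far 2920
(app-layer-htp.c:1905) <Error> (HTPCallbackRequestBodyData) - htud->request_body.content_len_so_far 4380
(app-layer-htp.c:1853) <Error> (HTPCallbackRequestBodyData) - !!set up htud for HTPCallbackRequestBodyData!!
(app-layer-htp.c:1905) <Error> (HTPCallbackRequestBodyData) - htud->request_body.content_len_so_far 0
(app-layer-htp.c:1905) <Error> (HTPCallbackRequestBodyData) - htud->request_body.content_len_so_far 1460
(app-layer-htp.c:1905) <Error> (HTPCallbackRequestBodyData) - htud->request_body.content_len_so_far 2920
"""

# The request headers wget printed in the thread (sample input).
SAMPLE_REQUEST = """\
POST /news/search.asp HTTP/1.0
User-Agent: Wget/1.12 (linux-gnu)
Host: 192.168.1.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 6188
"""

# Assumption: Ethernet MTU 1500 minus 40 bytes of IPv4 + TCP headers.
TYPICAL_MSS = 1460

_MARKER = re.compile(r"set up htud|content_len_so_far\s+(\d+)")
_CONTENT_LENGTH = re.compile(r"^Content-Length:\s*(\d+)\s*$", re.M | re.I)


def parse_body_offsets(text):
    """Return one list of content_len_so_far values per transaction, in log order."""
    txs = []
    for m in _MARKER.finditer(text):
        if m.group(1) is None:          # "set up htud": new per-transaction storage
            txs.append([])
            continue
        if not txs:                     # tolerate a log that starts mid-transaction
            txs.append([])
        txs[-1].append(int(m.group(1)))
    return txs


def content_length_from_request(text):
    """Pull the declared body size out of a request header dump; None if absent."""
    m = _CONTENT_LENGTH.search(text)
    return int(m.group(1)) if m else None


def analyze_tx(offsets, content_length, mss=TYPICAL_MSS):
    """Summarise one transaction's callback sequence against the declared body size.

    content_len_so_far is logged before the current chunk is added, so the
    last value only proves that many bytes reached the callback; the size of
    the final chunk itself is never logged.
    """
    if not offsets:
        raise ValueError("transaction has no body callbacks")
    chunks = [b - a for a, b in zip(offsets, offsets[1:])]
    proven = offsets[-1]
    # Assumption: the unlogged final chunk is no larger than the largest logged one.
    plausible_max = proven + (max(chunks) if chunks else mss)
    return {
        "calls": len(offsets),
        "chunks": chunks,
        "segment_sized": bool(chunks) and all(c == mss for c in chunks),
        "bytes_proven": proven,
        "content_length": content_length,
        "short_under_assumption": plausible_max < content_length,
    }


def report(log_text, request_text):
    """Analyze every transaction in the log against the request's Content-Length."""
    clen = content_length_from_request(request_text)
    return [analyze_tx(offs, clen) for offs in parse_body_offsets(log_text)]


if __name__ == "__main__":
    for i, r in enumerate(report(SAMPLE_LOG, SAMPLE_REQUEST), 1):
        print(f"tx{i}: {r['calls']} callbacks, chunks={r['chunks']}, "
              f"segment-sized={r['segment_sized']}, proven>={r['bytes_proven']} "
              f"of {r['content_length']}, short?={r['short_under_assumption']}")
```

Chunks of exactly one MSS are what to expect when Suricata sits inline on a bridge and sees each TCP segment as it arrives, rather than the larger writes a loopback test on the same host can produce; the script's "short" verdict is only meaningful under the stated final-chunk assumption, so confirm a suspected truncation with the pcap and the http.log entry rather than from the debug lines alone.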


