[Oisf-devel] Suricata and gzip
Mike Cox
mike.cox52 at gmail.com
Wed Jun 27 18:00:56 UTC 2012
I am having trouble getting Suricata to alert on a rule and I suspect
it could be related to gzip. Should Suricata and/or libhtp be
configured/compiled to support gzip decompression specifically? I am
running Suricata 1.3dev (rev 9f7588a).
Here is the rule I want to fire:
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole Landing Please wait a moment Jun 20 2012"; flow:established,to_client; content:"Please wait a moment. You will be forwarded..."; classtype:trojan-activity; sid:2014931; rev:3;)
I have tried adding file_data to it as well, like this:
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole Landing Please wait a moment Jun 20 2012"; flow:established,to_client; file_data; content:"Please wait a moment. You will be forwarded..."; classtype:trojan-activity; sid:2014931; rev:4;)
As far as I can tell, my vars are set up correctly -- $HOME_NET is
192.168.0.0/16 and $EXTERNAL_NET is !$HOME_NET. I also have set the
values so the stream should be inspected (I set stream reassembly
depth to 0 since as I understand it this means no limit); when running
Suricata I see this:
[9765] 26/6/2012 -- 19:32:30 - (stream-tcp.c:334) <Info> (StreamTcpInitConfig) -- stream "max-sessions": 262144
[9765] 26/6/2012 -- 19:32:30 - (stream-tcp.c:346) <Info> (StreamTcpInitConfig) -- stream "prealloc-sessions": 32768
[9765] 26/6/2012 -- 19:32:30 - (stream-tcp.c:362) <Info> (StreamTcpInitConfig) -- stream "memcap": 67108864
[9765] 26/6/2012 -- 19:32:30 - (stream-tcp.c:368) <Info> (StreamTcpInitConfig) -- stream "midstream" session pickups: disabled
[9765] 26/6/2012 -- 19:32:30 - (stream-tcp.c:374) <Info> (StreamTcpInitConfig) -- stream "async-oneside": disabled
[9765] 26/6/2012 -- 19:32:30 - (stream-tcp.c:391) <Info> (StreamTcpInitConfig) -- stream "checksum-validation": disabled
[9765] 26/6/2012 -- 19:32:30 - (stream-tcp.c:401) <Info> (StreamTcpInitConfig) -- stream."inline": disabled
[9765] 26/6/2012 -- 19:32:30 - (stream-tcp.c:419) <Info> (StreamTcpInitConfig) -- stream.reassembly "memcap": 134217728
[9765] 26/6/2012 -- 19:32:30 - (stream-tcp.c:437) <Info> (StreamTcpInitConfig) -- stream.reassembly "depth": 0
[9765] 26/6/2012 -- 19:32:30 - (stream-tcp.c:478) <Info> (StreamTcpInitConfig) -- stream.reassembly "toserver-chunk-size": 2560
[9765] 26/6/2012 -- 19:32:30 - (stream-tcp.c:480) <Info> (StreamTcpInitConfig) -- stream.reassembly "toclient-chunk-size": 2560
My yaml has this for libhtp:
libhtp:
  default-config:
    personality: IDS
    # Can be specified in kb, mb, gb. Just a number indicates
    # it's in bytes.
    request-body-limit: 0
    response-body-limit: 0
  server-config:
    - apache:
        address: [192.168.1.0/24, 127.0.0.0/8, "::1"]
        personality: Apache_2_2
        # Can be specified in kb, mb, gb. Just a number indicates
        # it's in bytes.
        request-body-limit: 4096
        response-body-limit: 4096
    - iis7:
        address:
          - 192.168.0.0/24
          - 192.168.10.0/24
        personality: IIS_7_0
        # Can be specified in kb, mb, gb. Just a number indicates
        # it's in bytes.
        request-body-limit: 4096
        response-body-limit: 4096
I have attached the pcap I'm using. I would be curious if anyone can
reproduce or perhaps I am missing something simple.
Thanks.
Mike Cox
-------------- next part --------------
A non-text attachment was scrubbed...
Name: dump.pcap
Type: application/octet-stream
Size: 76807 bytes
Desc: not available
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-devel/attachments/20120627/81e37a50/attachment-0002.obj>
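The question turns on whether the literal in the rule is visible in the bytes the engine inspects. The following added example (not Mike's code, and not Suricata or libhtp code) builds a constructed HTTP/1.1 response carrying the rule's content string, optionally gzip- or deflate-encoded and optionally chunked, and then checks the string against the raw response bytes and against the body after transfer- and content-decoding. It shows the behaviour a plain `content` match sees on a compressed body (no match on raw bytes) versus what a match on the decoded body sees (match), which is the distinction to confirm on the captured pcap before changing the rule or the libhtp configuration. The function and parameter names are this example's own.

```python
"""Check whether a literal pattern is visible in an HTTP response before and
after content decoding. Constructed example; not Suricata or libhtp code."""
import gzip
import zlib

# Literal from the rule in the post.
PATTERN = b"Please wait a moment. You will be forwarded..."


def build_response(body, encoding=None, chunked=False):
    """Construct a minimal HTTP/1.1 response carrying `body` (test fixture)."""
    if encoding == "gzip":
        body = gzip.compress(body)
    elif encoding == "deflate":
        body = zlib.compress(body)
    headers = [b"HTTP/1.1 200 OK", b"Content-Type: text/html"]
    if encoding:
        headers.append(b"Content-Encoding: " + encoding.encode())
    if chunked:
        headers.append(b"Transfer-Encoding: chunked")
        # One data chunk followed by the zero-length terminating chunk.
        body = b"%x\r\n%s\r\n0\r\n\r\n" % (len(body), body)
    else:
        headers.append(b"Content-Length: %d" % len(body))
    return b"\r\n".join(headers) + b"\r\n\r\n" + body


def split_response(raw):
    """Split a response into (status line, header dict, body bytes)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete response head")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def dechunk(body):
    """Reassemble a chunked transfer-encoded body into its payload bytes."""
    out = bytearray()
    pos = 0
    while True:
        end = body.index(b"\r\n", pos)
        size = int(body[pos:end].split(b";")[0], 16)  # ignore chunk extensions
        if size == 0:
            break
        start = end + 2
        out += body[start:start + size]
        pos = start + size + 2  # skip the CRLF that ends each chunk
    return bytes(out)


def decode_body(headers, body):
    """Undo chunking and then gzip/deflate content-encoding, if present."""
    if headers.get(b"transfer-encoding", b"").lower() == b"chunked":
        body = dechunk(body)
    enc = headers.get(b"content-encoding", b"identity").lower()
    if enc == b"gzip":
        return gzip.decompress(body)
    if enc == b"deflate":
        # RFC deflate is zlib-wrapped, but some servers send raw deflate.
        try:
            return zlib.decompress(body)
        except zlib.error:
            return zlib.decompress(body, -zlib.MAX_WBITS)
    return body


def inspect_response(raw, pattern=PATTERN):
    """Report whether `pattern` matches the raw bytes and the decoded body."""
    _status, headers, body = split_response(raw)
    return {
        "content_encoding": headers.get(b"content-encoding", b"identity").decode(),
        "raw_match": pattern in raw,
        "decoded_match": pattern in decode_body(headers, body),
    }


if __name__ == "__main__":
    page = b"<html><body>" + PATTERN + b"</body></html>"
    for enc in (None, "gzip", "deflate"):
        print(enc, inspect_response(build_response(page, enc, chunked=True)))
```

For a real capture the same two checks apply to the server-to-client payload: if only the decoded check matches, the rule must inspect the decoded body rather than the raw stream.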