[Oisf-devel] Suricata not fire on http reply detect if request are not http...

rmkml rmkml at yahoo.fr
Fri May 18 23:46:19 UTC 2012


ok Im continue my Suricata testing, Someone check this please? (if yes/confirm, Im open a new ticket)

ok first, send this traffic (Secure...) on http connection:
  telnet www.microsoft.com 80  # sorry
  Connected to www.microsoft.com.
  Escape character is '^]'.
C->S: Secure * Secure-HTTP/1.4
S->C: HTTP/1.1 400 Bad Request

-> ok Im send unknown "Secure" http method and wrong uri and bad http version...

next, use only two Suricata signatures:

not fire:
  alert tcp any 80 -> any any (msg:"test1"; flow:to_client,established; content:"400"; http_stat_code; classtype:web-application-attack; sid:11; rev:1;)

  alert tcp any 80 -> any any (msg:"test2"; flow:to_client,established; content:" 400 Bad Request"; nocase; classtype:web-application-attack; sid:12; rev:1;)

ok: http request side are not http
but http reply side are http: why suricata not fire please? (of course 
snort fire with same sigs)

Tested on suricata git at 16 May 2012. same results with v1.2.1.

Joigned a pcap for example.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: http400.pcap
Type: application/octet-stream
Size: 1156 bytes
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-devel/attachments/20120519/3953e997/attachment.obj>

More information about the Oisf-devel mailing list