[Oisf-devel] Suricata not fire on http reply detect if request are not http...

Anoop Saldanha anoopsaldanha at gmail.com
Sat May 19 04:14:34 UTC 2012


On Sat, May 19, 2012 at 5:16 AM, rmkml <rmkml at yahoo.fr> wrote:
> Hi,
>
> OK, I'm continuing my Suricata testing. Could someone check this, please? (If
> yes/confirmed, I'll open a new ticket.)
>
> OK, first, send this traffic (Secure...) on an HTTP connection:
>  telnet www.microsoft.com 80  # sorry
>  Trying 65.55.57.80...
>  Connected to www.microsoft.com.
>  Escape character is '^]'.
> C->S: Secure * Secure-HTTP/1.4
> S->C: HTTP/1.1 400 Bad Request
>  ...
>
> -> OK, I'm sending an unknown "Secure" HTTP method, a wrong URI and a bad HTTP
> version...
>
>
> Next, use only two Suricata signatures:
>
> does not fire:
>  alert tcp any 80 -> any any (msg:"test1"; flow:to_client,established;
> content:"400"; http_stat_code; classtype:web-application-attack; sid:11;
> rev:1;)
>
> fires:
>  alert tcp any 80 -> any any (msg:"test2"; flow:to_client,established;
> content:" 400 Bad Request"; nocase; classtype:web-application-attack;
> sid:12; rev:1;)
>
>
> OK: the HTTP request side is not HTTP,
> but the HTTP reply side is HTTP: why does Suricata not fire, please? (Of course Snort
> fires with the same sigs.)
>
> Tested on suricata git at 16 May 2012. same results with v1.2.1.
>
> Attached a pcap as an example.
>
> Regards
> Rmkml
>
> http://twitter.com/rmkml
> _______________________________________________
> Oisf-devel mailing list
> Oisf-devel at openinfosecfoundation.org
> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel

Hi,

Actually, this is one of the scenarios where our protocol detection
fails and we don't send the HTTP stream to our htp parser.  This will
be fixed when we fix/update our app layer proto detection.

You can open a bug on this.  Thanks.

-- 
Anoop Saldanha
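The following is an added illustration of the failure mode discussed in this thread, not code from Suricata or from either poster. It is a toy model: a protocol detector keyed only on the first to-server bytes never hands the stream to an HTTP parser, so the `http_stat_code` buffer behind sid 11 is never populated, while sid 12's raw `content` match still sees " 400 Bad Request" in the TCP payload. The `check_reply` flag models detection that also inspects the to-client status line, which is what makes sid 11 fire. The two payloads are constructed from the telnet session quoted above; all function names, the method list and the regexes are assumptions of this example and do not reflect how Suricata implements detection.

```python
"""Toy model: why `http_stat_code` misses when the request side is not HTTP.

Constructed example for this thread; not Suricata's code. Real Suricata
detection is considerably more involved than the two checks below.
"""
import re

# Constructed traffic, copied from the telnet session in the thread.
REQUEST = b"Secure * Secure-HTTP/1.4\r\n\r\n"
REPLY = b"HTTP/1.1 400 Bad Request\r\nContent-Length: 0\r\n\r\n"

# Assumed request-method prefixes used for to-server protocol detection.
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ",
                b"OPTIONS ", b"TRACE ", b"CONNECT ")

STATUS_LINE = re.compile(rb"^HTTP/\d\.\d (\d{3}) ")


def detect_proto(to_server: bytes, to_client: bytes, check_reply: bool) -> str:
    """Return 'http' or 'unknown'.

    check_reply=False: detection keyed only on the first to-server bytes,
    the situation the thread describes. check_reply=True: a genuine
    status line in the reply is also enough to classify the flow as HTTP.
    """
    if to_server.startswith(HTTP_METHODS):
        return "http"
    if check_reply and STATUS_LINE.match(to_client):
        return "http"
    return "unknown"


def http_stat_code(reply: bytes, proto: str):
    """The http_stat_code buffer only exists once the HTTP parser ran."""
    if proto != "http":
        return None
    m = STATUS_LINE.match(reply)
    return m.group(1) if m else None


def match_sid11(reply: bytes, proto: str) -> bool:
    """alert tcp ... (content:"400"; http_stat_code; sid:11;)"""
    code = http_stat_code(reply, proto)
    return code is not None and b"400" in code


def match_sid12(reply: bytes, proto: str) -> bool:
    """alert tcp ... (content:" 400 Bad Request"; nocase; sid:12;)

    A raw content match runs on the TCP payload whatever the app-layer
    verdict is, so `proto` is deliberately ignored here.
    """
    return b" 400 bad request" in reply.lower()


def evaluate(to_server: bytes, to_client: bytes, check_reply: bool) -> dict:
    """Run detection, then both rules, and report what fired."""
    proto = detect_proto(to_server, to_client, check_reply)
    return {
        "proto": proto,
        "sid11": match_sid11(to_client, proto),
        "sid12": match_sid12(to_client, proto),
    }


if __name__ == "__main__":
    # Request-only detection: the flow stays 'unknown', only sid 12 fires.
    print("request-only detection:", evaluate(REQUEST, REPLY, check_reply=False))
    # Detection that also looks at the reply: both rules fire.
    print("both-direction detection:", evaluate(REQUEST, REPLY, check_reply=True))
    # A normal GET is classified from the request alone.
    print("normal GET:", evaluate(b"GET / HTTP/1.1\r\n\r\n", REPLY, check_reply=False))
```

The practical check this suggests when a `http_*` sticky-buffer rule stays silent while a plain `content` rule on the same bytes fires: confirm the flow was actually classified as HTTP (for instance in Suricata's flow or http event logs) before suspecting the rule itself.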


