[Oisf-users] Suricata 1.4 simple alert rule, first visit to website not triggering an alert

Vincent Fang vincent.y.fang at gmail.com
Thu Jan 10 19:57:13 UTC 2013


I'm just trying to test out a simple rule where a visit to the website
www.businessweek.com triggers an alert.

Using nslookup on my side shows the IP address to be

207.86.164.88
207.86.164.98

so based on that info I created a new rule file called http-test.rules
which contains one line

# sid is required; 1000001 is a placeholder in the local-rule range
alert http any any -> 207.86.164.0/24 any (msg:"visiting businessweek"; sid:1000001; rev:1;)

I then modify the suricata.yaml file and comment out all the other rules
except my one rule just so I don't get spammed with all sorts of alerts. I
start up the engine like so

suricata -c /pathtoyaml/suricata.yaml -i eth0

and I check the logs directory to see that they're all at the initial state,
with fast.log at 0 bytes and http.log at 0 bytes.

I also have Wireshark running capturing packets on eth0 with the display
filter set to

http && ip.dst == 207.86.164.0/24

With Suricata and Wireshark running, I start up google-chrome and visit the
webpage www.businessweek.com.

Wireshark shows packets coming through that match, but Suricata shows no
alerts being triggered on the first visit. However, if I click on a link
within the businessweek webpage, things start popping up in fast.log
from my custom alert rule, with more packets being displayed in Wireshark as
well.

I've restarted this test multiple times and tried out a different website
as well, and the result is the same: the first visit to the website
does not trigger an alert, but subsequent visits to it do. So I'm not sure
if I'm doing something wrong or not understanding how the HTTP traffic
works.

I'm running Suricata 1.4 on Fedora 17.

Vince
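An added troubleshooting script, not part of the original post: it captures the first visit once with tcpdump, replays that capture through the same suricata.yaml with `suricata -r` so the run is repeatable, and tallies fast.log by sid and destination. The sid 1000001, the placeholder paths and the sample fast.log lines are assumptions constructed for this example.

```shell
#!/bin/sh
# Added example; assumes tcpdump and suricata on PATH. Paths are placeholders.
set -eu

RULE_NET="207.86.164.0/24"                  # network from the rule in the post
YAML="${YAML:-/pathtoyaml/suricata.yaml}"   # placeholder path, as in the post
PCAP="${PCAP:-/tmp/businessweek-first-visit.pcap}"
LOGDIR="${LOGDIR:-/tmp/suri-logs}"

# 1. Capture the first visit once so the exact same packets can be replayed.
#    Run this, load the site in the browser, then stop tcpdump with Ctrl-C.
capture_visit() {
    tcpdump -i eth0 -w "$PCAP" "net $RULE_NET and tcp port 80"
}

# 2. Replay the capture offline; alerts land in $LOGDIR/fast.log.
replay_pcap() {
    mkdir -p "$LOGDIR"
    : > "$LOGDIR/fast.log"
    suricata -c "$YAML" -r "$PCAP" -l "$LOGDIR"
}

# 3. Count fast.log lines for one sid (the [gid:sid:rev] field). $1=fast.log $2=sid
count_alerts() {
    grep -c "\[1:$2:" "$1" || true   # grep -c prints 0 and exits 1 on no match
}

# 4. Distinct destination hosts that produced alerts (the "-> ip:port" field).
alerted_dests() {
    sed -n 's/.*-> \([0-9.]*\):[0-9]*$/\1/p' "$1" | sort -u
}

# Constructed fast.log lines in the Suricata 1.x format, for a dry run of 3 and 4.
SAMPLE="$(mktemp)"
cat > "$SAMPLE" <<'EOF'
01/10/2013-14:57:20.101010  [**] [1:1000001:1] visiting businessweek [**] [Classification: (null)] [Priority: 3] {TCP} 192.168.1.10:51234 -> 207.86.164.88:80
01/10/2013-14:57:21.202020  [**] [1:1000001:1] visiting businessweek [**] [Classification: (null)] [Priority: 3] {TCP} 192.168.1.10:51235 -> 207.86.164.98:80
01/10/2013-14:57:22.303030  [**] [1:1000001:1] visiting businessweek [**] [Classification: (null)] [Priority: 3] {TCP} 192.168.1.10:51236 -> 207.86.164.88:80
EOF
echo "alerts for sid 1000001: $(count_alerts "$SAMPLE" 1000001)"
alerted_dests "$SAMPLE"
```

Comparing `alerted_dests` on the first-visit replay against the clicked-link replay shows whether the first visit's packets produce any alert at all when fed to the engine offline.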

