[Oisf-users] Oisf-users Digest, Vol 38, Issue 8

郑博文 anshuitian at gmail.com
Mon Jan 14 03:24:17 UTC 2013


I'm sorry, the version of my Suricata code is 1.3.5. I just downloaded the 1.4
version of the code, and the bug was repaired!

 Thank you!

2013/1/12 <oisf-users-request at openinfosecfoundation.org>

> Send Oisf-users mailing list submissions to
>         oisf-users at openinfosecfoundation.org
>
> To subscribe or unsubscribe via the World Wide Web, visit
>
> https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> or, via email, send a message with subject or body 'help' to
>         oisf-users-request at openinfosecfoundation.org
>
> You can reach the person managing the list at
>         oisf-users-owner at openinfosecfoundation.org
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Oisf-users digest..."
>
>
> Today's Topics:
>
>    1. Re: Suricata 1.4 simple alert rule, first visit to website
>       not triggering an alert (Vincent Fang)
>    2. Re: Suricata 1.4 simple alert rule, first visit to website
>       not triggering an alert (Anoop Saldanha)
>    3. Re: Is this a bug? (Victor Julien)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Thu, 10 Jan 2013 16:30:20 -0500
> From: Vincent Fang <vincent.y.fang at gmail.com>
> To: Eoin Miller <eoin.miller at trojanedbinaries.com>
> Cc: oisf-users at openinfosecfoundation.org
> Subject: Re: [Oisf-users] Suricata 1.4 simple alert rule, first visit
>         to website not triggering an alert
> Message-ID:
>         <CAMTbqJVxgq=fUfG2=3GTtjoLEVVXfTnpEAMDmEKWK=
> AjnPu0Qw at mail.gmail.com>
> Content-Type: text/plain; charset="iso-8859-1"
>
> Response to Peter Manav:
>
> Immediately after the first visit when I stop suricata, the logs stay the
> same with fast.log being at 0 bytes with no alerts along with unified2. A
> weird thing I'm noticing is that the http.log is also at 0 bytes as well
> even though I see get requests being made and passing through wireshark.
>
> I then saved the pcap file called businessweek from wireshark and cleared
> the logs again and ran suricata in offline pcap mode with the following
> command
> suricata -c /pathtoyaml/suricata.yaml -r /pathtopcap/businessweek
>
> and the resulting logs were the same, 0 bytes in the fast.log and 0 bytes
> in the http.log
>
> Response to rmkml:
>
> I tried with wget and the same situation occurs, with the fast.log
> being 0. I also tried clearing the Google cache and restarting the test
> again, and the same result occurred. I switched browsers to Firefox and
> cleared the cache however, and alerts started popping up in the fast.log,
> but only if I cleared the cache after already visiting the webpage once,
> otherwise fast.log would never populate.
>
> The thing that confuses me is what am I seeing in wireshark if it sees http
> packets matching the destination ip address? Or because it's all running on
> a local box, a special scenario occurs?
>
>
> Response to Eoin Miller:
>
> Changing the rule to tcp did not affect the outcome, and Wireshark didn't
> match the filter
> tcp && ip.dst == 207.86.164.0/24
>
>
> So it looks like I get the correct results with Firefox if the cache is
> cleared, but what exactly is going on if I see matching http packets in
> wireshark with the matching ip destination?
>
>
>
> NOTE: Sorry for the spam, if someone could clean up the mail archive, I'm
> not used to this mailing list.
>
>
> On Thu, Jan 10, 2013 at 3:37 PM, Eoin Miller <
> eoin.miller at trojanedbinaries.com> wrote:
>
> > On 1/10/2013 20:34, Eoin Miller wrote:
> > > On 1/10/2013 19:57, Vincent Fang wrote:
> > >>
> > >> alert http any any -> 207.86.164.0/24 <http://207.86.164.0/24> any
> > (msg:
> > >> "visiting businessweek")
> > >
> > > Maybe try alert tcp instead of alert http.
> > >
> > > -- Eoin
> >
> > alert ip might even be better.
> >
> > -- Eoin
> >
> >
> >
> > _______________________________________________
> > Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> > Site: http://suricata-ids.org | Support:
> http://suricata-ids.org/support/
> > List:
> https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> > OISF: http://www.openinfosecfoundation.org/
> >
>
> ------------------------------
>
> Message: 2
> Date: Fri, 11 Jan 2013 09:23:07 +0530
> From: Anoop Saldanha <anoopsaldanha at gmail.com>
> To: Vincent Fang <vincent.y.fang at gmail.com>
> Cc: oisf-users at openinfosecfoundation.org
> Subject: Re: [Oisf-users] Suricata 1.4 simple alert rule, first visit
>         to website not triggering an alert
> Message-ID:
>         <
> CAJK8jKEvZXd8TusftE8FO5pcSGy3WmhnFmaBSJD4SQLmOhSxzw at mail.gmail.com>
> Content-Type: text/plain; charset=UTF-8
>
> Have you checked the dst ip is the same as the one specified in your
> rule?  With load-balancing the dns can resolve to different ip
> addresses.
>
> On Fri, Jan 11, 2013 at 3:00 AM, Vincent Fang <vincent.y.fang at gmail.com>
> wrote:
>
>
>
> --
> Anoop Saldanha
>
>
> ------------------------------
>
> Message: 3
> Date: Fri, 11 Jan 2013 11:09:57 +0100
> From: Victor Julien <lists at inliniac.net>
> To: oisf-users at openinfosecfoundation.org
> Subject: Re: [Oisf-users] Is this a bug?
> Message-ID: <50EFE4F5.1080303 at inliniac.net>
> Content-Type: text/plain; charset=UTF-8
>
> On 12/29/2012 03:05 AM, 郑博文 wrote:
> > Hello:
> >     I am reading the Suricata code recently, and I think the first
> > "ACTION_REJECT_BOTH" should change to "ACTION_REJECT_DST" in
> > util-action.c file ActionOrderVal function line 56.
>
> This is the code:
>
>     if( (action & ACTION_REJECT) ||
>         (action & ACTION_REJECT_BOTH) ||
>         (action & ACTION_REJECT_DST)) {
>         action = ACTION_REJECT;
>     }
>
> How do you think it should be different? If ACTION_REJECT_BOTH would be
> changed to ACTION_REJECT_DST the latter would appear twice.
>
> Cheers,
> Victor
>
> --
> ---------------------------------------------
> Victor Julien
> http://www.inliniac.net/
> PGP: http://www.inliniac.net/victorjulien.asc
> ---------------------------------------------
>
>
>
> ------------------------------
>
> _______________________________________________
> Oisf-users mailing list
> Oisf-users at openinfosecfoundation.org
> https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>
>
> End of Oisf-users Digest, Vol 38, Issue 8
> *****************************************
>
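Following Anoop Saldanha's suggestion in the digest above to verify that the observed destination IP is actually the one the rule names, here is an added Python example (not from the thread or from the Suricata project) that parses the rule header and tests a constructed set of observed destination addresses against the rule's destination spec; the sample address list and the function names are assumptions, and the address-spec parser handles only `any`, CIDR, `!` negation and one level of `[...]` lists.

```python
import ipaddress
import re

# Rule header from the thread (the option part is irrelevant for address matching).
RULE = 'alert http any any -> 207.86.164.0/24 any (msg:"visiting businessweek";)'

# Constructed sample: destination IPs seen for the same hostname across several
# requests, as a load-balanced DNS answer might hand them out. Not real data.
OBSERVED_DST = ["207.86.164.20", "207.86.164.21", "198.51.100.17", "203.0.113.9"]

# action proto src src_port direction dst dst_port ( ... ); fields may not contain spaces.
HEADER_RE = re.compile(r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\(")


def parse_header(rule):
    """Split a Suricata rule header into its seven fields (hypothetical helper)."""
    m = HEADER_RE.match(rule.strip())
    if not m:
        raise ValueError("not a rule header: %r" % rule)
    keys = ("action", "proto", "src", "src_port", "direction", "dst", "dst_port")
    return dict(zip(keys, m.groups()))


def address_matches(spec, ip):
    """Evaluate an address spec ('any', CIDR, '!x', '[a,b,!c]') against one IP."""
    if spec == "any":
        return True
    if spec.startswith("!"):
        return not address_matches(spec[1:], ip)
    if spec.startswith("[") and spec.endswith("]"):
        parts = [p.strip() for p in spec[1:-1].split(",")]
        negatives = [p[1:] for p in parts if p.startswith("!")]
        positives = [p for p in parts if not p.startswith("!")]
        if any(address_matches(n, ip) for n in negatives):
            return False  # an excluded address never matches
        return not positives or any(address_matches(p, ip) for p in positives)
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def check_destinations(rule, ips):
    """Return {ip: bool}: is each observed destination covered by the rule's dst?"""
    dst = parse_header(rule)["dst"]
    return {ip: address_matches(dst, ip) for ip in ips}


if __name__ == "__main__":
    for ip, hit in check_destinations(RULE, OBSERVED_DST).items():
        print(ip, "covered" if hit else "NOT covered by rule dst (no alert expected)")
```

Any address reported as not covered explains a silent fast.log for that connection: the rule is fine, but the session went to a host outside 207.86.164.0/24.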