[Oisf-users] Suricata 1.4 simple alert rule, first visit to website not triggering an alert

Peter Manev petermanev at gmail.com
Thu Jan 10 20:03:16 UTC 2013


What happens if you stop Suricata right after the first visit - would it show an alert?
What happens if you run the pcap from Wireshark through Suricata? Would the
number of alerts match?


On Thu, Jan 10, 2013 at 8:57 PM, Vincent Fang <vincent.y.fang at gmail.com> wrote:

> I'm just trying to test out a simple rule where a visit to the website
> www.businessweek.com triggers an alert
> Using nslookup on my side shows the ip address to be
> so based on that info I created a new rule file called http-test.rules
> which contains one line
> alert http any any -> any (msg: "visiting businessweek")
> I then modify the suricata.yaml file and comment out all the other rules
> except my one rule just so I don't get spammed with all sorts of alerts. I
> start up the engine like so
> suricata -c /pathtoyaml/suricata.yaml -i eth0
> and I check the logs directory to see that they're all at the initial
> state with fast.log at 0 bytes and http.log at 0 bytes
> I also have wireshark running capturing packets on eth0 with the display
> filter set at
> http && ip.dst ==
> With suricata and wireshark running, I start up google-chrome and visit
> the webpage www.businessweek.com
> Wireshark shows packets coming through that match but suricata shows no
> alerts being triggered on the first visit. However, if I click on a link
> within the businessweek webpage, things start popping up in the fast.log
> with my custom alert rule with more packets being displayed in wireshark as
> well.
> I've restarted this test multiple times and tried out a different website
> as well, and the result is the same that the first visit to the website
> does not trigger an alert, but subsequent visits to it do, so I'm not sure
> if I'm doing something wrong or not understanding how the http traffic
> works.
> I'm running Suricata 1.4 on Fedora 17.
> Vince
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> OISF: http://www.openinfosecfoundation.org/

Peter Manev
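The second check suggested above, replaying the capture through Suricata (e.g. `suricata -c /pathtoyaml/suricata.yaml -r capture.pcap`) and comparing the alert count with what Wireshark shows, is easier to reason about per flow than as two raw totals, because Suricata may write more than one fast.log line for a flow. The script below is an added example, not code from this thread or from the Suricata project: it parses the fast.log line layout Suricata 1.x writes, and lists the HTTP requests from the capture (the kind of per-request record `tshark -Y http.request -T fields ...` produces) whose TCP 4-tuple never appears in any alert for the test signature. The sid 1000001, the fast.log lines and the request list are constructed for the example and use RFC 5737 documentation addresses, not businessweek's real address.

```python
"""Match Suricata fast.log alerts to the HTTP requests seen in a capture.

Added example for the thread above; not the mailing list's or Suricata's
own code. Sample data below is constructed.
"""
import re
from collections import Counter

# fast.log layout written by Suricata 1.x (one alert per line):
# <ts>  [**] [gid:sid:rev] <msg> [**] [Classification: ..] [Priority: N] {PROTO} src:sport -> dst:dport
FAST_LOG_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4}-\d{2}:\d{2}:\d{2}\.\d{6})\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"\[Classification:\s*(?P<cls>[^\]]*)\]\s+\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s*$"
)

# Constructed fast.log content: the test rule fired on two of three flows.
SAMPLE_FAST_LOG = """\
01/10/2013-20:57:40.102233  [**] [1:1000001:1] visiting businessweek [**] [Classification: (null)] [Priority: 3] {TCP} 192.0.2.10:50123 -> 198.51.100.20:80
01/10/2013-20:57:41.556789  [**] [1:1000001:1] visiting businessweek [**] [Classification: (null)] [Priority: 3] {TCP} 192.0.2.10:50124 -> 198.51.100.20:80
"""

# Constructed HTTP requests as Wireshark/tshark would list them from the same
# capture: (src, sport, dst, dport, host, uri). The first one is the initial
# page load, which has no matching alert line above.
SAMPLE_REQUESTS = [
    ("192.0.2.10", 50122, "198.51.100.20", 80, "www.businessweek.com", "/"),
    ("192.0.2.10", 50123, "198.51.100.20", 80, "www.businessweek.com", "/news"),
    ("192.0.2.10", 50124, "198.51.100.20", 80, "www.businessweek.com", "/markets"),
]


def parse_fast_log(text):
    """Parse fast.log text into a list of dicts; reject lines that do not fit the layout."""
    alerts = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = FAST_LOG_RE.match(line)
        if m is None:
            raise ValueError("unrecognised fast.log line: %r" % line)
        a = m.groupdict()
        for key in ("gid", "sid", "rev", "prio", "sport", "dport"):
            a[key] = int(a[key])
        alerts.append(a)
    return alerts


def alert_counts_by_sid(alerts):
    """How many fast.log lines each signature produced (a raw total, not per flow)."""
    return Counter(a["sid"] for a in alerts)


def compare_alerts_to_requests(fast_log_text, requests, sid):
    """Report which captured requests have no alert for `sid` on the same TCP 4-tuple.

    Matching per flow rather than comparing totals avoids being fooled by a
    signature that logs several lines for one flow.
    """
    alerts = [a for a in parse_fast_log(fast_log_text) if a["sid"] == sid]
    alerted_flows = {(a["src"], a["sport"], a["dst"], a["dport"]) for a in alerts}
    unmatched = [r for r in requests if (r[0], r[1], r[2], r[3]) not in alerted_flows]
    return {
        "requests": len(requests),
        "alerts": len(alerts),
        "alerted_flows": len(alerted_flows),
        "unmatched": unmatched,
    }


def main():
    report = compare_alerts_to_requests(SAMPLE_FAST_LOG, SAMPLE_REQUESTS, 1000001)
    print("requests in capture : %d" % report["requests"])
    print("alert lines for sid : %d" % report["alerts"])
    print("flows with an alert : %d" % report["alerted_flows"])
    for src, sport, dst, dport, host, uri in report["unmatched"]:
        print("NO ALERT: %s:%d -> %s:%d  Host: %s  %s" % (src, sport, dst, dport, host, uri))


if __name__ == "__main__":
    main()
```

Run it against a real fast.log and a real request list by replacing the two constructed samples; any request printed with NO ALERT is a flow worth opening in Wireshark to see how it differs (for instance a connection that was already open when Suricata started, which it cannot see the beginning of).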