[Oisf-users] Suricata 1.4 simple alert rule, first visit to website not triggering an alert

Peter Manev petermanev at gmail.com
Thu Jan 10 20:03:16 UTC 2013


Hi,

What happens if you stop suricata right after the first visit - would it
show an alert?
What happens if you run the pcap from wireshark through suricata? would the
number of alerts match?

thanks

On Thu, Jan 10, 2013 at 8:57 PM, Vincent Fang <vincent.y.fang at gmail.com> wrote:

> I'm just trying to test out a simple rule where a visit to the website
> www.businessweek.com triggers an alert
>
> Using nslookup on my side shows the ip address to be
>
> 207.86.164.88
> 207.86.164.98
>
> so based on that info I created a new rule file called http-test.rules
> which contains one line
>
> alert http any any -> 207.86.164.0/24 any (msg:"visiting businessweek"; sid:1000001; rev:1;)
>
> I then modify the suricata.yaml file and comment out all the other rules
> except my one rule just so I don't get spammed with all sorts of alerts. I
> start up the engine like so
>
> suricata -c /pathtoyaml/suricata.yaml -i eth0
>
> and I check the logs directory to see that they're all at the initial
> state with fast.log at 0 bytes and http.log at 0 bytes
>
> I also have wireshark running capturing packets on eth0 with the display
> filter set at
> http && ip.dst == 207.86.164.0/24
>
> With suricata and wireshark running, I start up google-chrome and visit
> the webpage www.businessweek.com
>
> Wireshark shows packets coming through that match but suricata shows no
> alerts being triggered on the first visit. However, if I click on a link
> within the businessweek webpage, things start popping up in the fast.log
> with my custom alert rule with more packets being displayed in wireshark as
> well.
>
> I've restarted this test multiple times and tried out a different website
> as well, and the result is the same that the first visit to the website
> does not trigger an alert, but subsequent visits to it do, so I'm not sure
> if I'm doing something wrong or not understanding how the http traffic
> works.
>
> I'm running Suricata 1.4 on Fedora 17.
>
> Vince
>
>
>
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> OISF: http://www.openinfosecfoundation.org/
>



-- 
Regards,
Peter Manev
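The following is an added example, not code from either poster or from the Suricata project. It wires up the two things discussed in the thread: a rules file for the "visit to businessweek" test (with the sid every Suricata rule needs, plus a second rule that matches on the HTTP Host header rather than on the destination network), and the offline replay Peter suggests, running the Wireshark capture through `suricata -r` and counting alerts per sid and per flow so the numbers can be compared with the HTTP requests in the pcap. The file names (`businessweek.pcap`, `http-test.rules`, `out/`), the local sid values, and the sample fast.log lines used for the self-check are assumptions constructed for the example; the `-s` flag loads the rule file in addition to whatever the yaml references, which in the post is nothing because the other rule files are commented out.

```shell
#!/bin/sh
# Added example: minimal rules file, offline pcap replay, and alert counting
# for the test described in the thread. Not the thread's own code.
# Assumed names: suricata.yaml, http-test.rules, businessweek.pcap, ./out

# Write the rule file. Every rule needs a unique sid; rev is good practice.
# The second rule keys on the Host header, so it still fires if the site
# is served from an address outside 207.86.164.0/24 (assumed local sids).
write_rules() {
    cat > "$1" <<'EOF'
alert http any any -> 207.86.164.0/24 any (msg:"visiting businessweek (by dst net)"; sid:1000001; rev:1;)
alert http any any -> any any (msg:"visiting businessweek (by Host header)"; content:"businessweek.com"; http_host; sid:1000002; rev:1;)
EOF
}

# Replay a pcap through Suricata offline (-r) with the same yaml used live;
# -s adds the rule file, -l sets the log directory (fast.log, http.log).
replay_pcap() {
    suricata -c "$1" -s "$2" -r "$3" -l "$4"
}

# Number of HTTP requests to the destination net in the pcap, per tshark
# (the CLI form of the Wireshark filter in the post). Compare with count_alerts.
count_http_requests() {
    tshark -r "$1" -Y 'http.request && ip.dst == 207.86.164.0/24' | wc -l | tr -d ' '
}

# Count alerts for one sid in a fast.log. Lines look like:
#   01/10/2013-20:03:16.100000  [**] [1:1000001:1] msg [**] ... {TCP} SRC:PORT -> DST:PORT
# grep -c prints 0 but exits 1 on no match, hence the || true.
count_alerts() {
    grep -c "\[1:$2:" "$1" || true
}

# Count distinct flows (src -> dst, with ports) that alerted for one sid.
# A page load over one keep-alive connection shows as one flow, many alerts.
count_alert_flows() {
    grep "\[1:$2:" "$1" | awk '{print $(NF-2), $NF}' | sort -u | wc -l | tr -d ' '
}

# Constructed sample fast.log (not real Suricata output) for a self-check:
# three alerts for sid 1000001 spread over two flows, one for sid 1000002.
write_sample_fastlog() {
    cat > "$1" <<'EOF'
01/10/2013-20:03:16.100000  [**] [1:1000001:1] visiting businessweek (by dst net) [**] [Classification: (null)] [Priority: 3] {TCP} 192.168.1.10:51234 -> 207.86.164.88:80
01/10/2013-20:03:16.100000  [**] [1:1000002:1] visiting businessweek (by Host header) [**] [Classification: (null)] [Priority: 3] {TCP} 192.168.1.10:51234 -> 207.86.164.88:80
01/10/2013-20:03:16.300000  [**] [1:1000001:1] visiting businessweek (by dst net) [**] [Classification: (null)] [Priority: 3] {TCP} 192.168.1.10:51234 -> 207.86.164.88:80
01/10/2013-20:03:17.000000  [**] [1:1000001:1] visiting businessweek (by dst net) [**] [Classification: (null)] [Priority: 3] {TCP} 192.168.1.10:51235 -> 207.86.164.98:80
EOF
}

# Usage: sh replay-test.sh run   (needs suricata and tshark on PATH)
if [ "${1:-}" = "run" ]; then
    write_rules http-test.rules
    replay_pcap suricata.yaml http-test.rules businessweek.pcap out
    echo "HTTP requests in pcap:    $(count_http_requests businessweek.pcap)"
    echo "alerts for sid 1000001:   $(count_alerts out/fast.log 1000001)"
    echo "flows alerting 1000001:   $(count_alert_flows out/fast.log 1000001)"
    echo "alerts for sid 1000002:   $(count_alerts out/fast.log 1000002)"
fi
```

If the replayed capture yields the same alert count as the live run (alerts only from the second page load), the missing first-visit alert is a property of the traffic or the rule rather than of the live capture setup; if the offline replay alerts on every request, the live run is dropping or mis-tracking the first flow. Comparing the Host-header rule with the destination-net rule also shows whether the first visit went to an address outside the /24.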

