[Oisf-users] Suricata 1.4 simple alert rule, first visit to website not triggering an alert
rmkml
rmkml at yahoo.fr
Thu Jan 10 20:16:44 UTC 2013
Hi Vincent and Peter,
Do you have the same problem with a basic wget (or curl or fetch) web command line, please?
Can you try after removing all cache in the Firefox config, please?
Can you try setting "checksum_validation:" to no in the Suricata config, please?
Do you have the same problem if you record the network with Wireshark and replay the file on Suricata, please?
Regards
Rmkml
On Thu, 10 Jan 2013, Peter Manev wrote:
> Hi,
>
> What happens if after the first visit you stop suricata, right after the first visit - would it show an alert?
> What happens if you run the pcap from wireshark through suricata? would the number of alerts match?
>
> thanks
>
> On Thu, Jan 10, 2013 at 8:57 PM, Vincent Fang <vincent.y.fang at gmail.com> wrote:
> > I'm just trying to test out a simple rule where a visit to the website www.businessweek.com triggers an alert.
> > Using nslookup on my side shows the IP addresses to be
> >
> > 207.86.164.88
> > 207.86.164.98
> >
> > so based on that info I created a new rule file called http-test.rules
> > which contains one line
> >
> > # sid and rev added: Suricata needs a unique sid to load a rule (1000001 is an assumed local id)
> > alert http any any -> 207.86.164.0/24 any (msg:"visiting businessweek"; sid:1000001; rev:1;)
> >
> > I then modify the suricata.yaml file and comment out all the other rules except my one rule, just so I don't get spammed with all sorts of alerts. I start up the engine like so
> >
> > suricata -c /pathtoyaml/suricata.yaml -i eth0
> >
> > and I check the logs directory to see that they're all in the initial state, with fast.log at 0 bytes and http.log at 0 bytes.
> >
> > I also have Wireshark running capturing packets on eth0 with the display filter set to
> > http && ip.dst == 207.86.164.0/24
> >
> > With Suricata and Wireshark running, I start up google-chrome and visit the webpage www.businessweek.com.
> >
> > Wireshark shows packets coming through that match, but Suricata shows no alerts being triggered on the first visit. However, if I click on a link within the businessweek webpage, things start popping up in the fast.log with my custom alert rule, with more packets being displayed in Wireshark as well.
> >
> > I've restarted this test multiple times and tried out a different website as well, and the result is the same: the first visit to the website does not trigger an alert, but subsequent visits to it do, so I'm not sure if I'm doing something wrong or not understanding how the HTTP traffic works.
> >
> > I'm running Suricata 1.4 on Fedora 17.
> >
> > Vince
> >
>
> --
> Regards,
> Peter Manev
>
>
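Both replies above suggest the same check: save the browser visit as a pcap in Wireshark, replay it through Suricata, and compare the number of alerts with the number of matching packets. The script below is an added example (not from this thread and not Suricata project code) that does the replay and counts the alerts one rule produced in fast.log. The suricata.yaml path, the pcap, the log directory and the rule id 1000001 are assumed values, and the sample fast.log it counts is constructed to stand in for the output of a real replay.

```shell
#!/bin/sh
# Added example: replay a capture through Suricata and count the fast.log
# alerts of one rule, filtered to the same /24 as the Wireshark display filter.
# Assumed (hypothetical) values: CONF, PCAP, LOGDIR and the local sid 1000001.

WORK=$(mktemp -d)
RULES="$WORK/http-test.rules"
SAMPLE_LOG="$WORK/fast.log"
CONF=${CONF:-/etc/suricata/suricata.yaml}   # assumed path to the test config
PCAP=${PCAP:-}                                # set to a capture saved from Wireshark
LOGDIR=${LOGDIR:-$WORK/logs}

# The thread's test rule, with the sid/rev a loadable rule needs.
cat > "$RULES" <<'EOF'
alert http any any -> 207.86.164.0/24 any (msg:"visiting businessweek"; sid:1000001; rev:1;)
EOF

# Replay a pcap offline: -r reads the file, -S loads only our rules file
# (use -s instead to add it to the rules listed in suricata.yaml), -l sets the log dir.
replay_pcap() {
    conf=$1; pcap=$2; logdir=$3
    suricata -c "$conf" -S "$RULES" -r "$pcap" -l "$logdir"
}

# Count fast.log alerts for one sid whose destination lies in a /24,
# given as its first three octets (e.g. 207.86.164). Prints the count.
# fast.log line shape:
#   <ts>  [**] [gid:sid:rev] msg [**] [Classification: ...] [Priority: N] {TCP} src:port -> dst:port
count_rule_alerts() {
    log=$1; sid=$2; net24=$3
    dot=$(printf '%s' "$net24" | sed 's/\./\\./g')
    grep -E "\[1:$sid:[0-9]+\]" "$log" \
        | grep -cE -e "-> $dot\.[0-9]+:[0-9]+\$" || true
}

# Constructed sample fast.log (not real Suricata output): two alerts from the
# test rule to hosts in 207.86.164.0/24 and one alert from an unrelated rule.
cat > "$SAMPLE_LOG" <<'EOF'
01/10/2013-20:01:02.123456  [**] [1:1000001:1] visiting businessweek [**] [Classification: (null)] [Priority: 3] {TCP} 192.168.1.10:51234 -> 207.86.164.88:80
01/10/2013-20:01:02.223456  [**] [1:1000002:1] other test rule [**] [Classification: (null)] [Priority: 3] {TCP} 207.86.164.88:80 -> 192.168.1.10:51234
01/10/2013-20:01:03.323456  [**] [1:1000001:1] visiting businessweek [**] [Classification: (null)] [Priority: 3] {TCP} 192.168.1.10:51235 -> 207.86.164.98:80
EOF

count_rule_alerts "$SAMPLE_LOG" 1000001 207.86.164   # prints 2 for the constructed log

# Real replay, only when a capture was given and suricata is installed.
if [ -n "$PCAP" ] && command -v suricata >/dev/null 2>&1; then
    mkdir -p "$LOGDIR"
    replay_pcap "$CONF" "$PCAP" "$LOGDIR"
    count_rule_alerts "$LOGDIR/fast.log" 1000001 207.86.164
fi
```

The count keys on the sid rather than the msg text, so editing the message later does not break the check, and the destination filter mirrors the Wireshark display filter `ip.dst == 207.86.164.0/24`. If the replayed pcap yields the same number of alerts as matching HTTP requests in Wireshark, the live run was the problem; if the replay also misses the first visit, the rule or its HTTP matching is.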