[Oisf-users] Fwd: Suricata 1.4 simple alert rule, first visit to website not triggering an alert

Vincent Fang vincent.y.fang at gmail.com
Thu Jan 10 21:23:39 UTC 2013


---------- Forwarded message ----------
From: Vincent Fang <vincent.y.fang at gmail.com>
Date: Thu, Jan 10, 2013 at 4:20 PM
Subject: Re: [Oisf-users] Suricata 1.4 simple alert rule, first visit to
website not triggering an alert
To: Eoin Miller <eoin.miller at trojanedbinaries.com>


Response to Peter Manav:

Immediately after the first visit when I stop suricata, the logs stay the
same with fast.log being at 0 bytes with no alerts along with unified2. A
weird thing I'm noticing is that the http.log is also at 0 bytes, even
though I see GET requests being made and passing through Wireshark.

I then saved the pcap file called businessweek from Wireshark and cleared
the logs again and ran suricata in offline pcap mode with the following
command:

suricata -c /pathtoyaml/suricata.yaml -r /pathtopcap/businessweek

and the resulting logs were the same: 0 bytes in the fast.log and 0 bytes
in the http.log.

Response to rmkml:

I tried with wget and the same situation occurs, with the fast.log
being 0. I also tried clearing the Google cache and restarting the test
again, and the same result occurred. I switched browsers to Firefox and
cleared the cache, however, and alerts started popping up in the fast.log,
but only if I cleared the cache after already visiting the webpage once;
otherwise fast.log would never populate.

The thing that confuses me is what am I seeing in Wireshark if it sees HTTP
packets matching the destination IP address? Or is it because it's all running
on a local box that a special scenario occurs?


Response to Eoin Miller:

Changing the rule to tcp did not affect the outcome, and Wireshark didn't
match the filter:
tcp && ip.dst == 207.86.164.0/24


So it looks like I get the correct results with Firefox if the cache is
cleared, but what exactly is going on if I see matching HTTP packets in
Wireshark with the matching IP destination?



On Thu, Jan 10, 2013 at 3:34 PM, Eoin Miller <
eoin.miller at trojanedbinaries.com> wrote:

> On 1/10/2013 19:57, Vincent Fang wrote:
> >
> > alert http any any -> 207.86.164.0/24 any (msg: "visiting businessweek")
>
> Maybe try alert tcp instead of alert http.
>
> -- Eoin
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> OISF: http://www.openinfosecfoundation.org/
>
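As an added illustration, not part of this thread or of Suricata itself: the offline replay described above (suricata -r on the saved pcap) produced no alerts even though Wireshark showed matching packets, and one cheap thing to check in such a capture is whether each TCP flow to the rule's destination network includes its SYN, since a flow picked up midstream (handshake not captured) may never be tracked by the stream engine or handed to the HTTP parser. The script below lists those flows and whether their SYN was seen; the client IPs, ports and the embedded pcap are constructed test data, and only the 207.86.164.0/24 network comes from the rule in the thread.

```python
import ipaddress
import struct
from collections import defaultdict

RULE_NET = ipaddress.ip_network("207.86.164.0/24")  # destination network of the rule in the thread

def tcp_frame(src, dst, sport, dport, flags):
    """Constructed Ethernet/IPv4/TCP frame, no payload, zeroed checksums (test data only)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp

def build_pcap(frames):
    """Wrap frames in a minimal little-endian pcap file (linktype 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1357856400 + i, 0, len(frame), len(frame)) + frame
    return out

def flows_to_network(pcap, net=RULE_NET):
    """Map each TCP flow with a destination in `net` to its packet count and whether its SYN was captured."""
    endian = "<" if pcap[:4] == b"\xd4\xc3\xb2\xa1" else ">"
    flows = defaultdict(lambda: {"packets": 0, "syn_seen": False})
    off = 24  # skip the pcap global header
    while off + 16 <= len(pcap):
        incl = struct.unpack(endian + "IIII", pcap[off:off + 16])[2]
        frame = pcap[off + 16:off + 16 + incl]
        off += 16 + incl
        if len(frame) < 54 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue  # only IPv4 over Ethernet carrying TCP
        dst = ipaddress.ip_address(frame[30:34])
        if dst not in net:
            continue  # the rule matches on destination, so only client -> server packets count
        tcp = frame[14 + (frame[14] & 0x0F) * 4:]
        sport, dport = struct.unpack("!HH", tcp[:4])
        f = flows[(str(ipaddress.ip_address(frame[26:30])), str(dst), sport, dport)]
        f["packets"] += 1
        f["syn_seen"] |= bool(tcp[13] & 0x02)  # SYN flag: the handshake was in the capture
    return dict(flows)

# Constructed capture: one complete flow (SYN, ACK, PSH/ACK), one seen midstream (no SYN),
# and one to a host outside the rule's network, which is ignored.
SAMPLE_PCAP = build_pcap([
    tcp_frame("192.168.1.10", "207.86.164.30", 51234, 80, 0x02),
    tcp_frame("192.168.1.10", "207.86.164.30", 51234, 80, 0x10),
    tcp_frame("192.168.1.10", "207.86.164.30", 51234, 80, 0x18),
    tcp_frame("192.168.1.10", "207.86.164.30", 51235, 80, 0x18),
    tcp_frame("192.168.1.10", "93.184.216.34", 51236, 80, 0x02),
])
```

Point flows_to_network at the bytes of a real capture saved from Wireshark (pcap, not pcapng) to see which flows to the rule's network lack a handshake.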