[Oisf-users] Suricata 1.4 simple alert rule, first visit to website not triggering an alert

Vincent Fang vincent.y.fang at gmail.com
Thu Jan 10 21:30:20 UTC 2013

Response to Peter Manav:

Immediately after the first visit when I stop suricata, the logs stay the
same with fast.log being at 0 bytes with no alerts along with unified2. A
weird thing I'm noticing is that the http.log is also at 0 bytes as well
even though I see get requests being made and passing through wireshark.

I then saved the pcap file called businessweek from wireshark and cleared
the logs again and ran suricata in offline pcap mode with the following
suricata -c /pathtoyaml/suricata.yaml -r /pathtopcap/businessweek

and the resulting logs were the same, 0 bytes in the fast.log and 0 bytes
in the http.log

Response to rmkml:

I tried with wget and the same situation occurs with with the fast.log
being 0. I also tried clearing the google cache and restarting the test
again, and the same result occurred. I switched browsers to firefox and
cleared the cache however, and alerts started popping up in the fast.log,
but only if I cleared the cached after already visiting the webpage once,
otherwise fast.log would never populate.

The thing that confuses me is what am I seeing in wireshark if it sees http
packets matching the destination ip address? Or because it's all running on
a local box, a special scenario occurs?

Response to Eoin Miller:

Changing the rule to tcp did not affect the outcome, and wiresharks didn't
match the filter
tcp && ip.dst ==

So it looks like I get the correct results with Firefox if the cache is
cleared, but what exactly is going on if I see matching http packets in
wireshark with the matching ip destination?

NOTE: Sorry for the spam, if someone could clean up the mail archive, I'm
not use to this mailing list.

On Thu, Jan 10, 2013 at 3:37 PM, Eoin Miller <
eoin.miller at trojanedbinaries.com> wrote:

> On 1/10/2013 20:34, Eoin Miller wrote:
> > On 1/10/2013 19:57, Vincent Fang wrote:
> >>
> >> alert http any any -> <> any
> (msg:
> >> "visiting businessweek")
> >
> > Maybe try alert tcp instead of alert http.
> >
> > -- Eoin
> alert ip might even be better.
> -- Eoin
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> OISF: http://www.openinfosecfoundation.org/
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20130110/2728d4f6/attachment-0002.html>

More information about the Oisf-users mailing list