[Oisf-users] Suricata 1.4 simple alert rule, first visit to website not triggering an alert

Anoop Saldanha anoopsaldanha at gmail.com
Fri Jan 11 03:53:07 UTC 2013


Have you checked the dst ip is the same as the one specified in your
rule?  With load-balancing the dns can resolve to different ip
addresses.

On Fri, Jan 11, 2013 at 3:00 AM, Vincent Fang <vincent.y.fang at gmail.com> wrote:
> Response to Peter Manav:
>
> Immediately after the first visit when I stop suricata, the logs stay the
> same with fast.log being at 0 bytes with no alerts along with unified2. A
> weird thing I'm noticing is that the http.log is also at 0 bytes as well
> even though I see get requests being made and passing through wireshark.
>
> I then saved the pcap file called businessweek from wireshark and cleared
> the logs again and ran suricata in offline pcap mode with the following
> command
> suricata -c /pathtoyaml/suricata.yaml -r /pathtopcap/businessweek
>
> and the resulting logs were the same, 0 bytes in the fast.log and 0 bytes in
> the http.log
>
> Response to rmkml:
>
> I tried with wget and the same situation occurs with the fast.log being
> 0. I also tried clearing the google cache and restarting the test again, and
> the same result occurred. I switched browsers to firefox and cleared the
> cache however, and alerts started popping up in the fast.log, but only if I
> cleared the cache after already visiting the webpage once, otherwise
> fast.log would never populate.
>
> The thing that confuses me is what am I seeing in wireshark if it sees http
> packets matching the destination ip address? Or because it's all running on
> a local box, a special scenario occurs?
>
>
> Response to Eoin Miller:
>
> Changing the rule to tcp did not affect the outcome, and wireshark didn't
> match the filter
> tcp && ip.dst == 207.86.164.0/24
>
>
> So it looks like I get the correct results with Firefox if the cache is
> cleared, but what exactly is going on if I see matching http packets in
> wireshark with the matching ip destination?
>
>
>
> NOTE: Sorry for the spam, if someone could clean up the mail archive, I'm
> not used to this mailing list.
>
>
> On Thu, Jan 10, 2013 at 3:37 PM, Eoin Miller
> <eoin.miller at trojanedbinaries.com> wrote:
>>
>> On 1/10/2013 20:34, Eoin Miller wrote:
>> > On 1/10/2013 19:57, Vincent Fang wrote:
>> >>
>> >> alert http any any -> 207.86.164.0/24 any (msg:"visiting businessweek")
>> >
>> > Maybe try alert tcp instead of alert http.
>> >
>> > -- Eoin
>>
>> alert ip might even be better.
>>
>> -- Eoin
>>
>>
>>
>> _______________________________________________
>> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
>> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>> OISF: http://www.openinfosecfoundation.org/
>
>
>



-- 
Anoop Saldanha
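The diagnostic Anoop suggests, checking whether the destinations actually seen in the capture fall inside the rule's destination address group, as an added example (not code from the thread or from Suricata). The rule is the one quoted above; the observed destination IPs are constructed sample values, and the address-group evaluator covers flat Suricata address syntax only (any, single IP, CIDR, `!` negation, one level of `[a,b,!c]` lists), not variables like $HOME_NET or nested lists.

```python
"""Check observed destination IPs against a Suricata rule's destination
address group. Added example; sample flow data below is constructed."""
import ipaddress
import re

RULE = 'alert http any any -> 207.86.164.0/24 any (msg:"visiting businessweek";)'

# Constructed sample of destination IPs taken from a capture (not real data):
# a load-balanced name may resolve to hosts outside the rule's /24.
OBSERVED_DST = ["207.86.164.12", "207.86.165.7", "209.85.227.99", "207.86.164.200"]

HEADER_RE = re.compile(r"^\s*\w+\s+\w+\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\(")


def parse_dst_group(rule):
    """Return the destination address group from a rule header, e.g. '207.86.164.0/24'."""
    m = HEADER_RE.match(rule)
    if not m:
        raise ValueError("not a Suricata rule header")
    return m.group(4)


def address_group_matches(group, ip):
    """Evaluate a flat Suricata address group (any, 1.2.3.4, 10.0.0.0/8, !x, [a,b,!c]) against ip."""
    addr = ipaddress.ip_address(ip)
    group = group.strip()
    if group.startswith("!"):
        return not address_group_matches(group[1:], ip)
    if group == "any":
        return True
    if group.startswith("[") and group.endswith("]"):
        parts = [p.strip() for p in group[1:-1].split(",") if p.strip()]
        positives = [p for p in parts if not p.startswith("!")]
        negatives = [p[1:] for p in parts if p.startswith("!")]
        # A list with only negations means "everything except the negated ranges".
        in_pos = not positives or any(address_group_matches(p, ip) for p in positives)
        in_neg = any(address_group_matches(n, ip) for n in negatives)
        return in_pos and not in_neg
    return addr in ipaddress.ip_network(group, strict=False)


def check_flows(rule, dst_ips):
    """Map each observed destination IP to whether the rule's dst group covers it."""
    group = parse_dst_group(rule)
    return {ip: address_group_matches(group, ip) for ip in dst_ips}


if __name__ == "__main__":
    for ip, hit in check_flows(RULE, OBSERVED_DST).items():
        print(f"{ip:16} {'covered by rule dst' if hit else 'OUTSIDE rule dst'}")
```

Any destination reported as outside the rule's group is a flow the rule can never alert on, however many HTTP packets Wireshark shows going there.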


