[Oisf-users] app layer protocol issues
Dan Murphy
dmurphy at defense.net
Thu Jul 25 05:11:21 UTC 2013
I'm testing a build of 1.4.4 (with napatech support) and it seems like none
of the app layer protocols are working. My ip / tcp rules alert just fine.
I also have zero byte http and tls logs despite them both being enabled, so
I think it's a bit deeper than a rule misconfiguration; nonetheless I'll put
an example below. Has anyone seen this type of behavior before?
Here are sample rules:
alert http any any -> $VIPS_NET any (msg:"Test HTTP"; content:"scarlett"; http_header; nocase; classtype:policy-violation; sid:1; rev:1;) # Never alerts
alert tcp any any -> $VIPS_NET any (msg:"Test TCP"; content:"scarlett"; nocase; classtype:policy-violation; sid:2; rev:1;) # Always alerts
Here is the GET request:
--request begin---
GET /stuff/index.html HTTP/1.0
User-Agent: scarlett
Accept: */*
Host: blah.myserver.com
Connection: Keep-Alive
This is Suricata version 1.4.4 RELEASE
BUILD INFO
This is Suricata version 1.4.4 RELEASE
Features: PCAP_SET_BUFF LIBPCAP_VERSION_MAJOR=1 AF_PACKET
HAVE_PACKET_FANOUT LIBCAP_NG LIBNET1.1 HAVE_HTP_URI_NORMALIZE_HOOK
HAVE_HTP_TX_GET_RESPONSE_HEADERS_RAW PCRE_JIT HAVE_LUAJIT HAVE_LIBJANSSON
64-bits, Little-endian architecture
GCC version 4.4.7 20120313 (Red Hat 4.4.7-3), C version 199901
__GCC_HAVE_SYNC_COMPARE_AND_SWAP_1
__GCC_HAVE_SYNC_COMPARE_AND_SWAP_2
__GCC_HAVE_SYNC_COMPARE_AND_SWAP_4
__GCC_HAVE_SYNC_COMPARE_AND_SWAP_8
__GCC_HAVE_SYNC_COMPARE_AND_SWAP_16
compiled with libhtp 0.2.14, linked against 0.2.14
Suricata Configuration:
AF_PACKET support: yes
PF_RING support: no
NFQueue support: no
IPFW support: no
DAG enabled: no
Napatech enabled: yes
Unix socket enabled: yes
libnss support: no
libnspr support: no
libjansson support: yes
Prelude support: no
PCRE jit: yes
libluajit: yes
libgeoip: yes
Non-bundled htp: no
Old barnyard2 support: no
CUDA enabled: no
Suricatasc install: yes
Unit tests enabled: no
Debug output enabled: no
Debug validation enabled: no
Profiling enabled: no
Profiling locks enabled: no
Generic build parameters:
Installation prefix (--prefix): /opt/suricata
Configuration directory (--sysconfdir): /opt/suricata/etc/suricata/
Log directory (--localstatedir) : /opt/suricata/var/log/suricata/
Host: x86_64-unknown-linux-gnu
GCC binary: gcc
GCC Protect enabled: no
GCC march native enabled: yes
GCC Profile enabled: no
=========Supported App Layer Protocols=========
http
ftp
smtp
tls
ssh
imap
msn
smb
smb2
dcerpc
dcerpcudp
=====
Thanks,
Dan
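To make the difference between the two sample rules concrete, here is an added Python model of how they are evaluated; it is not Suricata's code and not part of the original post. It assumes a toy parser (parse_http_request) standing in for libhtp, and shows that the http_header rule (sid:1) can only fire once an HTTP transaction has been parsed, while the raw tcp content rule (sid:2) matches the payload regardless, which is exactly the symptom described above when the app layer is not running on a packet source.

```python
# Simplified model (added illustration, not Suricata's code): Suricata's
# http_header buffer only exists once the HTTP app-layer parser (libhtp) has
# produced a transaction; a plain tcp content match inspects raw payload.

# The GET request from the post, reconstructed with CRLF line endings.
REQUEST = (
    "GET /stuff/index.html HTTP/1.0\r\n"
    "User-Agent: scarlett\r\n"
    "Accept: */*\r\n"
    "Host: blah.myserver.com\r\n"
    "Connection: Keep-Alive\r\n"
    "\r\n"
)


def parse_http_request(payload: str):
    """Toy stand-in for the app-layer parser (assumption, not libhtp).
    Returns the header block that http_header would inspect, or None when the
    payload is not a complete, parseable HTTP request (no transaction yet)."""
    head, sep, _body = payload.partition("\r\n\r\n")
    if not sep:
        return None  # request not complete: no transaction
    lines = head.split("\r\n")
    method, _, rest = lines[0].partition(" ")
    if method not in {"GET", "POST", "HEAD"} or " HTTP/" not in rest:
        return None  # request line not recognised as HTTP
    return "\r\n".join(lines[1:]) + "\r\n"


def http_header_rule_matches(payload: str, needle: str, app_layer_enabled: bool) -> bool:
    """sid:1 -- content:"scarlett"; http_header; nocase. Needs a parsed tx."""
    if not app_layer_enabled:
        return False  # no HTTP tx -> no http_header buffer -> nothing to inspect
    headers = parse_http_request(payload)
    return headers is not None and needle.lower() in headers.lower()


def tcp_rule_matches(payload: str, needle: str) -> bool:
    """sid:2 -- content:"scarlett"; nocase. Raw payload match, parser not needed."""
    return needle.lower() in payload.lower()


def evaluate(app_layer_enabled: bool) -> dict:
    """Report which of the two sample rules fire on the posted request."""
    return {
        "sid1_http": http_header_rule_matches(REQUEST, "scarlett", app_layer_enabled),
        "sid2_tcp": tcp_rule_matches(REQUEST, "scarlett"),
    }
```

evaluate(False) reproduces the post's observation (only sid:2 fires), which is why empty http/tls logs alongside working tcp rules point at the app-layer parser rather than at the rules.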