[Oisf-users] app layer protocol issues
Anoop Saldanha
anoopsaldanha at gmail.com
Thu Jul 25 06:15:14 UTC 2013
On Thu, Jul 25, 2013 at 10:41 AM, Dan Murphy <dmurphy at defense.net> wrote:
> I'm testing a build of 1.4.4 (with napatech support) and it seems like none
> of the app layer protocols are working. My ip / tcp rules alert just fine.
> I also have zero-byte http and tls logs despite them both being enabled, so I
> think it's a bit deeper than a rule misconfiguration; nonetheless, I'll put an
> example below. Has anyone seen this type of behavior before?
>
>
> Here are sample rules:
> alert http any any -> $VIPS_NET any (msg:"Test HTTP"; content:"scarlett";
> http_header; nocase; classtype:policy-violation; sid:1; rev:1;) # Never
> alerts
> alert tcp any any -> $VIPS_NET any (msg:"Test TCP"; content:"scarlett";
> nocase; classtype:policy-violation; sid:2; rev:1;) #
> Always alerts
>
> Here is the GET request:
> --request begin---
> GET /stuff/index.html HTTP/1.0
> User-Agent: scarlett
> Accept: */*
> Host: blah.myserver.com
> Connection: Keep-Alive
>
> This is Suricata version 1.4.4 RELEASE
>
> BUILD INFO
> This is Suricata version 1.4.4 RELEASE
> Features: PCAP_SET_BUFF LIBPCAP_VERSION_MAJOR=1 AF_PACKET HAVE_PACKET_FANOUT
> LIBCAP_NG LIBNET1.1 HAVE_HTP_URI_NORMALIZE_HOOK
> HAVE_HTP_TX_GET_RESPONSE_HEADERS_RAW PCRE_JIT HAVE_LUAJIT HAVE_LIBJANSSON
> 64-bits, Little-endian architecture
> GCC version 4.4.7 20120313 (Red Hat 4.4.7-3), C version 199901
> __GCC_HAVE_SYNC_COMPARE_AND_SWAP_1
> __GCC_HAVE_SYNC_COMPARE_AND_SWAP_2
> __GCC_HAVE_SYNC_COMPARE_AND_SWAP_4
> __GCC_HAVE_SYNC_COMPARE_AND_SWAP_8
> __GCC_HAVE_SYNC_COMPARE_AND_SWAP_16
> compiled with libhtp 0.2.14, linked against 0.2.14
> Suricata Configuration:
> AF_PACKET support: yes
> PF_RING support: no
> NFQueue support: no
> IPFW support: no
> DAG enabled: no
> Napatech enabled: yes
> Unix socket enabled: yes
>
> libnss support: no
> libnspr support: no
> libjansson support: yes
> Prelude support: no
> PCRE jit: yes
> libluajit: yes
> libgeoip: yes
> Non-bundled htp: no
> Old barnyard2 support: no
> CUDA enabled: no
>
> Suricatasc install: yes
>
> Unit tests enabled: no
> Debug output enabled: no
> Debug validation enabled: no
> Profiling enabled: no
> Profiling locks enabled: no
>
> Generic build parameters:
> Installation prefix (--prefix): /opt/suricata
> Configuration directory (--sysconfdir): /opt/suricata/etc/suricata/
> Log directory (--localstatedir) : /opt/suricata/var/log/suricata/
>
> Host: x86_64-unknown-linux-gnu
> GCC binary: gcc
> GCC Protect enabled: no
> GCC march native enabled: yes
> GCC Profile enabled: no
>
> =========Supported App Layer Protocols=========
> http
> ftp
> smtp
> tls
> ssh
> imap
> msn
> smb
> smb2
> dcerpc
> dcerpcudp
> =====
Can you verify if this solves it for you? -
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Frequently_Asked_Questions
--
-------------------------------
Anoop Saldanha
http://www.poona.me
-------------------------------
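The symptom in the thread, a raw `alert tcp ... content:` rule that fires while the matching `alert http ... content: ...; http_header;` rule stays silent and the http/tls logs stay empty, is what you see when the application-layer parser never produces its buffers. The following is an added example, not code from the post or from Suricata: a toy model of the two rule shapes run over the posted GET request (reconstructed here with CRLF line endings). The `http_header` buffer layout (header fields only, no request line) and the substring-based `content:` match are simplifying assumptions, not Suricata's detection engine.

```python
# Added example (not from the mailing-list post or from Suricata): a toy model
# of the two buffers the rules in the thread inspect, the raw TCP payload and a
# reconstructed HTTP header block, and of what happens to each when the
# application-layer parser has nothing to offer.

from typing import Dict, List, Tuple

# Constructed input: the GET request from the original post, with CRLF line
# endings and the blank line that terminates the header block.
REQUEST = (
    b"GET /stuff/index.html HTTP/1.0\r\n"
    b"User-Agent: scarlett\r\n"
    b"Accept: */*\r\n"
    b"Host: blah.myserver.com\r\n"
    b"Connection: Keep-Alive\r\n"
    b"\r\n"
)


def parse_request(raw: bytes) -> Tuple[bytes, List[Tuple[bytes, bytes]]]:
    """Split a raw HTTP/1.x request into its request line and header fields.

    Raises ValueError if the header block is not terminated, which is the
    state an application-layer parser is in while a request is incomplete.
    """
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete request: no end of headers seen")
    lines = head.split(b"\r\n")
    request_line, header_lines = lines[0], lines[1:]
    headers = []
    for line in header_lines:
        name, colon, value = line.partition(b":")
        if not colon:
            raise ValueError("malformed header line: %r" % line)
        headers.append((name.strip(), value.strip()))
    return request_line, headers


def http_header_buffer(raw: bytes) -> bytes:
    """Approximate the buffer an http_header content match inspects: the
    header fields only, not the request line. This layout is an assumption
    made for the example; see Suricata's rule docs for the exact buffer."""
    _request_line, headers = parse_request(raw)
    return b"".join(name + b": " + value + b"\r\n" for name, value in headers)


def tcp_payload_buffer(raw: bytes) -> bytes:
    """The buffer an 'alert tcp ... content:' match inspects: the raw segment
    payload, with no protocol parsing at all."""
    return raw


def content_match(buffer: bytes, pattern: bytes, nocase: bool = False) -> bool:
    """Simplified 'content:' keyword: a substring search, optionally nocase."""
    if nocase:
        return pattern.lower() in buffer.lower()
    return pattern in buffer


def evaluate_rules(raw: bytes, pattern: bytes) -> Dict[str, bool]:
    """Run the two rule shapes from the thread (both with nocase) over one
    request and report which buffer the pattern is found in."""
    result = {
        "tcp_content": content_match(tcp_payload_buffer(raw), pattern, nocase=True)
    }
    try:
        result["http_header"] = content_match(
            http_header_buffer(raw), pattern, nocase=True
        )
    except ValueError:
        # No header buffer could be built, so a rule that depends on it cannot
        # fire even though the raw bytes contain the pattern: the tcp rule
        # alerts, the http rule does not, and nothing reaches http.log.
        result["http_header"] = False
    return result


if __name__ == "__main__":
    print(evaluate_rules(REQUEST, b"scarlett"))
    print(evaluate_rules(REQUEST, b"GET /stuff"))
    print(evaluate_rules(REQUEST.split(b"\r\n\r\n")[0], b"scarlett"))
```

On the complete request both buffers contain `scarlett`, so both rules should alert; `GET /stuff` is found only in the raw payload because the request line is outside the header buffer; and on a request the parser cannot finish, only the tcp rule fires, which is the pattern Dan reports. If a real sensor shows that pattern on well-formed traffic, the parser is not being fed at all, and the place to look is the stream and app-layer configuration rather than the rules.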