[Oisf-users] app layer protocol issues
Dan Murphy
dmurphy at defense.net
Thu Jul 25 06:42:16 UTC 2013
No invalid checksums detected. To verify further I disabled it in the
suricata.yaml and tested again and still not functioning.
On Thu, Jul 25, 2013 at 2:15 AM, Anoop Saldanha <anoopsaldanha at gmail.com>wrote:
> On Thu, Jul 25, 2013 at 10:41 AM, Dan Murphy <dmurphy at defense.net> wrote:
> > I'm testing a build of 1.4.4 (with napatech support) and it seems like none
> > of the app layer protocols are working. My ip / tcp rules alert just fine.
> > I also have zero byte http and tls logs despite them both being enabled, so I
> > think it's a bit deeper than a rule misconfiguration; nonetheless, I'll put an
> > example below. Has anyone seen this type of behavior before?
> >
> >
> > Here are sample rules:
> > alert http any any -> $VIPS_NET any (msg:"Test HTTP"; content:"scarlett";
> > http_header; nocase; classtype:policy-violation; sid:1; rev:1;) # Never alerts
> > alert tcp any any -> $VIPS_NET any (msg:"Test TCP"; content:"scarlett";
> > nocase; classtype:policy-violation; sid:2; rev:1;) # Always alerts
> >
> > Here is the GET request:
> > --request begin---
> > GET /stuff/index.html HTTP/1.0
> > User-Agent: scarlett
> > Accept: */*
> > Host: blah.myserver.com
> > Connection: Keep-Alive
> >
> >
> >
> >
> >
> > This is Suricata version 1.4.4 RELEASE
> >
> > BUILD INFO
> > This is Suricata version 1.4.4 RELEASE
> > Features: PCAP_SET_BUFF LIBPCAP_VERSION_MAJOR=1 AF_PACKET HAVE_PACKET_FANOUT
> > LIBCAP_NG LIBNET1.1 HAVE_HTP_URI_NORMALIZE_HOOK
> > HAVE_HTP_TX_GET_RESPONSE_HEADERS_RAW PCRE_JIT HAVE_LUAJIT HAVE_LIBJANSSON
> > 64-bits, Little-endian architecture
> > GCC version 4.4.7 20120313 (Red Hat 4.4.7-3), C version 199901
> > __GCC_HAVE_SYNC_COMPARE_AND_SWAP_1
> > __GCC_HAVE_SYNC_COMPARE_AND_SWAP_2
> > __GCC_HAVE_SYNC_COMPARE_AND_SWAP_4
> > __GCC_HAVE_SYNC_COMPARE_AND_SWAP_8
> > __GCC_HAVE_SYNC_COMPARE_AND_SWAP_16
> > compiled with libhtp 0.2.14, linked against 0.2.14
> > Suricata Configuration:
> > AF_PACKET support: yes
> > PF_RING support: no
> > NFQueue support: no
> > IPFW support: no
> > DAG enabled: no
> > Napatech enabled: yes
> > Unix socket enabled: yes
> >
> > libnss support: no
> > libnspr support: no
> > libjansson support: yes
> > Prelude support: no
> > PCRE jit: yes
> > libluajit: yes
> > libgeoip: yes
> > Non-bundled htp: no
> > Old barnyard2 support: no
> > CUDA enabled: no
> >
> > Suricatasc install: yes
> >
> > Unit tests enabled: no
> > Debug output enabled: no
> > Debug validation enabled: no
> > Profiling enabled: no
> > Profiling locks enabled: no
> >
> > Generic build parameters:
> > Installation prefix (--prefix): /opt/suricata
> > Configuration directory (--sysconfdir): /opt/suricata/etc/suricata/
> > Log directory (--localstatedir) : /opt/suricata/var/log/suricata/
> >
> > Host: x86_64-unknown-linux-gnu
> > GCC binary: gcc
> > GCC Protect enabled: no
> > GCC march native enabled: yes
> > GCC Profile enabled: no
> >
> > =========Supported App Layer Protocols=========
> > http
> > ftp
> > smtp
> > tls
> > ssh
> > imap
> > msn
> > smb
> > smb2
> > dcerpc
> > dcerpcudp
> > =====
>
> Can you verify if this solves it for you? -
>
>
> https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Frequently_Asked_Questions
>
> --
> -------------------------------
> Anoop Saldanha
> http://www.poona.me
> -------------------------------
>
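The diagnosis the thread circles around is whether the captured TCP segments carry valid checksums: by default Suricata excludes segments that fail checksum validation from stream reassembly, so app-layer parsing (and hence `http_header` matches and the http/tls logs) never sees them, while a plain `tcp` content rule still fires on the raw payload. The following is an added example, not code from the thread or from Suricata, that verifies a TCP checksum the way a capture-side check would, using the GET request quoted above as a constructed payload, and approximates what the `http_header` + `nocase` rule inspects. The IP addresses, ports and sequence numbers are placeholders; the 20-byte header and the pseudo-header layout are the standard IPv4/TCP ones.

```python
import socket
import struct

# Constructed sample: the GET request quoted in the thread, as it would sit in a
# TCP payload (CRLF line endings, blank line terminating the headers).
HTTP_REQUEST = (
    b"GET /stuff/index.html HTTP/1.0\r\n"
    b"User-Agent: scarlett\r\n"
    b"Accept: */*\r\n"
    b"Host: blah.myserver.com\r\n"
    b"Connection: Keep-Alive\r\n"
    b"\r\n"
)

# Constructed endpoints (placeholders, not taken from the thread).
SRC_IP = socket.inet_aton("192.0.2.10")
DST_IP = socket.inet_aton("198.51.100.20")
SRC_PORT, DST_PORT = 51234, 80


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum used by the IP, TCP and UDP checksums."""
    if len(data) % 2:
        data += b"\x00"  # RFC 1071: pad an odd-length buffer with a zero byte
    total = 0
    for i in range(0, len(data), 2):
        total += (data[i] << 8) | data[i + 1]
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return total


def tcp_checksum(src_ip: bytes, dst_ip: bytes, segment: bytes) -> int:
    """Checksum over the IPv4 pseudo-header plus TCP header and payload.

    The caller passes the segment with its checksum field zeroed."""
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, socket.IPPROTO_TCP, len(segment))
    return (~ones_complement_sum(pseudo + segment)) & 0xFFFF


def tcp_segment(payload: bytes, checksum: int = 0) -> bytes:
    """Minimal 20-byte TCP header (PSH|ACK, no options) followed by payload."""
    header = struct.pack(
        "!HHIIBBHHH",
        SRC_PORT, DST_PORT,
        0x1000, 0x2000,   # seq / ack: arbitrary constructed values
        5 << 4,           # data offset = 5 words, no options
        0x18,             # flags: PSH | ACK
        65535,            # window
        checksum,
        0,                # urgent pointer
    )
    return header + payload


def build_valid_segment(payload: bytes) -> bytes:
    """Fill in a correct checksum, as the sending host's stack would."""
    unsummed = tcp_segment(payload, checksum=0)
    return tcp_segment(payload, checksum=tcp_checksum(SRC_IP, DST_IP, unsummed))


def verify_tcp_checksum(src_ip: bytes, dst_ip: bytes, segment: bytes) -> bool:
    """True when the stored checksum equals one recomputed over the segment."""
    stored = struct.unpack("!H", segment[16:18])[0]
    zeroed = segment[:16] + b"\x00\x00" + segment[18:]
    return tcp_checksum(src_ip, dst_ip, zeroed) == stored


def http_header_matches(payload: bytes, needle: bytes) -> bool:
    """Approximate Suricata's `http_header` buffer with `nocase`: search the
    request headers only (request line excluded), case-insensitively.
    Returns False while the header block is still incomplete."""
    head, sep, _body = payload.partition(b"\r\n\r\n")
    if not sep:
        return False
    headers = b"\r\n".join(head.split(b"\r\n")[1:])
    return needle.lower() in headers.lower()


GOOD_SEGMENT = build_valid_segment(HTTP_REQUEST)
# Checksum-offload style capture (constructed case): the field is still zero
# because the NIC had not filled it in when the copy was taken.
OFFLOADED_SEGMENT = tcp_segment(HTTP_REQUEST, checksum=0)

if __name__ == "__main__":
    for name, seg in (("good", GOOD_SEGMENT), ("offloaded", OFFLOADED_SEGMENT)):
        print(f"{name}: checksum valid = {verify_tcp_checksum(SRC_IP, DST_IP, seg)}")
    print("header has 'scarlett':", http_header_matches(HTTP_REQUEST, b"scarlett"))
    print("header has 'index.html':", http_header_matches(HTTP_REQUEST, b"index.html"))
```

Run against a real capture, the same `verify_tcp_checksum` logic applied to each segment tells you whether the sensor is seeing invalid checksums at all; if every segment verifies and the app-layer logs are still empty, the cause lies elsewhere than checksum validation, which is what the reply at the top of this thread reports.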