[Oisf-users] app layer protocol issues

Dan Murphy dmurphy at defense.net
Thu Jul 25 06:44:53 UTC 2013


In addition ... from looking at the console it looks like the rules load
properly.  Maybe there's something in there that's meaningful to someone
other than me?

24/7/2013 -- 23:43:38 - <Info> - IP reputation disabled
24/7/2013 -- 23:43:38 - <Info> - 1 rule files processed. 2 rules successfully loaded, 0 rules failed
24/7/2013 -- 23:43:38 - <Info> - 2 signatures processed. 0 are IP-only rules, 1 are inspecting packet payload, 1 inspect application layer, 0 are decoder event only
24/7/2013 -- 23:43:38 - <Info> - building signature grouping structure, stage 1: adding signatures to signature source addresses... complete
24/7/2013 -- 23:43:38 - <Info> - building signature grouping structure, stage 2: building source address list... complete
24/7/2013 -- 23:43:38 - <Info> - building signature grouping structure, stage 3: building destination address lists... complete
24/7/2013 -- 23:43:38 - <Info> - Threshold config parsed: 0 rule(s) found
24/7/2013 -- 23:43:38 - <Info> - Live rule swap has swapped 36 old det_ctx's with new ones, along with the new de_ctx
24/7/2013 -- 23:43:38 - <Info> - cleaning up signature grouping structure... complete



On Thu, Jul 25, 2013 at 2:42 AM, Dan Murphy <dmurphy at defense.net> wrote:

> No invalid checksums detected.  To verify further I disabled it in the
> suricata.yaml and tested again and still not functioning.
>
> On Thu, Jul 25, 2013 at 2:15 AM, Anoop Saldanha <anoopsaldanha at gmail.com> wrote:
>
>> On Thu, Jul 25, 2013 at 10:41 AM, Dan Murphy <dmurphy at defense.net> wrote:
>> > I'm testing a build of 1.4.4 (with napatech support) and it seems like none of the app layer protocols are working.  My ip / tcp rules alert just fine.
>> > I also have zero byte http and tls logs despite them both being enabled, so I think it's a bit deeper than a rule misconfiguration; nonetheless I'll put an example below.  Has anyone seen this type of behavior before?
>> >
>> >
>> > Here are sample rules:
>> > alert http any any -> $VIPS_NET any (msg:"Test HTTP"; content:"scarlett"; http_header; nocase; classtype:policy-violation; sid:1; rev:1;)  # Never alerts
>> > alert tcp any any -> $VIPS_NET any (msg:"Test TCP"; content:"scarlett"; nocase; classtype:policy-violation; sid:2; rev:1;)  # Always alerts
>> >
>> > Here is the GET request:
>> > --request begin---
>> > GET /stuff/index.html HTTP/1.0
>> > User-Agent: scarlett
>> > Accept: */*
>> > Host: blah.myserver.com
>> > Connection: Keep-Alive
>> >
>> > This is Suricata version 1.4.4 RELEASE
>> >
>> > BUILD INFO
>> > This is Suricata version 1.4.4 RELEASE
>> > Features: PCAP_SET_BUFF LIBPCAP_VERSION_MAJOR=1 AF_PACKET HAVE_PACKET_FANOUT LIBCAP_NG LIBNET1.1 HAVE_HTP_URI_NORMALIZE_HOOK HAVE_HTP_TX_GET_RESPONSE_HEADERS_RAW PCRE_JIT HAVE_LUAJIT HAVE_LIBJANSSON
>> > 64-bits, Little-endian architecture
>> > GCC version 4.4.7 20120313 (Red Hat 4.4.7-3), C version 199901
>> >   __GCC_HAVE_SYNC_COMPARE_AND_SWAP_1
>> >   __GCC_HAVE_SYNC_COMPARE_AND_SWAP_2
>> >   __GCC_HAVE_SYNC_COMPARE_AND_SWAP_4
>> >   __GCC_HAVE_SYNC_COMPARE_AND_SWAP_8
>> >   __GCC_HAVE_SYNC_COMPARE_AND_SWAP_16
>> > compiled with libhtp 0.2.14, linked against 0.2.14
>> > Suricata Configuration:
>> >   AF_PACKET support:                       yes
>> >   PF_RING support:                         no
>> >   NFQueue support:                         no
>> >   IPFW support:                            no
>> >   DAG enabled:                             no
>> >   Napatech enabled:                        yes
>> >   Unix socket enabled:                     yes
>> >
>> >   libnss support:                          no
>> >   libnspr support:                         no
>> >   libjansson support:                      yes
>> >   Prelude support:                         no
>> >   PCRE jit:                                yes
>> >   libluajit:                               yes
>> >   libgeoip:                                yes
>> >   Non-bundled htp:                         no
>> >   Old barnyard2 support:                   no
>> >   CUDA enabled:                            no
>> >
>> >   Suricatasc install:                      yes
>> >
>> >   Unit tests enabled:                      no
>> >   Debug output enabled:                    no
>> >   Debug validation enabled:                no
>> >   Profiling enabled:                       no
>> >   Profiling locks enabled:                 no
>> >
>> > Generic build parameters:
>> >   Installation prefix (--prefix):          /opt/suricata
>> >   Configuration directory (--sysconfdir):  /opt/suricata/etc/suricata/
>> >   Log directory (--localstatedir):         /opt/suricata/var/log/suricata/
>> >
>> >   Host:                                    x86_64-unknown-linux-gnu
>> >   GCC binary:                              gcc
>> >   GCC Protect enabled:                     no
>> >   GCC march native enabled:                yes
>> >   GCC Profile enabled:                     no
>> >
>> > =========Supported App Layer Protocols=========
>> > http
>> > ftp
>> > smtp
>> > tls
>> > ssh
>> > imap
>> > msn
>> > smb
>> > smb2
>> > dcerpc
>> > dcerpcudp
>> > =====
>>
>> Can you verify if this solves it for you? -
>>
>>
>> https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Frequently_Asked_Questions
>>
>> --
>> -------------------------------
>> Anoop Saldanha
>> http://www.poona.me
>> -------------------------------
>>
>
>
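Added example, not part of the thread and not Suricata's own code: a standalone checker for the condition the FAQ pointer and the "no invalid checksums" reply are about. With checksum validation enabled in suricata.yaml, segments whose TCP checksum fails are kept out of stream reassembly, and the app-layer parsers (http, tls) only see reassembled streams, whereas a plain `tcp` content rule still inspects each packet's payload. A capture taken on a host whose NIC offloads checksumming shows exactly that pattern. The script computes IPv4 and TCP checksums over raw IPv4 frames (assumed: no link-layer header, as you would get after stripping Ethernet from a pcap) and tallies mismatches; the two sample packets are constructed inline, one carrying the GET request from the thread with correct checksums and one with a deliberately wrong TCP checksum.

```python
"""Verify IPv4 and TCP checksums of raw IPv4 frames (added example, constructed data)."""
import struct


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum of data; an odd trailing byte is zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                      # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return total


def checksum(data: bytes) -> int:
    """RFC 1071 checksum: complement of the folded sum."""
    return (~ones_complement_sum(data)) & 0xFFFF


def tcp_pseudo_header(src: bytes, dst: bytes, tcp_len: int) -> bytes:
    """IPv4 pseudo-header covered by the TCP checksum (protocol 6)."""
    return src + dst + b"\x00\x06" + struct.pack("!H", tcp_len)


def verify_ipv4_tcp(packet: bytes) -> dict:
    """Report whether the IP header and TCP segment checksums validate.

    A checksum validates when the folded sum over the covered bytes, checksum
    field included, is 0xFFFF, i.e. checksum() of those bytes is 0.
    """
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    proto = packet[9]
    src, dst = packet[12:16], packet[16:20]
    result = {"ip_ok": checksum(packet[:ihl]) == 0, "tcp_ok": None}
    if proto == 6:
        segment = packet[ihl:total_len]
        covered = tcp_pseudo_header(src, dst, len(segment)) + segment
        result["tcp_ok"] = checksum(covered) == 0
    return result


def count_bad_checksums(packets) -> dict:
    """Tally packets that checksum validation would exclude from stream tracking."""
    bad_ip = bad_tcp = 0
    for pkt in packets:
        r = verify_ipv4_tcp(pkt)
        bad_ip += not r["ip_ok"]
        bad_tcp += r["tcp_ok"] is False
    return {"packets": len(packets), "bad_ip": bad_ip, "bad_tcp": bad_tcp}


# --- constructed sample traffic -------------------------------------------
REQUEST = (b"GET /stuff/index.html HTTP/1.0\r\nUser-Agent: scarlett\r\n"
           b"Accept: */*\r\nHost: blah.myserver.com\r\nConnection: Keep-Alive\r\n\r\n")
SRC, DST = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])   # hypothetical addresses


def build_ipv4_tcp(src: bytes, dst: bytes, sport: int, dport: int, payload: bytes) -> bytes:
    """Build a minimal IPv4/TCP packet with correct checksums (test data only)."""
    tcp_len = 20 + len(payload)
    # ports, seq, ack, data offset 5 words, flags PSH|ACK, window, checksum 0, urgent 0
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    segment = tcp_hdr + payload
    tcp_csum = checksum(tcp_pseudo_header(src, dst, tcp_len) + segment)
    segment = segment[:16] + struct.pack("!H", tcp_csum) + segment[18:]
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len, 0, 0x4000, 64, 6, 0, src, dst)
    ip_hdr = ip_hdr[:10] + struct.pack("!H", checksum(ip_hdr)) + ip_hdr[12:]
    return ip_hdr + segment


def good_packet() -> bytes:
    return build_ipv4_tcp(SRC, DST, 40000, 80, REQUEST)


def bad_checksum_packet() -> bytes:
    """Same segment with a wrong TCP checksum (constructed as correct value + 1).

    A capture on a host with checksum offloading shows wrong values in this
    field; +1 is simply a way to guarantee a mismatch for the demonstration.
    """
    good = good_packet()
    correct = struct.unpack("!H", good[36:38])[0]   # 20-byte IP header + TCP offset 16
    return good[:36] + struct.pack("!H", (correct + 1) & 0xFFFF) + good[38:]


if __name__ == "__main__":
    print(count_bad_checksums([good_packet(), bad_checksum_packet()]))
```

Run against real traffic by feeding `count_bad_checksums` the IPv4 frames of a capture taken on the sensor; a non-zero `bad_tcp` count on traffic that otherwise looks healthy points at offloading on the capture NIC rather than at the rules, and is the case where disabling checksum validation in suricata.yaml (or disabling offloading on the interface) restores app-layer parsing.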