[Oisf-users] app layer protocol issues
Dan Murphy
dmurphy at defense.net
Thu Jul 25 06:58:44 UTC 2013
Would asymmetric traffic cause the protocol parsers to not get called? In
this deployment, I'm only seeing the inbound traffic.
cheers,
Dan
On Thu, Jul 25, 2013 at 2:42 AM, Dan Murphy <dmurphy at defense.net> wrote:
> No invalid checksums detected. To verify further I disabled it in the
> suricata.yaml and tested again and still not functioning.
>
> On Thu, Jul 25, 2013 at 2:15 AM, Anoop Saldanha <anoopsaldanha at gmail.com> wrote:
>
>> On Thu, Jul 25, 2013 at 10:41 AM, Dan Murphy <dmurphy at defense.net> wrote:
>> > I'm testing a build of 1.4.4 (with napatech support) and it seems like
>> > none of the app layer protocols are working. My ip / tcp rules alert just
>> > fine. I also have zero byte http and tls logs despite them both being enabled,
>> > so I think it's a bit deeper than a rule misconfiguration; nonetheless I'll
>> > put an example below. Has anyone seen this type of behavior before?
>> >
>> >
>> > Here are sample rules:
>> > alert http any any -> $VIPS_NET any (msg:"Test HTTP"; content:"scarlett"; http_header; nocase; classtype:policy-violation; sid:1; rev:1;) # Never alerts
>> > alert tcp any any -> $VIPS_NET any (msg:"Test TCP"; content:"scarlett"; nocase; classtype:policy-violation; sid:2; rev:1;) # Always alerts
>> >
>> > Here is the GET request:
>> > --request begin---
>> > GET /stuff/index.html HTTP/1.0
>> > User-Agent: scarlett
>> > Accept: */*
>> > Host: blah.myserver.com
>> > Connection: Keep-Alive
>> >
>> > This is Suricata version 1.4.4 RELEASE
>> >
>> > BUILD INFO
>> > This is Suricata version 1.4.4 RELEASE
>> > Features: PCAP_SET_BUFF LIBPCAP_VERSION_MAJOR=1 AF_PACKET HAVE_PACKET_FANOUT
>> > LIBCAP_NG LIBNET1.1 HAVE_HTP_URI_NORMALIZE_HOOK
>> > HAVE_HTP_TX_GET_RESPONSE_HEADERS_RAW PCRE_JIT HAVE_LUAJIT HAVE_LIBJANSSON
>> > 64-bits, Little-endian architecture
>> > GCC version 4.4.7 20120313 (Red Hat 4.4.7-3), C version 199901
>> > __GCC_HAVE_SYNC_COMPARE_AND_SWAP_1
>> > __GCC_HAVE_SYNC_COMPARE_AND_SWAP_2
>> > __GCC_HAVE_SYNC_COMPARE_AND_SWAP_4
>> > __GCC_HAVE_SYNC_COMPARE_AND_SWAP_8
>> > __GCC_HAVE_SYNC_COMPARE_AND_SWAP_16
>> > compiled with libhtp 0.2.14, linked against 0.2.14
>> > Suricata Configuration:
>> > AF_PACKET support: yes
>> > PF_RING support: no
>> > NFQueue support: no
>> > IPFW support: no
>> > DAG enabled: no
>> > Napatech enabled: yes
>> > Unix socket enabled: yes
>> >
>> > libnss support: no
>> > libnspr support: no
>> > libjansson support: yes
>> > Prelude support: no
>> > PCRE jit: yes
>> > libluajit: yes
>> > libgeoip: yes
>> > Non-bundled htp: no
>> > Old barnyard2 support: no
>> > CUDA enabled: no
>> >
>> > Suricatasc install: yes
>> >
>> > Unit tests enabled: no
>> > Debug output enabled: no
>> > Debug validation enabled: no
>> > Profiling enabled: no
>> > Profiling locks enabled: no
>> >
>> > Generic build parameters:
>> > Installation prefix (--prefix): /opt/suricata
>> > Configuration directory (--sysconfdir): /opt/suricata/etc/suricata/
>> > Log directory (--localstatedir): /opt/suricata/var/log/suricata/
>> >
>> > Host: x86_64-unknown-linux-gnu
>> > GCC binary: gcc
>> > GCC Protect enabled: no
>> > GCC march native enabled: yes
>> > GCC Profile enabled: no
>> >
>> > =========Supported App Layer Protocols=========
>> > http
>> > ftp
>> > smtp
>> > tls
>> > ssh
>> > imap
>> > msn
>> > smb
>> > smb2
>> > dcerpc
>> > dcerpcudp
>> > =====
>>
>> Can you verify if this solves it for you? -
>>
>> https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Frequently_Asked_Questions
>>
>> --
>> -------------------------------
>> Anoop Saldanha
>> http://www.poona.me
>> -------------------------------
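A quick check for the one-directional capture Dan suspects, added here as an example rather than anything from the thread or from Suricata itself: it groups packets into flows and reports those where only one direction (and no SYN/ACK) was ever seen, which is the situation a stream tracker that expects a full handshake cannot reconcile. The packet tuples are constructed; in practice they would come from a pcap reader.

```python
"""Diagnose asymmetric (one-directional) TCP flows from a packet list.

Constructed example: the tuples below stand in for packets read from a
capture so the check runs offline.
"""
from collections import defaultdict

# Constructed sample packets: (src_ip, src_port, dst_ip, dst_port, tcp_flags)
PACKETS = [
    # Flow A: full handshake plus data, both directions captured
    ("10.0.0.5", 40001, "192.0.2.10", 80, "S"),
    ("192.0.2.10", 80, "10.0.0.5", 40001, "SA"),
    ("10.0.0.5", 40001, "192.0.2.10", 80, "A"),
    ("10.0.0.5", 40001, "192.0.2.10", 80, "PA"),
    ("192.0.2.10", 80, "10.0.0.5", 40001, "PA"),
    # Flow B: only the client -> server half reached the sensor
    ("10.0.0.7", 40002, "192.0.2.10", 80, "S"),
    ("10.0.0.7", 40002, "192.0.2.10", 80, "A"),
    ("10.0.0.7", 40002, "192.0.2.10", 80, "PA"),
]

def flow_key(src, sport, dst, dport):
    """Direction-independent key so both halves of a flow group together."""
    return tuple(sorted([(src, sport), (dst, dport)]))

def analyze_flows(packets):
    """Return {flow_key: {"directions": set, "syn": bool, "synack": bool}}."""
    flows = defaultdict(lambda: {"directions": set(), "syn": False, "synack": False})
    for src, sport, dst, dport, flags in packets:
        f = flows[flow_key(src, sport, dst, dport)]
        f["directions"].add(((src, sport), (dst, dport)))
        if flags == "S":
            f["syn"] = True
        elif flags == "SA":
            f["synack"] = True
    return dict(flows)

def asymmetric_flows(packets):
    """Flow keys for which only one direction of traffic was observed."""
    return [k for k, f in analyze_flows(packets).items() if len(f["directions"]) == 1]

def symmetry_ratio(packets):
    """Fraction of flows seen in both directions; near 0 points at the tap, not the rules."""
    flows = analyze_flows(packets)
    if not flows:
        return 1.0
    two_way = sum(1 for f in flows.values() if len(f["directions"]) == 2)
    return two_way / len(flows)
```

Run it against the inbound-only capture and a ratio well below 1 confirms the sensor is missing the return path before any rule or parser setting is blamed.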