[Oisf-users] app layer protocol issues
Victor Julien
lists at inliniac.net
Thu Jul 25 07:35:53 UTC 2013
Sorry, meant to keep the discussion on-list.
On 07/25/2013 09:31 AM, Dan Murphy wrote:
> That does indeed fix it. The rules hit now but with one strange side
> effect. The alerts seem to get buffered up and not fire immediately.
> They only seem to flush to the log when I ^c the application. Is there
> any way to make them flush immediately? Is it queued up waiting
> for some kind of timer to expire?
I think this is probably caused by the flow timeout handling. As the
async stream doesn't properly close (we're not seeing the full FIN-cycle
or RST packet(s)), we rely on it timing out. You can lower the timeout
settings though.
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Suricatayaml#Flow-Time-Outs
Cheers,
Victor
>
> On Thu, Jul 25, 2013 at 3:08 AM, Victor Julien <lists at inliniac.net> wrote:
>
> On 07/25/2013 08:58 AM, Dan Murphy wrote:
> > Would asymmetric traffic cause the protocol parsers to not get called?
> > In this deployment, I'm only seeing the inbound traffic.
>
> Yes, that is probably the cause. You can try enabling 'async-oneside' in
> the stream engine:
>
> stream:
> async-oneside: true
>
> Ideally you would make sure Suricata sees both sides though.
>
>
> >
> > cheers,
> > Dan
> >
> > On Thu, Jul 25, 2013 at 2:42 AM, Dan Murphy <dmurphy at defense.net> wrote:
> >
> > No invalid checksums detected. To verify further I disabled it in
> > the suricata.yaml and tested again and still not functioning.
> >
> > On Thu, Jul 25, 2013 at 2:15 AM, Anoop Saldanha <anoopsaldanha at gmail.com> wrote:
> >
> > On Thu, Jul 25, 2013 at 10:41 AM, Dan Murphy <dmurphy at defense.net> wrote:
> > > I'm testing a build of 1.4.4 (with napatech support) and it seems like none
> > > of the app layer protocols are working. My ip / tcp rules alert just fine.
> > > I also have zero byte http and tls logs despite them both being enabled, so I
> > > think it's a bit deeper than a rule misconfiguration; nonetheless I'll put an
> > > example below. Has anyone seen this type of behavior before?
> > >
> > >
> > > Here are sample rules:
> > > alert http any any -> $VIPS_NET any (msg:"Test HTTP"; content:"scarlett"; http_header; nocase; classtype:policy-violation; sid:1; rev:1;) # Never alerts
> > > alert tcp any any -> $VIPS_NET any (msg:"Test TCP"; content:"scarlett"; nocase; classtype:policy-violation; sid:2; rev:1;) # Always alerts
> > >
> > > Here is the GET request:
> > > --request begin---
> > > GET /stuff/index.html HTTP/1.0
> > > User-Agent: scarlett
> > > Accept: */*
> > > Host: blah.myserver.com
> > > Connection: Keep-Alive
> > >
> > > This is Suricata version 1.4.4 RELEASE
> > >
> > > BUILD INFO
> > > This is Suricata version 1.4.4 RELEASE
> > > Features: PCAP_SET_BUFF LIBPCAP_VERSION_MAJOR=1 AF_PACKET HAVE_PACKET_FANOUT
> > > LIBCAP_NG LIBNET1.1 HAVE_HTP_URI_NORMALIZE_HOOK
> > > HAVE_HTP_TX_GET_RESPONSE_HEADERS_RAW PCRE_JIT HAVE_LUAJIT HAVE_LIBJANSSON
> > > 64-bits, Little-endian architecture
> > > GCC version 4.4.7 20120313 (Red Hat 4.4.7-3), C version 199901
> > > __GCC_HAVE_SYNC_COMPARE_AND_SWAP_1
> > > __GCC_HAVE_SYNC_COMPARE_AND_SWAP_2
> > > __GCC_HAVE_SYNC_COMPARE_AND_SWAP_4
> > > __GCC_HAVE_SYNC_COMPARE_AND_SWAP_8
> > > __GCC_HAVE_SYNC_COMPARE_AND_SWAP_16
> > > compiled with libhtp 0.2.14, linked against 0.2.14
> > > Suricata Configuration:
> > > AF_PACKET support: yes
> > > PF_RING support: no
> > > NFQueue support: no
> > > IPFW support: no
> > > DAG enabled: no
> > > Napatech enabled: yes
> > > Unix socket enabled: yes
> > >
> > > libnss support: no
> > > libnspr support: no
> > > libjansson support: yes
> > > Prelude support: no
> > > PCRE jit: yes
> > > libluajit: yes
> > > libgeoip: yes
> > > Non-bundled htp: no
> > > Old barnyard2 support: no
> > > CUDA enabled: no
> > >
> > > Suricatasc install: yes
> > >
> > > Unit tests enabled: no
> > > Debug output enabled: no
> > > Debug validation enabled: no
> > > Profiling enabled: no
> > > Profiling locks enabled: no
> > >
> > > Generic build parameters:
> > > Installation prefix (--prefix): /opt/suricata
> > > Configuration directory (--sysconfdir): /opt/suricata/etc/suricata/
> > > Log directory (--localstatedir): /opt/suricata/var/log/suricata/
> > >
> > > Host: x86_64-unknown-linux-gnu
> > > GCC binary: gcc
> > > GCC Protect enabled: no
> > > GCC march native enabled: yes
> > > GCC Profile enabled: no
> > >
> > > =========Supported App Layer Protocols=========
> > > http
> > > ftp
> > > smtp
> > > tls
> > > ssh
> > > imap
> > > msn
> > > smb
> > > smb2
> > > dcerpc
> > > dcerpcudp
> > > =====
> >
> > Can you verify if this solves it for you? -
> > https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Frequently_Asked_Questions
> >
> > --
> > -------------------------------
> > Anoop Saldanha
> > http://www.poona.me
> > -------------------------------
--
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
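As an added illustration for readers of this thread (not a fragment posted by any of the participants), here is how the two settings Victor points to fit together in suricata.yaml: 'async-oneside' so the stream engine keeps tracking a flow when only one direction is observed, as in Dan's deployment, and shorter 'flow-timeouts' so that flows which never show a FIN cycle or RST expire sooner and their alerts and app-layer log entries are written out instead of waiting for the stock timeout. The section and key names are those of Suricata's shipped configuration; the stock values quoted in the comments are my recollection of the 1.4-era defaults and the lowered values are illustrative choices, not tuning advice from the thread.

```yaml
# Added example, not from the thread: suricata.yaml fragment for a sensor
# that only sees one direction of the traffic.

stream:
  # Track and reassemble a TCP flow even when only one side of the
  # conversation is observed (the setting suggested in the thread).
  async-oneside: true

flow-timeouts:
  # A one-sided flow never shows Suricata a complete FIN cycle or an RST,
  # so it is only released when its timeout expires; alerts and http/tls
  # log records tied to that flow appear when it is released. Lower tcp
  # timeouts release them sooner.  Values below are illustrative.
  tcp:
    new: 30                    # stock yaml (as recalled): 60
    established: 300           # stock yaml (as recalled): 3600, the main cause of the delay
    closed: 30                 # stock yaml (as recalled): 120; rarely reached without FIN/RST
    emergency-new: 5           # emergency values apply when the flow table is near full
    emergency-established: 60
    emergency-closed: 10
```

Two points worth keeping in mind when running one-sided. Anything a rule or log needs from the missing direction (server response headers, the TLS server certificate) can never match, so only client-side keywords are meaningful in this deployment, which is why the thread's closing advice is to get both directions to the sensor. And a short 'established' timeout means a long but quiet legitimate session is split across several flows; pick the value against the idle times actually seen on the link rather than simply the smallest number that makes the alerts appear.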