[Oisf-users] failed pattern match with async-oneside
Dan Murphy
dmurphy at defense.net
Wed Oct 23 04:23:03 UTC 2013
I'm seeing an issue where this simple content rule:
alert tcp any any -> any any (msg:"test pattern"; content:"attack"; sid:2013102104; rev:2;)
and this simple wget:
wget --debug -O - http://x.x.x.x/attack
GET /attack HTTP/1.0
User-Agent: Wget/1.12 (linux-gnu)
Accept: */*
Host: x.x.x.x
Connection: Keep-Alive
This matches 100% of the time from any test host if I set "async-oneside:
false" in my stream configuration section. However if I set
"async-oneside: true", certain hosts firing off that same wget never
trigger the rule. So the behavior is such that... if it fires when you do
a wget from test host A, it is consistent and will always fire, and the
inverse is also true. My guess is that there's something slightly
different going across the wire despite the identical HTTP requests...
I took some raw pcaps of a match and a fail but nothing jumped out at me
(not that it would without understanding the decision tree of the code)
... and before someone says it ...
We do not see symmetric traffic flows which is why I was using
async-oneside: true. I was hoping to take advantage of some of the L7
capabilities. Obviously if the disease is worse than the cure, I'll leave
it at false and stick with straight payload matching in tcp/udp.
I guess my questions are twofold:
1.) Is anyone else using async-oneside and has observed this or similar
behavior?
2.) What is really the best way to start debugging why a rule ISN'T firing?
I pasted my build info below for those interested.
Thanks,
Dan
irc(danm)
This is Suricata version 1.4.5 RELEASE
Features: PCAP_SET_BUFF LIBPCAP_VERSION_MAJOR=1 AF_PACKET
HAVE_PACKET_FANOUT LIBCAP_NG LIBNET1.1 HAVE_HTP_URI_NORMALIZE_HOOK
HAVE_HTP_TX_GET_RESPONSE_HEADERS_RAW PCRE_JIT HAVE_LUAJIT HAVE_LIBJANSSON
64-bits, Little-endian architecture
GCC version 4.4.7 20120313 (Red Hat 4.4.7-3), C version 199901
__GCC_HAVE_SYNC_COMPARE_AND_SWAP_1
__GCC_HAVE_SYNC_COMPARE_AND_SWAP_2
__GCC_HAVE_SYNC_COMPARE_AND_SWAP_4
__GCC_HAVE_SYNC_COMPARE_AND_SWAP_8
__GCC_HAVE_SYNC_COMPARE_AND_SWAP_16
compiled with libhtp 0.2.14, linked against 0.2.14
Suricata Configuration:
AF_PACKET support: yes
PF_RING support: no
NFQueue support: no
IPFW support: no
DAG enabled: no
Napatech enabled: yes
Unix socket enabled: yes
libnss support: no
libnspr support: no
libjansson support: yes
Prelude support: no
PCRE jit: yes
libluajit: yes
libgeoip: yes
Non-bundled htp: no
Old barnyard2 support: no
CUDA enabled: no
Suricatasc install: yes
Unit tests enabled: no
Debug output enabled: no
Debug validation enabled: no
Profiling enabled: no
Profiling locks enabled: no
Generic build parameters:
Installation prefix (--prefix): /opt/suricata
Configuration directory (--sysconfdir): /opt/suricata/etc/suricata/
Log directory (--localstatedir) : /opt/suricata/var/log/suricata/
Host: x86_64-unknown-linux-gnu
GCC binary: gcc
GCC Protect enabled: no
GCC march native enabled: yes
GCC Profile enabled: no
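On the second question (how to start debugging a rule that does not fire), one systematic first step is to compare the "match" and "fail" pcaps on the properties a stream-tracking engine cares about rather than eyeballing them: whether both directions of the flow are visible, whether the three-way handshake was captured, how many data segments carry the request, and whether the content string lies inside a single TCP segment or only appears once the segments are reassembled. The script below is an added example for this thread, not code from the original poster or from the Suricata project. It parses a libpcap file with only the standard library and runs over a constructed capture (hypothetical addresses 10.0.0.x) containing two flows: one with a full handshake and the request in one segment, and one where only the client side is visible, no SYN was seen, and the GET is split so "attack" straddles two segments. The pattern, offsets and flow labels are the example's own assumptions.

```python
import struct
from collections import defaultdict

PATTERN = b"attack"          # the content: keyword from the rule in the thread
SYN, PSH, ACK = 0x02, 0x08, 0x10

# --- constructed sample capture (assumed addresses, not from the post) ---
CLIENT_A, CLIENT_B, SERVER = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 3]), bytes([10, 0, 0, 2])
REQUEST = (b"GET /attack HTTP/1.0\r\nUser-Agent: Wget/1.12 (linux-gnu)\r\n"
           b"Accept: */*\r\nHost: x.x.x.x\r\nConnection: Keep-Alive\r\n\r\n")

def tcp_packet(src, dst, sport, dport, flags, seq, ack, payload=b""):
    """Build Ethernet/IPv4/TCP frame; checksums left zero (not verified here)."""
    eth = b"\x00" * 6 + b"\x11" * 6 + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0, src, dst)
    return eth + ip + tcp

def build_pcap(frames):
    """Wrap frames in a libpcap file: 24-byte global header, 16-byte record headers."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)   # LINKTYPE_ETHERNET
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1382500000 + i, 0, len(frame), len(frame)) + frame
    return out

def sample_capture():
    # Flow 1 ("match" case): handshake seen, both directions, request in one segment.
    frames = [
        tcp_packet(CLIENT_A, SERVER, 40000, 80, SYN, 1000, 0),
        tcp_packet(SERVER, CLIENT_A, 80, 40000, SYN | ACK, 5000, 1001),
        tcp_packet(CLIENT_A, SERVER, 40000, 80, ACK, 1001, 5001),
        tcp_packet(CLIENT_A, SERVER, 40000, 80, PSH | ACK, 1001, 5001, REQUEST),
        tcp_packet(SERVER, CLIENT_A, 80, 40000, ACK, 5001, 1001 + len(REQUEST)),
    ]
    # Flow 2 ("fail" case): client side only, no SYN, "attack" cut into "att" | "ack".
    split = REQUEST.index(PATTERN) + 3
    frames += [
        tcp_packet(CLIENT_B, SERVER, 40001, 80, PSH | ACK, 2001, 7001, REQUEST[:split]),
        tcp_packet(CLIENT_B, SERVER, 40001, 80, PSH | ACK, 2001 + split, 7001, REQUEST[split:]),
    ]
    return build_pcap(frames)

# --- minimal pcap / TCP parsing ---
def iter_frames(pcap):
    if struct.unpack_from("<I", pcap, 0)[0] != 0xA1B2C3D4:
        raise ValueError("only little-endian microsecond pcap is handled here")
    off = 24
    while off + 16 <= len(pcap):
        incl_len = struct.unpack_from("<IIII", pcap, off)[2]
        off += 16
        yield pcap[off:off + incl_len]
        off += incl_len

def parse_tcp(frame):
    """Return the TCP fields we compare, or None for non-IPv4/TCP frames."""
    if frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    ihl, total_len = (ip[0] & 0x0F) * 4, struct.unpack_from("!H", ip, 2)[0]
    if ip[9] != 6:
        return None
    tcp = ip[ihl:total_len]
    sport, dport, seq = struct.unpack_from("!HHI", tcp, 0)
    return {"src": ".".join(map(str, ip[12:16])), "dst": ".".join(map(str, ip[16:20])),
            "sport": sport, "dport": dport, "seq": seq, "flags": tcp[13],
            "payload": tcp[(tcp[12] >> 4) * 4:]}

def analyze(pcap, pattern=PATTERN):
    """Per flow: directions seen, handshake seen, segment count, where the pattern lives."""
    flows = defaultdict(lambda: {"dirs": set(), "syn": False, "synack": False,
                                 "segments": 0, "in_segment": False,
                                 "stream": defaultdict(dict)})
    for frame in iter_frames(pcap):
        p = parse_tcp(frame)
        if p is None:
            continue
        a, b = (p["src"], p["sport"]), (p["dst"], p["dport"])
        f = flows["<->".join(f"{h}:{port}" for h, port in sorted([a, b]))]
        f["dirs"].add((a, b))
        f["syn"] |= bool(p["flags"] & SYN) and not p["flags"] & ACK
        f["synack"] |= bool(p["flags"] & SYN) and bool(p["flags"] & ACK)
        if p["payload"]:
            f["segments"] += 1
            f["in_segment"] |= pattern in p["payload"]
            f["stream"][(a, b)][p["seq"]] = p["payload"]   # seq-ordered reassembly
    report = {}
    for key, f in flows.items():
        streams = [b"".join(seg for _, seg in sorted(d.items())) for d in f["stream"].values()]
        report[key] = {"bidirectional": len(f["dirs"]) == 2,
                       "handshake_seen": f["syn"] and f["synack"],
                       "data_segments": f["segments"],
                       "pattern_in_single_segment": f["in_segment"],
                       "pattern_in_reassembled_stream": any(pattern in s for s in streams)}
    return report

if __name__ == "__main__":
    for flow, facts in analyze(sample_capture()).items():
        print(flow, facts)
```

Run it against real captures by replacing sample_capture() with the bytes of the "match" and "fail" pcaps; a flow where the pattern shows up only in the reassembled stream, or where no handshake and only one direction were captured, is the kind of difference that decides whether a stream-based engine gets to inspect the request at all, and is exactly what does not jump out when reading the two traces by hand.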