[Oisf-users] RE : HTTP keywords not matching

rmkml rmkml at yahoo.fr
Sun Dec 14 16:15:17 UTC 2014


ok, I confirm: it works/fires.

my test is simply with: wget http://www.openinfosecfoundation.org/
and a full network capture with tcpdump (for replay).

and your two sigs fire:
alert http any any -> any any (msg:"get"; content:"GET"; sid:2;)
alert http any any -> any any (msg:"get method"; content:"GET"; http_method; sid:3;)

Tested Suricata v2.0.5, v2.0.4 and v2.1beta2.

Regards
@Rmkml



On Sun, 14 Dec 2014, rmkml wrote:

> Thx Paul,
>
> You could check how to disable offloading at this url please:
> https://redmine.openinfosecfoundation.org/projects/suricata/wiki/File_Extraction
>
> Could you share a pcap, your sig and your suricata.yaml please?
>
> Regards
> @Rmkml
>
>
> On Sun, 14 Dec 2014, Paul Apostolescu wrote:
>
>> That did it, with the setting "checksum-validation: no" the app layer is processed.
>> Is there a place where I can find all options that need to be on/off for
>> the card to disable offloading? I've already switched off gso and lro.
>> 
>> Thanks.
>> 
>> On Sun, Dec 14, 2014 at 5:53 AM, rmkml <rmkml at yahoo.fr> wrote:
>> Hi Paul,
>> 
>> Could you try disabling cksum verification in suricata.yaml please?
>> 
>> Regards 
>> @Rmkml 
>>  
>> 
>> 
>> -------- Original message --------
>> From: Paul Apostolescu <apbogdan at gmail.com>
>> Date: 14/12/2014 04:43 (GMT+01:00)
>> To: oisf-users at lists.openinfosecfoundation.org
>> Cc:
>> Subject: [Oisf-users] HTTP keywords not matching
>> 
>> Hi,
>> I'm having trouble getting rules using http keywords to work; this is the
>> behavior I'm seeing:
>> 
>> - an alert looking for http and content works:
>>       alert http any any -> any any (msg:"get"; content:"GET";sid...)
>>    
>> - anything else using the keywords fails like this one for example
>>       alert http any any -> any any (msg:"get method"; content:"GET";http_method;sid...)
>> 
>> I've turned on eve logging but I cannot see any http activity, only dns (I
>> have disabled all other loggers).
>> 
>> I'm using 2.0.5 on CentOS 6.5 in a VM (Fusion on Mac) and running in pcap 
>> live mode "suricata -i eth1 -c ...."
>> 
>> Any ideas what might be wrong?
>> 
>> Thanks.
>> 
>> 
>> 
>

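The thread asks which NIC offload options have to be off for Suricata to see correct checksums and process the app layer. As an added example (not from the thread or the Suricata project), this shell snippet reads `ethtool -k <iface>` output, lists the offload features that are still enabled and changeable, and prints the `ethtool -K` commands that would turn them off; the sample `ethtool -k` output embedded below is constructed, not captured from a real sensor.

```shell
# Map an `ethtool -k` feature name to the short option `ethtool -K` expects.
# Only the offload features relevant to checksum/segmentation are mapped.
offload_short_name() {
  case "$1" in
    rx-checksumming) echo rx ;;
    tx-checksumming) echo tx ;;
    tcp-segmentation-offload) echo tso ;;
    generic-segmentation-offload) echo gso ;;
    generic-receive-offload) echo gro ;;
    large-receive-offload) echo lro ;;
    *) return 1 ;;
  esac
}

# Read `ethtool -k` output on stdin and print "feature short" for every mapped
# offload feature that is "on" and not marked "[fixed]" (fixed ones cannot change).
enabled_offloads() {
  while IFS= read -r line; do
    case "$line" in
      *'[fixed]'*) continue ;;
    esac
    feature=$(printf '%s' "${line%%:*}" | sed 's/^[[:space:]]*//')
    value=${line#*: }
    value=${value%% *}            # drop trailing "[requested ...]" notes
    [ "$value" = on ] || continue
    short=$(offload_short_name "$feature") || continue
    printf '%s %s\n' "$feature" "$short"
  done
}

# Emit the ethtool -K commands that disable whatever is still enabled.
disable_commands() {
  iface=$1
  enabled_offloads | while read -r _feature short; do
    printf 'ethtool -K %s %s off\n' "$iface" "$short"
  done
}

# Constructed sample of `ethtool -k eth1` output (not from a real host).
SAMPLE_ETHTOOL_K='Features for eth1:
rx-checksumming: on
tx-checksumming: on
scatter-gather: on
tcp-segmentation-offload: on
generic-segmentation-offload: off
generic-receive-offload: on
large-receive-offload: off [fixed]
rx-vlan-offload: on'

printf '%s\n' "$SAMPLE_ETHTOOL_K" | disable_commands eth1
```

On a live sensor, replace the sample with `ethtool -k eth1 | disable_commands eth1` and review the printed commands before running them; `checksum-validation: no` in suricata.yaml remains the workaround when offloading cannot be disabled.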
