[Oisf-users] Suricata not detecting app-layers
Victor Julien
lists at inliniac.net
Tue Dec 23 14:17:59 UTC 2014
On 12/23/2014 03:14 PM, Joris Roefs l Onsight Solutions BV wrote:
> Suricata is giving me a hard time alerting on app-layer specific traffic.
> I want to alert on specific HTTP and DNS events, but so far I don’t get
> any events at all.
>
> For debugging purposes I’ve created an alert that will fire on /every/
> http session. There hasn’t been a hit yet, although I’m monitoring my
> company’s internet connection and have initiated enough HTTP-requests.
> Tcpdump shows me the complete HTTP-session and when I use an alert that
> fires on any tcp-session over HTTP_PORTS I get to see them as well.
>
> Rules:
>
> alert http any any -> any any (msg:"HTTP connection detected ";
> sid:89601; rev:1;)
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Outgoing HTTP
> connection detected "; sid:89602; rev:1;)
>
> So, first one never firing, second one constantly. Should be the other
> way ‘round, right?
>
> Anyone any idea what could be wrong here (or better: where did I go wrong?)?
>
> Some additional information:
>
> - Checksum checks are off in suricata and offloading is disabled
> on the sniffing interface.
>
> - We’re in IDS mode, on a SPAN port, which is not overloaded.
>
> - Stats.log says no checksum issues, no reassembly issues,
>
> - Configs attached
>
> - Build information:
>
Do you have VLAN traffic by any chance? If so, this yaml setting may help:

vlan:
  use-for-tracking: false
--
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
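The reason the VLAN setting matters: by default (vlan.use-for-tracking: true) Suricata includes the 802.1Q VLAN ID when matching packets to flows, so a SPAN port that delivers the request on one VLAN and the reply on another turns a single TCP session into two one-sided flows, and the HTTP and DNS app-layer parsers never see a complete conversation, even though a plain `alert tcp` rule still fires on the packets. The script below is an added diagnostic, not code from the thread or from the Suricata project: it walks a classic pcap taken from the SPAN port and lists TCP flows whose two directions disagree on the VLAN ID. The capture it runs on is constructed inline from made-up addresses, ports and VLAN IDs so that it works offline; point `asymmetric_vlan_flows()` at real capture bytes to check your own link.

```python
import struct
from collections import defaultdict

# Added diagnostic, not part of the original thread. Finds TCP flows whose two
# directions carry different 802.1Q VLAN IDs, which with Suricata's default
# vlan.use-for-tracking: true splits one session into two one-sided flows.
ETH_P_8021Q = 0x8100
ETH_P_IP = 0x0800
IPPROTO_TCP = 6


def parse_frame(frame):
    """Return (vlan_id, src, sport, dst, dport) for an IPv4/TCP frame, else None.

    vlan_id is None for untagged frames. Only a single 802.1Q tag is handled.
    """
    if len(frame) < 14:
        return None
    ethertype = struct.unpack_from("!H", frame, 12)[0]
    off, vlan_id = 14, None
    if ethertype == ETH_P_8021Q:
        if len(frame) < 18:
            return None
        tci, ethertype = struct.unpack_from("!HH", frame, 14)
        vlan_id, off = tci & 0x0FFF, 18
    if ethertype != ETH_P_IP or len(frame) < off + 20:
        return None
    ihl = (frame[off] & 0x0F) * 4
    if frame[off + 9] != IPPROTO_TCP or len(frame) < off + ihl + 4:
        return None
    src = ".".join(str(b) for b in frame[off + 12:off + 16])
    dst = ".".join(str(b) for b in frame[off + 16:off + 20])
    sport, dport = struct.unpack_from("!HH", frame, off + ihl)
    return vlan_id, src, sport, dst, dport


def iter_pcap_frames(data):
    """Yield raw Ethernet frames from a classic pcap (not pcapng) byte string."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if endian is None:
        raise ValueError("not a classic pcap file")
    if struct.unpack_from(endian + "I", data, 20)[0] != 1:  # DLT_EN10MB
        raise ValueError("only Ethernet captures are handled")
    pos = 24
    while pos + 16 <= len(data):
        incl_len = struct.unpack_from(endian + "IIII", data, pos)[2]
        pos += 16
        yield data[pos:pos + incl_len]
        pos += incl_len


def asymmetric_vlan_flows(pcap_bytes):
    """Return {flow_key: {"fwd": vlan_ids, "rev": vlan_ids}} for flows seen in
    both directions whose directions do not agree on the VLAN ID."""
    flows = defaultdict(lambda: defaultdict(set))
    for frame in iter_pcap_frames(pcap_bytes):
        parsed = parse_frame(frame)
        if parsed is None:
            continue
        vlan_id, src, sport, dst, dport = parsed
        # Order the endpoints so both directions share one key, and record
        # which direction this packet travelled in.
        a, b = (src, sport), (dst, dport)
        key, direction = (a + b, "fwd") if a <= b else (b + a, "rev")
        flows[key][direction].add(vlan_id)
    return {k: dict(v) for k, v in flows.items()
            if "fwd" in v and "rev" in v and v["fwd"] != v["rev"]}


# --- constructed sample capture (made-up addresses, ports and VLAN IDs) ---
def build_frame(vlan_id, src, sport, dst, dport):
    """Minimal Ethernet/IPv4/TCP frame, 802.1Q tagged when vlan_id is not None."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
    if vlan_id is not None:
        eth += struct.pack("!HH", ETH_P_8021Q, vlan_id)
    eth += struct.pack("!H", ETH_P_IP)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH", 0x45, 0, 20 + len(tcp), 0, 0, 64, IPPROTO_TCP, 0)
    ip += bytes(int(x) for x in src.split(".")) + bytes(int(x) for x in dst.split("."))
    return eth + ip + tcp


def build_pcap(frames):
    """Wrap frames in a little-endian classic pcap container (link type Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for frame in frames:
        out += struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    return out


SAMPLE_PCAP = build_pcap([
    build_frame(10, "10.0.0.5", 51234, "203.0.113.80", 80),    # request leaves on VLAN 10
    build_frame(20, "203.0.113.80", 80, "10.0.0.5", 51234),    # reply comes back on VLAN 20
    build_frame(30, "10.0.0.6", 40000, "198.51.100.7", 443),   # symmetric: VLAN 30 both ways
    build_frame(30, "198.51.100.7", 443, "10.0.0.6", 40000),
    build_frame(None, "10.0.0.7", 40001, "192.0.2.9", 53),     # untagged both ways
    build_frame(None, "192.0.2.9", 53, "10.0.0.7", 40001),
])

if __name__ == "__main__":
    for key, dirs in asymmetric_vlan_flows(SAMPLE_PCAP).items():
        print(f"{key[0]}:{key[1]} <-> {key[2]}:{key[3]}  "
              f"fwd VLAN {dirs['fwd']}  rev VLAN {dirs['rev']}")
```

On the constructed capture only the 10.0.0.5:51234 <-> 203.0.113.80:80 session is reported (VLAN 10 outbound, VLAN 20 inbound); the flow tagged VLAN 30 in both directions and the untagged flow are left alone. If a capture from the SPAN port produces hits like that, set `vlan: use-for-tracking: false` in suricata.yaml and restart Suricata, after which the `alert http any any -> any any` rule should start firing; if the capture is clean, the VLAN setting is not the cause and the checksum, offloading and reassembly counters are the next place to look.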