[Oisf-users] Http/libhtp issue Suricata 2.0 on CentOS 6
(OISF) Martijn Schoemaker
oisf at ficture.nl
Thu May 1 13:22:00 UTC 2014
Some additional info:
Working 1.4.7 release:
--------------------------------
# suricata-1.4.7/src/suricata --build-info
This is Suricata version 1.4.7 RELEASE
Features: PCAP_SET_BUFF LIBPCAP_VERSION_MAJOR=1 AF_PACKET HAVE_PACKET_FANOUT LIBNET1.1 HAVE_HTP_URI_NORMALIZE_HOOK HAVE_HTP_TX_GET_RESPONSE_HEADERS_RAW
64-bits, Little-endian architecture
GCC version 4.4.7 20120313 (Red Hat 4.4.7-4), C version 199901
__GCC_HAVE_SYNC_COMPARE_AND_SWAP_1
__GCC_HAVE_SYNC_COMPARE_AND_SWAP_2
__GCC_HAVE_SYNC_COMPARE_AND_SWAP_4
__GCC_HAVE_SYNC_COMPARE_AND_SWAP_8
__GCC_HAVE_SYNC_COMPARE_AND_SWAP_16
compiled with libhtp 0.2.14, linked against 0.2.14
Suricata Configuration:
AF_PACKET support: yes
PF_RING support: no
NFQueue support: no
IPFW support: no
DAG enabled: no
Napatech enabled: no
Unix socket enabled: no
libnss support: no
libnspr support: no
libjansson support: no
Prelude support: no
PCRE jit: no
libluajit: no
libgeoip: no
Non-bundled htp: no
Old barnyard2 support: no
CUDA enabled: no
Suricatasc install: yes
Unit tests enabled: no
Debug output enabled: no
Debug validation enabled: no
Profiling enabled: no
Profiling locks enabled: no
Generic build parameters:
Installation prefix (--prefix): /usr
Configuration directory (--sysconfdir): /etc/suricata/
Log directory (--localstatedir) : /var/log/suricata/
Host: x86_64-unknown-linux-gnu
GCC binary: gcc
GCC Protect enabled: no
GCC march native enabled: yes
GCC Profile enabled: no
Git release (not working):
-------------------------------------
# suricata-git/oisf/src/suricata --build-info
This is Suricata version 2.0dev (rev 6fbb955)
Features: PCAP_SET_BUFF LIBPCAP_VERSION_MAJOR=1 AF_PACKET HAVE_PACKET_FANOUT LIBNET1.1 HAVE_HTP_URI_NORMALIZE_HOOK
SIMD support: SSE_3
Atomic intrisics: 1 2 4 8 16 byte(s)
64-bits, Little-endian architecture
GCC version 4.4.7 20120313 (Red Hat 4.4.7-4), C version 199901
L1 cache line size (CLS)=64
compiled with LibHTP v0.5.11, linked against LibHTP v0.5.11
Suricata Configuration:
AF_PACKET support: yes
PF_RING support: no
NFQueue support: no
IPFW support: no
DAG enabled: no
Napatech enabled: no
Unix socket enabled: no
Detection enabled: yes
libnss support: no
libnspr support: no
libjansson support: no
Prelude support: no
PCRE jit: no
libluajit: no
libgeoip: no
Non-bundled htp: no
Old barnyard2 support: no
CUDA enabled: no
Suricatasc install: yes
Unit tests enabled: no
Debug output enabled: no
Debug validation enabled: no
Profiling enabled: no
Profiling locks enabled: no
Coccinelle / spatch: no
Generic build parameters:
Installation prefix (--prefix): /usr
Configuration directory (--sysconfdir): /etc/suricata/
Log directory (--localstatedir) : /var/log/suricata/
Host: x86_64-unknown-linux-gnu
GCC binary: gcc
GCC Protect enabled: no
GCC march native enabled: yes
GCC Profile enabled: no
2.0 release (also not working):
-------------------------------------------
# suricata-2.0/src/suricata --build-info
This is Suricata version 2.0 RELEASE
Features: PCAP_SET_BUFF LIBPCAP_VERSION_MAJOR=1 AF_PACKET HAVE_PACKET_FANOUT LIBCAP_NG LIBNET1.1 HAVE_HTP_URI_NORMALIZE_HOOK HAVE_NSS HAVE_LIBJANSSON
SIMD support: SSE_3
Atomic intrisics: 1 2 4 8 16 byte(s)
64-bits, Little-endian architecture
GCC version 4.4.7 20120313 (Red Hat 4.4.7-4), C version 199901
L1 cache line size (CLS)=64
compiled with LibHTP v0.5.10, linked against LibHTP v0.5.10
Suricata Configuration:
AF_PACKET support: yes
PF_RING support: no
NFQueue support: no
IPFW support: no
DAG enabled: no
Napatech enabled: no
Unix socket enabled: yes
Detection enabled: yes
libnss support: yes
libnspr support: yes
libjansson support: yes
Prelude support: no
PCRE jit: no
libluajit: no
libgeoip: no
Non-bundled htp: no
Old barnyard2 support: no
CUDA enabled: no
Suricatasc install: yes
Unit tests enabled: no
Debug output enabled: no
Debug validation enabled: no
Profiling enabled: no
Profiling locks enabled: no
Coccinelle / spatch: yes
Generic build parameters:
Installation prefix (--prefix): /usr
Configuration directory (--sysconfdir): /etc/suricata/
Log directory (--localstatedir) : /var/log/suricata/
Host: x86_64-unknown-linux-gnu
GCC binary: gcc
GCC Protect enabled: no
GCC march native enabled: yes
GCC Profile enabled: no
On 05/01/2014 03:16 PM, (OISF) Martijn Schoemaker wrote:
> Hi,
>
> I have been running suricata 1.4.7 for quite some time and it's working like a charm. When I saw that suricata 2.0 supports the eve-json log format for integration with logstash I wanted to upgrade to 2.0.
>
> I downloaded the stable 2.0 release, built it and all seemed to run fine. However, I noticed the http.log was no longer modified. Further investigation showed that all http event matching, http logging (http-log and eve http log) was no longer working. I started out with the exact same config as the working 1.4.7 release, then modified the 2.0 config accordingly but it just won't work.
>
> I also noticed it now includes libhtp 0.5.10 instead of 0.2 so I tried to build against 0.2 but that's not supported. I also built the git current release (libhtp 0.5.11), but still no go. Strange thing is that http events are also no longer matched. I run on a machine which is connected to a monitor port so it cannot be checksum offloading (I also manually disabled it on the interface and disabled checksum checking in the suricata config, but all to no avail).
>
> Whenever I revert to the 1.4.7 release everything works again.
>
> So I have a big suspicion that either I'm doing something terribly wrong, or the libhtp 0.5 release is not working correctly anymore.
>
> Is there anyone who observed the same issue?
>
> Regards,
> Martijn Schoemaker
>
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> OISF: http://www.openinfosecfoundation.org/
>
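The mail quotes three `--build-info` dumps, and the useful first step when one build logs HTTP and another does not is to diff them mechanically rather than by eye. The script below is an added example written for this page, not code from the thread or from the Suricata project: it parses the build-info format into the version string, the `Features:` token set, the compiled/linked libhtp versions and the configuration key/value table, then reports what changed between a working and a non-working build. The two inline samples are constructed, trimmed copies of the 1.4.7 and 2.0 release dumps quoted above; `parse_build_info`, `diff_build_info` and `htp_mismatch` are names chosen here.

```python
"""Diff two Suricata --build-info dumps to see what changed between builds."""
import re

# Constructed samples: trimmed copies of the 1.4.7 (working) and 2.0 (not
# working) build-info output quoted in the mail, indented as Suricata prints it.
WORKING_147 = """\
This is Suricata version 1.4.7 RELEASE
Features: PCAP_SET_BUFF LIBPCAP_VERSION_MAJOR=1 AF_PACKET HAVE_PACKET_FANOUT LIBNET1.1 HAVE_HTP_URI_NORMALIZE_HOOK HAVE_HTP_TX_GET_RESPONSE_HEADERS_RAW
64-bits, Little-endian architecture
compiled with libhtp 0.2.14, linked against 0.2.14
Suricata Configuration:
  AF_PACKET support:          yes
  Unix socket enabled:        no
  libnss support:             no
  libjansson support:         no
  Non-bundled htp:            no
  GCC march native enabled:   yes
Generic build parameters:
  Installation prefix (--prefix): /usr
"""

BROKEN_20 = """\
This is Suricata version 2.0 RELEASE
Features: PCAP_SET_BUFF LIBPCAP_VERSION_MAJOR=1 AF_PACKET HAVE_PACKET_FANOUT LIBCAP_NG LIBNET1.1 HAVE_HTP_URI_NORMALIZE_HOOK HAVE_NSS HAVE_LIBJANSSON
64-bits, Little-endian architecture
compiled with LibHTP v0.5.10, linked against LibHTP v0.5.10
Suricata Configuration:
  AF_PACKET support:          yes
  Unix socket enabled:        yes
  libnss support:             yes
  libjansson support:         yes
  Non-bundled htp:            no
  GCC march native enabled:   yes
Generic build parameters:
  Installation prefix (--prefix): /usr
"""

VERSION_RE = re.compile(r"^This is Suricata version (\S+)")
# Handles both spellings seen on the page: "libhtp 0.2.14" and "LibHTP v0.5.10".
HTP_RE = re.compile(
    r"compiled with libhtp v?([\d.]+), linked against (?:libhtp v?)?([\d.]+)",
    re.IGNORECASE,
)
# "key: value" lines; a header such as "Generic build parameters:" has no value
# and is skipped.
KV_RE = re.compile(r"^\s*(.+?)\s*:\s*(\S.*?)\s*$")


def parse_build_info(text):
    """Return version, feature set, libhtp versions and config table."""
    info = {"version": None, "features": set(), "htp_compiled": None,
            "htp_linked": None, "config": {}}
    in_config = False
    for line in text.splitlines():
        stripped = line.strip()
        m = VERSION_RE.match(stripped)
        if m:
            info["version"] = m.group(1)
            continue
        if stripped.startswith("Features:"):
            info["features"] = set(stripped[len("Features:"):].split())
            continue
        m = HTP_RE.search(stripped)
        if m:
            info["htp_compiled"], info["htp_linked"] = m.group(1), m.group(2)
            continue
        if stripped == "Suricata Configuration:":
            in_config = True
            continue
        if in_config:
            m = KV_RE.match(stripped)
            if m:
                info["config"][m.group(1)] = m.group(2)
    return info


def htp_mismatch(info):
    """True when the binary was compiled against one libhtp but runs another."""
    return info["htp_compiled"] != info["htp_linked"]


def diff_build_info(old, new):
    """Summarise what differs between a working (old) and a broken (new) build."""
    keys = sorted(set(old["config"]) | set(new["config"]))
    return {
        "version": (old["version"], new["version"]),
        "libhtp": (old["htp_compiled"], new["htp_compiled"]),
        "features_removed": sorted(old["features"] - new["features"]),
        "features_added": sorted(new["features"] - old["features"]),
        "config_changed": {k: (old["config"].get(k), new["config"].get(k))
                           for k in keys
                           if old["config"].get(k) != new["config"].get(k)},
    }


if __name__ == "__main__":
    report = diff_build_info(parse_build_info(WORKING_147),
                             parse_build_info(BROKEN_20))
    for key, value in report.items():
        print(f"{key}: {value}")
```

On the samples above the diff surfaces the three things worth checking first: the libhtp jump from 0.2.14 to 0.5.x, the `HAVE_HTP_TX_GET_RESPONSE_HEADERS_RAW` feature token that only the 1.4.7 build advertises, and the configure-time options (unix socket, libnss, libjansson) that were enabled for the 2.0 build only. The script does not decide which of these explains the missing HTTP logs; it narrows the comparison so the remaining investigation (config file, rule files, a pcap replay against each binary) starts from a concrete list.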