[Oisf-users] HTTP Parsing on partial PCAP
Victor Julien
lists at inliniac.net
Wed Mar 29 18:43:45 UTC 2017
On 29-03-17 18:55, secres at linuxmail.org wrote:
> Today I was trying to create a rule to detect some HTTP activity using a
> PCAP. I've done this without issue before but anytime I tried to use
> HTTP_URI, or any HTTP_ buffer the signature would fail. I also created a
> quick luajit script to print out the payload and it would contain the
> entire URI, HEADERS and BODY. If I used http.request_body it wouldn't
> contain anything. The only thing different from this pcap to some of
> the others I've used is that it's a partial pcap in that it doesn't
> contain the 3-way handshake to the server. Is there a command line
> option or config change to ignore the 3-way handshake and parse
> everything into the proper buffers or is there another issue?
--set stream.midstream=true
>> /opt/suricata/bin/suricata -V
> This is Suricata version 3.2beta1 RELEASE
Please upgrade to 3.2.1.
Cheers,
Victor
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Spark v1.1";
> content:"loading.php"; http_uri; content:"Spark v1.1"; http_header;
> luajit:myscript.lua; sid:11223344; rev:1;)
>
> myscript.lua
> -- init: tell Suricata which buffers the script needs (only the packet payload)
> function init (args)
>     local needs = {}
>     needs["payload"] = tostring(true)
>     return needs
> end
>
> -- match: return 1 when the payload contains the marker string, otherwise 0
> function match(args)
>     local a = tostring(args["payload"])
>     if #a > 0 then
>         -- plain search (4th argument true) so the "." in "v1.1" is not a pattern wildcard
>         if a:find("Spark v1.1", 1, true) then
>             print(a)
>             return 1
>         end
>     end
>     return 0
> end
>
>
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>
--
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
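Added example, not part of the thread above and not Suricata code: a small Python model of the behaviour Victor's one-line answer relies on. Without midstream pickup a stream engine only creates a TCP session when it sees a SYN, so a capture that starts in the middle of a connection never reaches the HTTP parser and the http_uri / http_header buffers stay empty, while a per-packet payload match (what the luajit script was looking at) still succeeds. The flow key, the flag strings, the HTTP request and the two captures are all constructed for the illustration; in a real deployment the equivalent of `--set stream.midstream=true` is `stream: midstream: true` in suricata.yaml.

```python
"""Toy stream engine: why HTTP buffers are empty on a partial PCAP unless midstream is on.

Constructed illustration only; it is not the Suricata stream engine or HTTP parser.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Flow = Tuple[str, int, str, int]


@dataclass
class Segment:
    flow: Flow          # (src, sport, dst, dport), constructed
    flags: str          # constructed TCP flag letters, e.g. "S", "PA"
    payload: bytes = b""


@dataclass
class HttpBuffers:
    uri: bytes
    headers: bytes
    body: bytes


class StreamEngine:
    """Tracks client-to-server TCP sessions and reassembles their payload."""

    def __init__(self, midstream: bool):
        self.midstream = midstream
        self.sessions: Dict[Flow, bytearray] = {}

    def feed(self, seg: Segment) -> None:
        if seg.flow not in self.sessions:
            if "S" in seg.flags:
                # normal case: session starts with the SYN of the 3-way handshake
                self.sessions[seg.flow] = bytearray()
            elif self.midstream and seg.payload:
                # midstream pickup: accept an established session whose SYN was never seen
                self.sessions[seg.flow] = bytearray()
            else:
                # untracked session: never handed to the app-layer parser
                return
        self.sessions[seg.flow] += seg.payload


def parse_http_request(data: bytes) -> Optional[HttpBuffers]:
    """Split a reassembled request into the uri / header / body buffers."""
    head, sep, body = data.partition(b"\r\n\r\n")
    if not sep:
        return None
    request_line, _, headers = head.partition(b"\r\n")
    parts = request_line.split(b" ")
    if len(parts) != 3:
        return None
    return HttpBuffers(uri=parts[1], headers=headers, body=body)


def inspect(midstream: bool, segments: List[Segment]) -> Dict[Flow, Optional[HttpBuffers]]:
    eng = StreamEngine(midstream)
    for seg in segments:
        eng.feed(seg)
    return {flow: parse_http_request(bytes(data)) for flow, data in eng.sessions.items()}


def http_rule_matches(buffers: Optional[HttpBuffers]) -> bool:
    """Mimics: content:"loading.php"; http_uri; content:"Spark v1.1"; http_header;"""
    return (buffers is not None
            and b"loading.php" in buffers.uri
            and b"Spark v1.1" in buffers.headers)


def payload_rule_matches(segments: List[Segment]) -> bool:
    """Mimics the luajit script: a plain search over each packet's raw payload."""
    return any(b"Spark v1.1" in seg.payload for seg in segments)


# Constructed captures of the same request, one with and one without the handshake.
FLOW: Flow = ("10.0.0.5", 49152, "203.0.113.7", 80)
REQUEST_PART1 = b"GET /loading.php HTTP/1.1\r\nHost: example.test\r\nUser-Agent: Spark v1.1\r\n"
REQUEST_PART2 = b"Content-Length: 4\r\n\r\nabcd"
PARTIAL_CAPTURE = [Segment(FLOW, "PA", REQUEST_PART1), Segment(FLOW, "PA", REQUEST_PART2)]
FULL_CAPTURE = [Segment(FLOW, "S")] + PARTIAL_CAPTURE


def http_rule_fires(midstream: bool, capture: List[Segment]) -> bool:
    return http_rule_matches(inspect(midstream, capture).get(FLOW))


if __name__ == "__main__":
    print("partial pcap, midstream=false:", http_rule_fires(False, PARTIAL_CAPTURE))
    print("partial pcap, midstream=true :", http_rule_fires(True, PARTIAL_CAPTURE))
    print("full pcap,    midstream=false:", http_rule_fires(False, FULL_CAPTURE))
    print("payload match on partial pcap:", payload_rule_matches(PARTIAL_CAPTURE))
```

The payload-based check fires on the partial capture either way, which is exactly the symptom described in the question: the raw packet payload is inspectable without a tracked session, but the HTTP buffers only exist once the stream engine has picked the session up.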