[Oisf-users] How to alert for a single TCP packet?

Lucas Augusto Mota de Alcantara lama2 at cin.ufpe.br
Mon Nov 25 00:08:13 UTC 2019


Hello everyone,

I'm running Suricata with a pcap file as input to test some rules at
detecting a specific packet. The problem is that when the input pcap file
has only the packet I'm interested in, Suricata doesn't alert anything; it
only alerts when the input file has the whole TCP stream. I tried to
include flow: stateless, flow: no_stream and some other flow option values
in the rule, but it didn't change the result. What should I do?

Another point is that even with the whole TCP stream, Suricata only alerts
when one specific content option in the rule has the http_uri modifier.

This is the rule that works with the whole TCP stream:

    alert tcp any any -> any any (msg:"Testing rule 0"; content: "GET "; content: "/cron.php?"; content: "include_path="; http_uri; content: "../"; sid:1099019;)

If I remove the http_uri, it stops alerting. Why?
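The following is an added example for this thread, not code from the original post or from the Suricata project. It builds two test captures from the standard library alone: one that contains the three-way handshake followed by the HTTP request, and one that contains only the request segment, so both can be replayed with `suricata -r` against the rule above. Suricata's stream engine normally needs to see the handshake before it tracks a TCP flow (the `stream.midstream` setting in suricata.yaml changes that), and HTTP buffers such as `http_uri` are only filled from a tracked flow; a lone data packet gives the engine nothing to build that flow from. The IP and MAC addresses, ports, initial sequence numbers and the request line are constructed sample values.

```python
"""Write pcaps for testing a Suricata HTTP rule: handshake + request vs. request only.

Added example for the thread, not from the original post or the Suricata
project.  All addresses, ports, sequence numbers and the request are
constructed sample values.
"""
import struct
import time

CLIENT_IP, SERVER_IP = "10.0.0.10", "10.0.0.20"      # constructed
CLIENT_PORT, SERVER_PORT = 40000, 80                 # constructed
CLIENT_MAC = bytes.fromhex("020000000001")           # constructed
SERVER_MAC = bytes.fromhex("020000000002")           # constructed
CLIENT_ISN, SERVER_ISN = 1000, 5000                  # constructed
# Constructed request carrying the strings the thread's rule looks for.
HTTP_REQUEST = (b"GET /cron.php?include_path=../lib HTTP/1.1\r\n"
                b"Host: example.test\r\n\r\n")

FIN, SYN, PSH, ACK = 0x01, 0x02, 0x08, 0x10


def _ip(addr):
    return bytes(int(octet) for octet in addr.split("."))


def _checksum(data):
    """RFC 1071 ones'-complement sum over 16-bit words (pads odd length)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _tcp(src, dst, sport, dport, seq, ack, flags, payload=b""):
    """TCP segment with a valid checksum computed over the IPv4 pseudo-header."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags,
                      65535, 0, 0)
    pseudo = _ip(src) + _ip(dst) + struct.pack("!BBH", 0, 6,
                                               len(hdr) + len(payload))
    csum = _checksum(pseudo + hdr + payload)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:] + payload


def _frame(src_mac, dst_mac, src, dst, ident, segment):
    """Ethernet II frame wrapping an IPv4 packet (DF set, TTL 64) around a segment."""
    iphdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(segment), ident,
                        0x4000, 64, 6, 0, _ip(src), _ip(dst))
    iphdr = iphdr[:10] + struct.pack("!H", _checksum(iphdr)) + iphdr[12:]
    return dst_mac + src_mac + b"\x08\x00" + iphdr + segment


def build_packets(with_handshake=True):
    """Frames for SYN, SYN/ACK, ACK and the request; or the request alone."""
    c2s = (CLIENT_MAC, SERVER_MAC, CLIENT_IP, SERVER_IP)
    s2c = (SERVER_MAC, CLIENT_MAC, SERVER_IP, CLIENT_IP)
    frames = []
    if with_handshake:
        frames.append(_frame(*c2s, 1, _tcp(CLIENT_IP, SERVER_IP, CLIENT_PORT,
                      SERVER_PORT, CLIENT_ISN, 0, SYN)))
        frames.append(_frame(*s2c, 1, _tcp(SERVER_IP, CLIENT_IP, SERVER_PORT,
                      CLIENT_PORT, SERVER_ISN, CLIENT_ISN + 1, SYN | ACK)))
        frames.append(_frame(*c2s, 2, _tcp(CLIENT_IP, SERVER_IP, CLIENT_PORT,
                      SERVER_PORT, CLIENT_ISN + 1, SERVER_ISN + 1, ACK)))
    frames.append(_frame(*c2s, 3, _tcp(CLIENT_IP, SERVER_IP, CLIENT_PORT,
                  SERVER_PORT, CLIENT_ISN + 1, SERVER_ISN + 1, PSH | ACK,
                  HTTP_REQUEST)))
    return frames


def to_pcap(frames, start=None):
    """Serialise frames as a classic little-endian pcap, link type Ethernet."""
    ts = int(start if start is not None else time.time())
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for i, frame in enumerate(frames):
        # one millisecond between packets keeps the ordering unambiguous
        out.append(struct.pack("<IIII", ts, i * 1000, len(frame), len(frame)))
        out.append(frame)
    return b"".join(out)


def ipv4_checksum_ok(frame):
    """True when the IPv4 header checksum inside an Ethernet frame verifies."""
    return _checksum(frame[14:34]) == 0


if __name__ == "__main__":
    with open("with_handshake.pcap", "wb") as fh:
        fh.write(to_pcap(build_packets(True)))
    with open("request_only.pcap", "wb") as fh:
        fh.write(to_pcap(build_packets(False)))
```

Running the script writes `with_handshake.pcap` and `request_only.pcap`; replaying each with `suricata -r <file> -S <rule file>` and comparing fast.log shows whether the handshake alone accounts for the difference, independently of the rule's content options.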