[Oisf-users] How to alert for a single TCP packet?

David Wharton oisf at davidwharton.us
Mon Nov 25 16:37:45 UTC 2019

Can you share the pcaps and rules you are testing with?  I can make a 
pretty good guess as to what is going on but it'd be easier to explain 
with the pcaps.



On 11/24/19 7:08 PM, Lucas Augusto Mota de Alcantara wrote:
> Hello everyone,
> I'm running Suricata with a pcap file as input to test some rules at 
> detecting a specific packet. The problem is that when the input pcap 
> file has only the packet i'm interested in, Suricata doesn't alert 
> anything, it only alerts when the input file has the whole tcp stream. 
> I tried to include flow: stateless, flow: no_stream and some other 
> flow option values to the rule, but it didn't change the result. What 
> should i do?
> Another point is that even with the whole tcp stream, suricata only 
> alerts when one specific content option in the rule has the http_uri 
> modifier.
> This is the rule that works with the whole tcp stream:
> alert tcp any any -> any any (msg:"Testing rule 0"; content: "GET "; 
> content: "/cron.php?"; content: "include_path="; http_uri; content: 
> "../"; sid:1099019;)
> If i remove the http_uri, it stops alerting. Why?
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> Conference: https://suricon.net
> Trainings: https://suricata-ids.org/training/
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20191125/fab08389/attachment.html>

More information about the Oisf-users mailing list