[Oisf-users] How to alert for a single TCP packet?
David Wharton
oisf at davidwharton.us
Mon Nov 25 16:37:45 UTC 2019
Can you share the pcaps and rules you are testing with? I can make a
pretty good guess as to what is going on but it'd be easier to explain
with the pcaps.
Thanks.
-David
On 11/24/19 7:08 PM, Lucas Augusto Mota de Alcantara wrote:
> Hello everyone,
>
> I'm running Suricata with a pcap file as input to test some rules at
> detecting a specific packet. The problem is that when the input pcap
> file has only the packet I'm interested in, Suricata doesn't alert
> anything; it only alerts when the input file has the whole TCP stream.
> I tried to include flow: stateless, flow: no_stream and some other
> flow option values in the rule, but it didn't change the result. What
> should I do?
>
> Another point is that even with the whole TCP stream, Suricata only
> alerts when one specific content option in the rule has the http_uri
> modifier.
>
> This is the rule that works with the whole TCP stream:
> alert tcp any any -> any any (msg:"Testing rule 0"; content: "GET "; content: "/cron.php?"; content: "include_path="; http_uri; content: "../"; sid:1099019;)
>
> If I remove the http_uri, it stops alerting. Why?
>