[Oisf-users] How to alert for a single TCP packet?

Eric Urban eurban at umn.edu
Mon Nov 25 17:14:39 UTC 2019


For your first concern, about the pcap only having the single packet vs. the
stream: do you have the stream.midstream option set to true in your config?

https://suricata.readthedocs.io/en/suricata-4.1.5/configuration/suricata-yaml.html#stream-engine

-- 
Eric Urban
University Information Security | Office of Information Technology |
it.umn.edu
University of Minnesota | umn.edu
eurban at umn.edu

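As an added illustration (not part of any message in this thread), here is the stream-engine section of suricata.yaml as it ships in Suricata 4.1, followed by the same section with the two settings changed that matter when a test pcap does not contain the TCP three-way handshake. The values in the first document are the 4.1 defaults; the rule file name, pcap name and log directory mentioned in the usage note are assumptions for the sake of the example.

```yaml
# Added example, not from the thread. Document 1: Suricata 4.1 defaults.
# With midstream: false the stream engine only tracks a TCP session it has
# seen from the SYN onwards, so a pcap that holds one data packet and no
# handshake is never handed to the HTTP parser, and nothing alerts.
stream:
  memcap: 64mb
  checksum-validation: yes      # packets with bad checksums are not tracked
  inline: auto                  # inline mode only when running as IPS
  midstream: false              # default: no session pickup without a handshake
  async-oneside: false          # default: both directions of the flow expected
  reassembly:
    memcap: 256mb
    depth: 1mb                  # reassemble up to 1mb per stream
    toserver-chunk-size: 2560
    toclient-chunk-size: 2560
---
# Document 2: the same section adjusted for a single-packet (or one-sided) pcap.
# Only midstream and async-oneside change; everything else keeps its default.
stream:
  memcap: 64mb
  checksum-validation: yes      # set to no (or run with -k none) if the test
                                # packet was crafted and has a wrong checksum
  inline: auto
  midstream: true               # pick the session up from the first data packet
  async-oneside: true           # accept flows where only one side was captured
  reassembly:
    memcap: 256mb
    depth: 1mb
    toserver-chunk-size: 2560
    toclient-chunk-size: 2560
```

To try the setting without editing the file, the same override can be given on the command line, e.g. `suricata -r single.pcap -S test.rules -l ./log --set stream.midstream=true` (file names assumed). Two caveats worth checking before concluding a rule is wrong: `checksum-validation: yes` silently drops crafted packets with bad checksums from stream tracking, so either fix the checksums or pass `-k none`; and `http_uri` inspects the normalized URI buffer produced by the HTTP parser, so it can only fire once the flow has been picked up and the request has been parsed, whereas a bare `content:` without a buffer modifier is matched against the raw packet payload or reassembled stream.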

On Mon, Nov 25, 2019 at 10:37 AM David Wharton <oisf at davidwharton.us> wrote:

> Can you share the pcaps and rules you are testing with?  I can make a
> pretty good guess as to what is going on but it'd be easier to explain with
> the pcaps.
>
> Thanks.
>
> -David
> On 11/24/19 7:08 PM, Lucas Augusto Mota de Alcantara wrote:
>
> Hello everyone,
>
> I'm running Suricata with a pcap file as input to test some rules for
> detecting a specific packet. The problem is that when the input pcap file
> has only the packet I'm interested in, Suricata doesn't alert on anything; it
> only alerts when the input file has the whole TCP stream. I tried to
> include flow: stateless, flow: no_stream and some other flow option values
> in the rule, but it didn't change the result. What should I do?
>
> Another point is that even with the whole TCP stream, Suricata only alerts
> when one specific content option in the rule has the http_uri modifier.
>
> This is the rule that works with the whole tcp stream:
> alert tcp any any -> any any (msg:"Testing rule 0"; content:"GET "; content:"/cron.php?"; content:"include_path="; http_uri; content:"../"; sid:1099019;)
>
> If I remove the http_uri, it stops alerting. Why?
>
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>
> Conference: https://suricon.net
> Trainings: https://suricata-ids.org/training/
>