[Oisf-users] How to alert for a single TCP packet?
David Wharton
oisf at davidwharton.us
Mon Nov 25 17:26:29 UTC 2019
http_uri is a stream keyword; without the three-way handshake, the
buffer won't be populated and inspected (unless stream.midstream is set
to true).
Also, I don't see the string "../" in the pcaps, so the attached rules
will never match. Realize too that the http_uri buffer is normalized, so
if you try to match "../" in that buffer (you aren't in the provided
rules), it will likely be normalized out and not match.
-David
On 11/25/19 12:14 PM, Eric Urban wrote:
> For your first concern about the pcap only having the single packet vs
> the stream, do you have the stream.midstream option set to true in your
> config?
>
> https://suricata.readthedocs.io/en/suricata-4.1.5/configuration/suricata-yaml.html#stream-engine
>
> --
> Eric Urban
> University Information Security | Office of Information Technology |
> it.umn.edu
> University of Minnesota | umn.edu
> eurban at umn.edu
>
>
> On Mon, Nov 25, 2019 at 10:37 AM David Wharton <oisf at davidwharton.us>
> wrote:
>
> Can you share the pcaps and rules you are testing with? I can
> make a pretty good guess as to what is going on but it'd be easier
> to explain with the pcaps.
>
> Thanks.
>
> -David
>
> On 11/24/19 7:08 PM, Lucas Augusto Mota de Alcantara wrote:
>> Hello everyone,
>>
>> I'm running Suricata with a pcap file as input to test some rules
>> at detecting a specific packet. The problem is that when the
>> input pcap file has only the packet I'm interested in, Suricata
>> doesn't alert on anything; it only alerts when the input file has
>> the whole TCP stream. I tried adding flow: stateless, flow:
>> no_stream and some other flow option values to the rule, but it
>> didn't change the result. What should I do?
>>
>> Another point is that even with the whole TCP stream, Suricata
>> only alerts when one specific content option in the rule has the
>> http_uri modifier.
>>
>> This is the rule that works with the whole TCP stream:
>> alert tcp any any -> any any (msg:"Testing rule 0"; content: "GET "; content: "/cron.php?"; content: "include_path="; http_uri; content: "../"; sid:1099019;)
>>
>> If I remove the http_uri, it stops alerting. Why?
>>
>> _______________________________________________
>> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
>> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>>
>> Conference: https://suricon.net
>> Trainings: https://suricata-ids.org/training/
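As an added illustration of the setting both replies point at (this fragment is written for this page and is not code from the thread or from the Suricata project), here are the two `stream` sections side by side: the sensor default, under which a pcap holding a single mid-session TCP packet never fills the reassembled stream or the http_uri buffer, and the rule-testing variant with `midstream` switched on. The values other than `midstream` are assumed to be the stock defaults shipped in suricata.yaml; check them against your own build. The two documents are alternatives to choose between, not one file to load as-is.

```yaml
# Added example, not from the thread: the "stream" section of suricata.yaml.
# Sensor configuration: a TCP session is only tracked from its SYN, so a
# lone packet captured mid-session is never reassembled, the HTTP parser
# never runs on it, and a rule using http_uri has no buffer to inspect.
stream:
  memcap: 64mb
  checksum-validation: yes
  inline: auto
  midstream: false          # default: ignore sessions without a 3-way handshake
  async-oneside: false      # default: require both directions of the session
  reassembly:
    memcap: 256mb
    depth: 1mb
---
# Rule-testing configuration for replaying a single captured request:
# pick the session up midstream so the request reaches the HTTP parser
# and the http_uri buffer is populated for the rule under test.
stream:
  memcap: 64mb
  checksum-validation: yes
  inline: auto
  midstream: true           # accept a session even though the handshake is absent
  async-oneside: false
  reassembly:
    memcap: 256mb
    depth: 1mb
```

For a one-off test run the same switch can be passed on the command line with `--set stream.midstream=true` instead of editing the file; keep the sensor's own config at the default, since tracking midstream sessions changes what the engine has to reassemble in production. Note that this only addresses the first problem in the thread: a content match still needs its string to actually be present in the capture, and in the posted rule the final `content: "../"` is a raw match, because the http_uri modifier applies only to the content that precedes it.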