Project

General

Profile

Actions

Bug #184

closed

Inconsistent timestamps and logged packets for http based alerts.

Added by Will Metcalf over 14 years ago. Updated over 14 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

src/suricata -r /pcaps/tests/suricata27.pcap -s /testscripts/suricata27.rules -l ./ -c suricata.yaml

The packet that gets logged is this one..

================
TIME: 10/16/09-16:44:16.108951
PCAP PKT NUM: 3
ALERT CNT: 1
ALERT MSG [00]: msg escape tests wxy'"\;:
ALERT GID [00]: 1
ALERT SID [00]: 100
ALERT REV [00]: 0
ALERT CLASS [00]: (null)
ALERT PRIO [00]: 3
SRC IP: 192.168.2.3
DST IP: 208.69.36.231
PROTO: 6
SRC PORT: 37010
DST PORT: 80
TCP SEQ: 1567227342
TCP ACK: 1130989795
FLOW: to_server: TRUE, to_client FALSE
PACKET LEN: 66
PACKET:
0000 00 04 76 D3 D8 6A 00 24 E8 29 FA 4F 08 00 45 00 ..v..j.$ .).O..E.
0010 00 34 A0 C0 40 00 40 06 E2 2B C0 A8 02 03 D0 45 .4.... .
.....E
0020 24 E7 90 92 00 50 5D 69 FD CE 43 69 88 E3 80 10 $....P]i ..Ci....
0030 00 2E BA B3 00 00 01 01 08 0A 01 F1 5D 79 A5 71 ........ ....]y.q
0040 46 C0 F.

The packet that should be logged is this one...

+================
TIME: 10/16/09-16:44:16.109042
PCAP PKT NUM: 4
ALERT CNT: 1
ALERT MSG [00]: msg escape tests wxy'"\;:
ALERT GID [00]: 1
ALERT SID [00]: 100
ALERT REV [00]: 0
ALERT CLASS [00]: (null)
ALERT PRIO [00]: 3
SRC IP: 192.168.2.3
DST IP: 208.69.36.231
PROTO: 6
SRC PORT: 37010
DST PORT: 80
TCP SEQ: 1567227342
TCP ACK: 1130989795
FLOW: to_server: TRUE, to_client FALSE
PACKET LEN: 173
PACKET:
0000 00 04 76 D3 D8 6A 00 24 E8 29 FA 4F 08 00 45 00 ..v..j.$ .).O..E.
0010 00 9F A0 C1 40 00 40 06 E1 BF C0 A8 02 03 D0 45 ...... .......E
0020 24 E7 90 92 00 50 5D 69 FD CE 43 69 88 E3 80 18 $....P]i ..Ci....
0030 00 2E B8 69 00 00 01 01 08 0A 01 F1 5D 79 A5 71 ...i.... ....]y.q
0040 46 C0 47 45 54 20 2F 62 6C 61 68 2F 20 48 54 54 F.GET /b lah/ HTT
0050 50 2F 31 2E 30 0D 0A 55 73 65 72 2D 41 67 65 6E P/1.0..U ser-Agen
0060 74 3A 20 57 67 65 74 2F 31 2E 31 31 2E 34 0D 0A t: Wget/ 1.11.4..
0070 41 63 63 65 70 74 3A 20 2A 2F 2A 0D 0A 48 6F 73 Accept: */*..Hos
0080 74 3A 20 77 77 77 2E 67 6F 6F 67 6C 65 2E 63 6F t: www.g oogle.co
0090 6D 0D 0A 43 6F 6E 6E 65 63 74 69 6F 6E 3A 20 4B m..Conne ction: K
00A0 65 65 70 2D 41 6C 69 76 65 0D 0A 0D 0A eep-Aliv e....


Files

suricata27.rules (147 Bytes) suricata27.rules suricata test 27 rules file Will Metcalf, 06/21/2010 03:47 PM
suricata27.pcap (6.14 KB) suricata27.pcap suricata test 27 pcap Will Metcalf, 06/21/2010 03:47 PM
Actions

Also available in: Atom PDF