Support #1890
Closed
Suricata doesn't intercept HTTP traffic with content size > 773 bytes
Description
Suricata doesn't intercept HTTP traffic with a content size > 773 bytes; it also doesn't log it, and no rules work on it.
Sample of a request which Suricata "sees":
POST /site/index.php/admin/pages/update/ HTTP/1.1 Host: test.test User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0 Accept: **/** Accept-Language: ru-RU,ru;q=0.8,en-US;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate Referer: http://test.test/site/index.php/admin/pages/add/0/ Cookie: bigtree_admin[email]=test%40test; bigtree_admin[login]=%5B%22session-57d952c595a234.11790882%22%2C%22chain-57d922277a2ab9.37400245%22%5D; PHPSESSID=advu78fpbhdlj8njh8dsiq80p4; hide_bigtree_bar=; bigtree_admin%5Bpage_properties_open%5D=on Content-Type: multipart/form-data; boundary=b788b047b8e345b792cdc1f81fef2106 Content-Length: *773* Connection: close Cache-Control: max-age=0 --b788b047b8e345b792cdc1f81fef2106 1111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111 --b788b047b8e345b792cdc1f81fef2106-- <end>
The following was written to http.log:
09/15/2016-16:43:28.023114 test.test [**] /site/index.php/admin/pages/update/ [**] Mozilla/5.0 (Windows NT 6.1; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0 [**] http://test.test/site/index.php/admin/pages/add/0/ [**] POST [**] HTTP/1.1 [**] 302 => http://test.test/site/index.php/admin/pages/add/0/ [**] 0 bytes [**] 10.1.1.1:61062 -> 10.1.1.2:80
Sample of a request which Suricata does *NOT* "see":
POST /site/index.php/admin/pages/update/ HTTP/1.1 Host: test.test User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0 Accept: **/** Accept-Language: ru-RU,ru;q=0.8,en-US;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate Referer: http://test.test/site/index.php/admin/pages/add/0/ Cookie: bigtree_admin[email]=test%40test; bigtree_admin[login]=%5B%22session-57d952c595a234.11790882%22%2C%22chain-57d922277a2ab9.37400245%22%5D; PHPSESSID=advu78fpbhdlj8njh8dsiq80p4; hide_bigtree_bar=; bigtree_admin%5Bpage_properties_open%5D=on Content-Type: multipart/form-data; boundary=b788b047b8e345b792cdc1f81fef2106 Content-Length: *774* Connection: close Cache-Control: max-age=0 --b788b047b8e345b792cdc1f81fef2106 11111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111 --b788b047b8e345b792cdc1f81fef2106-- <end>
Nothing in http.log!
Files
Updated by Roman Gavrilchenko over 7 years ago
The version of Suricata is 3.1.1 RELEASE
Updated by Peter Manev over 7 years ago
I cannot reproduce your issue with the pcap provided.
I have tried 3.1.1 and latest git master. With the following test rule -
alert http any any -> any any (msg:"http header test"; content:"POST"; http_method; content:"SELECT"; sid:1;)
When I run -
suricata -S test.rule -r tcp.dump -l log/
I get the following alert -
{"timestamp":"2016-09-14T17:19:03.751812+0200","flow_id":1852470959,"pcap_cnt":7,"event_type":"alert","src_ip":"10.1.1.1","src_port":53455,"dest_ip":"10.1.1.2","dest_port":80,"proto":"TCP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":1,"rev":0,"signature":"http header test","category":"","severity":3},"http":{"hostname":"test.test","url":"\/site\/index.php\/admin\/pages\/update\/","http_user_agent":"Mozilla\/5.0 (Windows NT 6.1; WOW64; rv:43.0) Gecko\/20100101 Firefox\/43.0","http_content_type":"text\/html","http_method":"POST","protocol":"HTTP\/1.1","status":302,"redirect":"http:\/\/test.test\/site\/index.php\/admin\/pages\/view-tree\/\/","length":2535},"payload":"…","payload_printable":"POST \/site\/index.php\/admin\/pages\/update\/ HTTP\/1.1\r\nHost: test.test\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64; rv:43.0) Gecko\/20100101 Firefox\/43.0\r\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8\r\nAccept-Language: ru-RU,ru;q=0.8,en-US;q=0.5,en;q=0.3\r\nAccept-Encoding: gzip, deflate\r\nCookie: bigtree_admin[email]=test%40test; bigtree_admin[login]=%5B%22session-57d952c595a234.11790882%22%2C%22chain-57d922277a2ab9.37400245%22%5D; PHPSESSID=p61c2ettk1guj9css4bn1vvrn3; hide_bigtree_bar=; bigtree_admin%5Bpage_properties_open%5D=on\r\nContent-Type: multipart\/form-data; boundary=b788b047b8e345b792cdc1f81fef2106\r\nContent-Length: 2160\r\n\r\n--b788b047b8e345b792cdc1f81fef2106\r\nContent-Disposition: form-data; name=\"MAX_FILE_SIZE\"\r\n\r\n2097152\r\n--b788b047b8e345b792cdc1f81fef2106\r\nContent-Disposition: form-data; name=\"_bigtree_post_check\"\r\n\r\nsuccess\r\n--b788b047b8e345b792cdc1f81fef2106\r\nContent-Disposition: form-data; name=\"page\"\r\n\r\n-1' OR (SELECT COUNT(*) FROM (SELECT 1 UNION SELECT 2 UNION SELECT 3)x GROUP BY CONCAT(user(),'|',version(),'|',daTabase(),'|', FLOOR(RAND(0)*2))) -- \r\n--b788b047b8e345b792cdc1f81fef2106\r\nContent-Disposition: form-data; name=\"nav_title\"\r\n\r\nThe Trees\r\n--b788b047b8e345b792cdc1f81fef2106\r\nContent-Disposition: form-data; name=\"title\"\r\n\r\nThe Trees\r\n--b788b047b8e345b792cdc1f81fef2106\r\nContent-Disposition: form-data; name=\"publish_at\"\r\n\r\n\r\n--b788b047b8e345b792cdc1f81fef2106\r\nContent-Disposition: form-data; name=\"expire_at\"\r\n\r\n\r\n--b788b047b8e345b792cdc1f81fef2106\r\nContent-Disposition: form-data; name=\"in_nav\"\r\n\r\n\r\n--b788b047b8e345b792cdc1f81fef2106\r\nContent-Disposition: form-data; name=\"redirect_lower\"\r\n\r\n\r\n--b788b047b8e345b792cdc1f81fef2106\r\nContent-Disposition: form-data; name=\"trunk\"\r\n\r\n\r\n--b788b047b8e345b792cdc1f81fef2106\r\nContent-Disposition: form-data; name=\"external\"\r\n\r\n\r\n--b788b047b8e345b792cdc1f81fef2106\r\nContent-Disposition: form-data; name=\"new_window\"\r\n\r\nYes\r\n--b788b047b8e345b792cdc1f81fef2106\r\nContent-Disposition: form-data; name=\"resources[page_header]\"\r\n\r\nThe Trees\r\n--b788b047b8e345b792cdc1f81fef2106\r\nContent-Disposition: form-data; name=\"tag_entry\"\r\n\r\n\r\n--b788b047b8e345b792cdc1f81fef2106\r\nContent-Disposition: form-data; name=\"route\"\r\n\r\ntrees\r\n--b788b047b8e345b792cdc1f81fef2106\r\nContent-Disposition: form-data; name=\"seo_invisible\"\r\n\r\n\r\n--b788b047b8e345b792cdc1f81fef2106\r\nContent-Disposition: form-data; name=\"ptype\"\r\n\r\nSave\r\n--b788b047b8e345b792cdc1f81fef2106\r\nContent-Disposition: form-data; name=\"max_age\"\r\n\r\n3\r\n--b788b047b8e345b792cdc1f81fef2106\r\nContent-Disposition: form-data; name=\"template\"\r\n\r\n\r\n--b788b047b8e345b792cdc1f81fef2106\r\nContent-Disposition: form-data; name=\"meta_keywords\"\r\n\r\n\r\n--b788b047b8e345b792cdc1f81fef2106\r\nContent-Disposition: form-data; name=\"meta_description\"\r\n\r\n\r\n--b788b047b8e345b792cdc1f81fef2106--\r\n\r\n\r\n\r\n","stream":1,"packet":"CAAn+lcqCgAnAAAZCABFAAAoPHtAAIAGqFAKAQEBCgEBAtDPAFA0uVwItBARO1AQAQBxowAAAAAAAAAA"}
Updated by Roman Gavrilchenko over 7 years ago
- File eve.json eve.json added
- File not_see.pcapng not_see.pcapng added
- File ok.pcapng ok.pcapng added
I repeated your test and got a different result (see eve.json in the attachment).
I also tried using Snort and reproduced this problem. Snort also does not see POST requests with length >= 1520 bytes (not_see.pcapng).
Log for ok.pcapng:
09/19-16:22:00.615266 [**] [1:10000004:1] TCP test333 [**] [Priority: 0] {TCP} 10.1.1.1:59569 -> 10.1.1.2:80
Rule:
alert tcp any any -> $HOME_NET any (msg:"TCP test333"; content:"POST"; sid:10000004; rev:001;)
Version of Snort: 2.9.8.3 GRE (Build 383)
Perhaps my system is not configured correctly?
Updated by Andreas Herz over 7 years ago
- Assignee set to Anonymous
- Target version set to TBD
Roman Gavrilchenko wrote:
Perhaps my system is not configured correctly?
Could you describe your system in more detail as well as your configuration?
Updated by Peter Manev over 7 years ago
- Assignee deleted (Anonymous)
- Target version deleted (TBD)
Suricata sees it. (with both provided pcaps - not_see.pcapng / ok.pcapng)
test rule -
alert http any any -> any any (msg:"http POST test"; content:"POST"; http_method; sid:666;)
{"timestamp":"2016-09-19T15:21:01.519338+0200","flow_id":45595232,"pcap_cnt":8,"event_type":"alert","src_ip":"10.1.1.1","src_port":59565,"dest_ip":"10.1.1.2","dest_port":80,"proto":"TCP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":666,"rev":0,"signature":"http POST test","category":"","severity":3},"http":{"hostname":"test.test","url":"\/site\/index.php\/admin\/pages\/update\/","http_content_type":"text\/html","http_method":"POST","protocol":"HTTP\/1.1","status":404,"length":306},"payload":"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","payload_printable":"POST \/site\/index.php\/admin\/pages\/update\/ HTTP\/1.1\r\nHost: test.test\r\nContent-Length: 1374\r\n\r\n1111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111\r\n111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111
1111111111111111111111111111111111111111111111111111111111111111\r\n\r\n\r\n\r\n","stream":1,"packet":"CAAn+lcqCgAnAAAMCABFAAAoQABAAIAGpMsKAQEBCgEBAuitAFBnr+l4IQsLqlARAP4x9gAAAAAAAAAA"}
Updated by Peter Manev over 7 years ago
I missed updating this as well: it also works with the test rule you provided, in your case (both pcaps) -
alert tcp any any -> $HOME_NET any (msg:"TCP test333"; content:"POST"; sid:10000004; rev:001;)
cmd line:
/opt/suricataqa/suri311/bin/suricata -c /etc/suricata/suricata.yaml -S test.rule -r provided-from-user/ok.pcapng -l log/ -k none
{"timestamp":"2016-09-19T15:21:01.519338+0200","flow_id":45595232,"pcap_cnt":8,"event_type":"alert","src_ip":"10.1.1.1","src_port":59565,"dest_ip":"10.1.1.2","dest_port":80,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":10000004,"rev":1,"signature":"TCP test333","category":"","severity":3},"http":{"hostname":"test.test","url":"\/site\/index.php\/admin\/pages\/update\/","http_content_type":"text\/html","http_method":"POST","protocol":"HTTP\/1.1","status":404,"length":306},"payload":"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","payload_printable":"POST \/site\/index.php\/admin\/pages\/update\/ HTTP\/1.1\r\nHost: test.test\r\nContent-Length: 1374\r\n\r\n1111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111\r\n11111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111
11111111111111111111111111111111111111111111111111111111\r\n\r\n\r\n\r\n","stream":1,"packet":"CAAn+lcqCgAnAAAMCABFAAAoQABAAIAGpMsKAQEBCgEBAuitAFBnr+l4IQsLqlARAP4x9gAAAAAAAAAA"}
Updated by Roman Gavrilchenko over 7 years ago
Andreas Herz wrote:
Could you describe your system in more detail as well as your configuration?
The system is Ubuntu 14.04, which was installed on VirtualBox 5.1.6.
Updated by Andreas Herz over 7 years ago
- Assignee set to Anonymous
- Target version set to TBD
Roman Gavrilchenko wrote:
Andreas Herz wrote:
Could you describe your system in more detail as well as your configuration?
The system is Ubuntu 14.04, which was installed on VirtualBox 5.1.6.
How did you configure it? Any relevant changes? How do you run suricata, and can you paste your config?
Updated by Roman Gavrilchenko over 7 years ago
I resolved my problem by configuring the conf file. Sorry for your time!
Updated by Victor Julien over 7 years ago
- Status changed from New to Closed
- Assignee deleted (Anonymous)
- Target version deleted (TBD)
Glad you got it figured out. Can you share what you changed to make it work? Might be helpful to others.