Bug #192

False Negatives when processing the attached pcaps and rules containing http traffic.

Added by Will Metcalf almost 4 years ago. Updated almost 4 years ago.

Status: Closed
Start date: 06/28/2010
Priority: Normal
Due date: 06/29/2010
Assignee: Pablo Rincon
% Done: 100%
Category: -
Estimated time: 4.00 hours
Target version: 1.0.0

Description

Processing all of the attached pcaps and rules (each contains one or two rules and generally one or two TCP sessions): these all appear to be valid HTTP sessions, but we don't seem to properly identify them as HTTP traffic or fire on the attached rules. Snort, however, does.

src/suricata -c suricata.yaml -s 2008396.rule -r 2008396.pcap -l ./ not seen as valid http
src/suricata -c suricata.yaml -s 2008469.rule -r 2008469.pcap -l ./ not seen as valid http
src/suricata -c suricata.yaml -s 2009237.rule -r 2009237.pcap -l ./ not seen as valid http
src/suricata -c suricata.yaml -s 2009354.rule -r 2009354.pcap -l ./ not seen as valid http
src/suricata -c suricata.yaml -s 2009471.rule -r 2009471.pcap -l ./ not seen as valid http
src/suricata -c suricata.yaml -s 2009526.rule -r 2009526.pcap -l ./ not seen as valid http
src/suricata -c suricata.yaml -s 2009539.rule -r 2009539.pcap -l ./ not seen as valid http
src/suricata -c suricata.yaml -s 2010973.rule -r 2010973.pcap -l ./ not seen as valid http

all result in ...

[18172] 28/6/2010 -- 19:55:07 - (alert-fastlog.c:255) <Info> (AlertFastLogExitPrintStats) -- (Outputs) Alerts 0
[18172] 28/6/2010 -- 19:55:07 - (alert-unified2-alert.c:603) <Info> (Unified2AlertThreadDeinit) -- Alert unified2 module wrote 0 alerts
[18172] 28/6/2010 -- 19:55:07 - (log-httplog.c:396) <Info> (LogHttpLogExitPrintStats) -- (Outputs) HTTP requests 0

missed-detection.tar.gz - missed detection pcaps and rules (8 KB) Will Metcalf, 06/28/2010 06:50 PM
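The ticket's procedure is a manual one: run each sid's pcap against its rule, then read the exit counters to see whether HTTP was parsed at all and whether the rule fired. The script below, added here as an example and not part of the ticket or of Suricata itself, automates that check by parsing the three exit-stat lines shown in the description and classifying the outcome. It distinguishes the two failure modes the thread describes: "HTTP requests 0" (the traffic was never recognised as HTTP, the original bug) versus HTTP requests parsed but "Alerts 0" (the signature did not fire, the remaining sid 2009471 case in comment #2). The log samples are constructed in the ticket's format, not captured from a real run; `build_command` reproduces the exact command line from the description, and `run_and_check` is the only function that actually executes Suricata.

```python
import re
import subprocess

# Constructed sample output in the format of the ticket's log excerpt (not captured from a real run):
# the original false-negative symptom, where the session is never seen as HTTP.
SAMPLE_MISSED_HTTP = """\
[18172] 28/6/2010 -- 19:55:07 - (alert-fastlog.c:255) <Info> (AlertFastLogExitPrintStats) -- (Outputs) Alerts 0
[18172] 28/6/2010 -- 19:55:07 - (alert-unified2-alert.c:603) <Info> (Unified2AlertThreadDeinit) -- Alert unified2 module wrote 0 alerts
[18172] 28/6/2010 -- 19:55:07 - (log-httplog.c:396) <Info> (LogHttpLogExitPrintStats) -- (Outputs) HTTP requests 0
"""

# Constructed: HTTP was parsed but the rule still did not fire (the situation comment #2 reports for sid 2009471).
SAMPLE_PARSED_NO_ALERT = """\
[18180] 28/6/2010 -- 20:01:11 - (alert-fastlog.c:255) <Info> (AlertFastLogExitPrintStats) -- (Outputs) Alerts 0
[18180] 28/6/2010 -- 20:01:11 - (alert-unified2-alert.c:603) <Info> (Unified2AlertThreadDeinit) -- Alert unified2 module wrote 0 alerts
[18180] 28/6/2010 -- 20:01:11 - (log-httplog.c:396) <Info> (LogHttpLogExitPrintStats) -- (Outputs) HTTP requests 2
"""

# Constructed: the expected healthy outcome once the parser bug is fixed.
SAMPLE_OK = """\
[18191] 28/6/2010 -- 20:05:42 - (alert-fastlog.c:255) <Info> (AlertFastLogExitPrintStats) -- (Outputs) Alerts 1
[18191] 28/6/2010 -- 20:05:42 - (alert-unified2-alert.c:603) <Info> (Unified2AlertThreadDeinit) -- Alert unified2 module wrote 1 alerts
[18191] 28/6/2010 -- 20:05:42 - (log-httplog.c:396) <Info> (LogHttpLogExitPrintStats) -- (Outputs) HTTP requests 2
"""

# Exit-stat lines as they appear in the ticket; each pattern captures the trailing counter.
STAT_PATTERNS = {
    "alerts": re.compile(r"\(Outputs\) Alerts (\d+)\s*$"),
    "unified2_alerts": re.compile(r"wrote (\d+) alerts\s*$"),
    "http_requests": re.compile(r"\(Outputs\) HTTP requests (\d+)\s*$"),
}


def parse_exit_stats(log_text):
    """Extract the exit counters from Suricata's console output. Counters not found stay None."""
    stats = {name: None for name in STAT_PATTERNS}
    for line in log_text.splitlines():
        for name, pattern in STAT_PATTERNS.items():
            match = pattern.search(line)
            if match:
                stats[name] = int(match.group(1))
    return stats


def classify(stats, expect_alerts=True):
    """Turn the counters into one of the outcomes discussed in the ticket."""
    if stats["http_requests"] is None or stats["alerts"] is None:
        return "incomplete-output"       # stats lines missing: the run itself did not complete normally
    if stats["http_requests"] == 0:
        return "http-not-parsed"         # the description's symptom: traffic never identified as HTTP
    if expect_alerts and stats["alerts"] == 0:
        return "rule-did-not-fire"       # HTTP parsed, but the sig still misses (comment #2, sid 2009471)
    return "ok"


def build_command(sid, suricata_bin="src/suricata", config="suricata.yaml", logdir="./"):
    """Reproduce the command line from the ticket for a given sid (rule and pcap share the sid as basename)."""
    return [suricata_bin, "-c", config, "-s", f"{sid}.rule", "-r", f"{sid}.pcap", "-l", logdir]


def run_and_check(sid, **kwargs):
    """Run one sid's pcap/rule pair and classify the result; this is the only function that executes Suricata."""
    proc = subprocess.run(build_command(sid, **kwargs), capture_output=True, text=True)
    return classify(parse_exit_stats(proc.stdout + proc.stderr))


if __name__ == "__main__":
    for label, text in [("missed-http", SAMPLE_MISSED_HTTP),
                        ("parsed-no-alert", SAMPLE_PARSED_NO_ALERT),
                        ("ok", SAMPLE_OK)]:
        print(f"{label}: {classify(parse_exit_stats(text))}")
```

To use this against the attached archive, unpack it next to `suricata.yaml` and call `run_and_check("2008396")` and so on for each sid; any outcome other than `ok` is a regression worth re-opening a ticket for, and the two failure labels tell you whether to look at the HTTP parser or at the signature matching.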

History

#1 Updated by Victor Julien almost 4 years ago

  • Assignee changed from OISF Dev to Pablo Rincon
  • Estimated time changed from 2.50 to 4.00

#2 Updated by Will Metcalf almost 4 years ago

Seems that all of these are fixed in the current master, or we now have an explanation for the missed detection, with the exception of the following sid.

2009471

We still seem to miss on this rule, when it appears to me that we should fire.

#3 Updated by Victor Julien almost 4 years ago

  • Status changed from New to Closed
  • % Done changed from 0 to 100

Please open a new ticket for the 2009471 issue.

The http parsing problem causing the other sigs to fail is fixed so closing this bug.
