Bug #192: False Negatives when processing the attached pcaps and rules containing http traffic. - Suricata - Open Information Security Foundation

Actions

Copy link

Bug #192

closed

False Negatives when processing the attached pcaps and rules containing http traffic.

Added by Will Metcalf almost 14 years ago. Updated almost 14 years ago.

Status:

Closed

Priority:

Normal

Assignee:

Pablo Rincon

Target version:

1.0.0

Affected Versions:

Effort:

Difficulty:

Label:

Description

Processing all of the attached pcaps and rules (all contain one or two rules and a generally on or two tcp sessions). These all appear to be valid http sessions but we don't seem to properly identify them as http traffic or fire on the attached rules. Snort however does.

src/suricata -c suricata.yaml -s 2008396.rule -r 2008396.pcap -l ./ not seen as valid http
src/suricata -c suricata.yaml -s 2008469.rule -r 2008469.pcap -l ./ not seen as valid http
src/suricata -c suricata.yaml -s 2009237.rule -r 2009237.pcap -l ./ not seen as valid http
src/suricata -c suricata.yaml -s 2009354.rule -r 2009354.pcap -l ./ not seen as valid http
src/suricata -c suricata.yaml -s 2009471.rule -r 2009471.pcap -l ./ not seen as valid http
src/suricata -c suricata.yaml -s 2009526.rule -r 2009526.pcap -l ./ not seen as valid http
src/suricata -c suricata.yaml -s 2009539.rule -r 2009539.pcap -l ./ not seen as valid http
src/suricata -c suricata.yaml -s 2010973.rule -r 2010973.pcap -l ./ not seen as valid http

all result in ...

[18172] 28/6/2010 -- 19:55:07 - (alert-fastlog.c:255) <Info> (AlertFastLogExitPrintStats) -- (Outputs) Alerts 0
[18172] 28/6/2010 -- 19:55:07 - (alert-unified2-alert.c:603) <Info> (Unified2AlertThreadDeinit) -- Alert unified2 module wrote 0 alerts
[18172] 28/6/2010 -- 19:55:07 - (log-httplog.c:396) <Info> (LogHttpLogExitPrintStats) -- (Outputs) HTTP requests 0

Files

missed-detection.tar.gz (8 KB) missed-detection.tar.gz

missed detection pcaps and rules

Will Metcalf, 06/28/2010 06:50 PM