Bug #239
closedRegression this signature and pcap should generate an alert but doesn't.
Description
Processing the attached pcap and the following rule should generate an alert. However it does not and no http requests are logged, this fails across all platforms.
alert ip any any -> any any (msg:"ATTACK-RESPONSES id check returned root"; content:"uid=0|28|root|29|"; metadata:policy balanced-ips drop, policy security-ips drop; classtype:bad-unknown; sid:498; rev:7;)
suricata -r /pcaps/tests/suricata200.pcap -s /testscripts/suricata200.rules -l /testresults/2010-11-02-09-49-22/Ubuntu-10.04-LTS-64-bit/oisf/src/ -c /testresults/2010-11-02-09-49-22/Ubuntu-10.04-LTS-64-bit/oisf/suricata.yaml
[14838] 2/11/2010 -- 11:18:54 - (stream-tcp.c:2882) <Info> (StreamTcpExitPrintStats) -- (Decode & Stream) Packets 9
[14842] 2/11/2010 -- 11:18:54 - (alert-fastlog.c:304) <Info> (AlertFastLogExitPrintStats) -- (Outputs) Alerts 0
[14842] 2/11/2010 -- 11:18:54 - (alert-unified2-alert.c:603) <Info> (Unified2AlertThreadDeinit) -- Alert unified2 module wrote 0 alerts
[14842] 2/11/2010 -- 11:18:54 - (log-httplog.c:396) <Info> (LogHttpLogExitPrintStats) -- (Outputs) HTTP requests 0
Hypertext Transfer Protocol
HTTP/1.1 200 OK\r\n
[Expert Info (Chat/Sequence): HTTP/1.1 200 OK\r\n]
[Message: HTTP/1.1 200 OK\r\n]
[Severity level: Chat]
[Group: Sequence]
Request Version: HTTP/1.1
Response Code: 200
Date: Mon, 21 Sep 2009 13:48:50 GMT\r\n
Server: Apache\r\n
Last-Modified: Mon, 15 Jan 2007 23:11:55 GMT\r\n
ETag: "9b30607-27-45ac0a3b"\r\n
Accept-Ranges: bytes\r\n
Content-Length: 39\r\n
[Content length: 39]
Keep-Alive: timeout=2, max=200\r\n
Connection: Keep-Alive\r\n
Content-Type: text/html\r\n
\r\n
Line-based text data: text/html
uid=0(root) gid=0(root) groups=0(root)\n
Files
Updated by Anoop Saldanha about 14 years ago
- Assignee changed from OISF Dev to Anoop Saldanha
Updated by Anoop Saldanha about 14 years ago
- Estimated time changed from 2.50 h to 1.00 h
The current behaviour looks okay. The 4th toserver packet's tcp csum is wrong. That screws stream reassembly and subsequently no smsgs are available for stream mpm, since we set the stream_mpm packet flag for the subsequent packets. Changing the conf param "checksum_validation:" to "no", gives you the alert.
Updated by Victor Julien about 14 years ago
- Status changed from New to Closed
Agreed. Closing this ticket.