Bug #239

closed

Regression: this signature and pcap should generate an alert but don't.

Added by Will Metcalf over 13 years ago. Updated over 13 years ago.

Status:
Closed
Priority:
Normal
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

Processing the attached pcap with the following rule should generate an alert. However, it does not, and no HTTP requests are logged; this fails across all platforms.

alert ip any any -> any any (msg:"ATTACK-RESPONSES id check returned root"; content:"uid=0|28|root|29|"; metadata:policy balanced-ips drop, policy security-ips drop; classtype:bad-unknown; sid:498; rev:7;)

suricata -r /pcaps/tests/suricata200.pcap -s /testscripts/suricata200.rules -l /testresults/2010-11-02-09-49-22/Ubuntu-10.04-LTS-64-bit/oisf/src/ -c /testresults/2010-11-02-09-49-22/Ubuntu-10.04-LTS-64-bit/oisf/suricata.yaml

[14838] 2/11/2010 -- 11:18:54 - (stream-tcp.c:2882) <Info> (StreamTcpExitPrintStats) -- (Decode & Stream) Packets 9
[14842] 2/11/2010 -- 11:18:54 - (alert-fastlog.c:304) <Info> (AlertFastLogExitPrintStats) -- (Outputs) Alerts 0
[14842] 2/11/2010 -- 11:18:54 - (alert-unified2-alert.c:603) <Info> (Unified2AlertThreadDeinit) -- Alert unified2 module wrote 0 alerts
[14842] 2/11/2010 -- 11:18:54 - (log-httplog.c:396) <Info> (LogHttpLogExitPrintStats) -- (Outputs) HTTP requests 0

Hypertext Transfer Protocol
HTTP/1.1 200 OK\r\n
[Expert Info (Chat/Sequence): HTTP/1.1 200 OK\r\n]
[Message: HTTP/1.1 200 OK\r\n]
[Severity level: Chat]
[Group: Sequence]
Request Version: HTTP/1.1
Response Code: 200
Date: Mon, 21 Sep 2009 13:48:50 GMT\r\n
Server: Apache\r\n
Last-Modified: Mon, 15 Jan 2007 23:11:55 GMT\r\n
ETag: "9b30607-27-45ac0a3b"\r\n
Accept-Ranges: bytes\r\n
Content-Length: 39\r\n
[Content length: 39]
Keep-Alive: timeout=2, max=200\r\n
Connection: Keep-Alive\r\n
Content-Type: text/html\r\n
\r\n
Line-based text data: text/html
uid=0(root) gid=0(root) groups=0(root)\n


Files

suricata200.pcap (1.15 KB) - testmyids.com visit pcap - Will Metcalf, 11/02/2010 10:02 AM
Actions #1

Updated by Anoop Saldanha over 13 years ago

  • Assignee changed from OISF Dev to Anoop Saldanha
Actions #2

Updated by Anoop Saldanha over 13 years ago

  • Estimated time changed from 2.50 h to 1.00 h

The current behaviour looks okay. The 4th toserver packet's TCP csum is wrong. That screws stream reassembly, and subsequently no smsgs are available for stream mpm, since we set the stream_mpm packet flag for the subsequent packets. Changing the conf param "checksum_validation:" to "no" gives you the alert.

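The check a practitioner wants before filing a "rule does not fire" report is the one behind the diagnosis above: do all TCP segments in the capture carry a correct checksum? The script below is an added example, not Suricata code and not the ticket's attachment. It walks a classic (libpcap) Ethernet pcap, recomputes the TCP checksum of every IPv4/TCP segment over the pseudo-header, and reports the frames whose stored checksum disagrees, which are exactly the segments Suricata drops from stream reassembly when checksum validation is on. Because the attached pcap is not reproducible here, the script builds its own five-packet capture (a handshake, a request whose TCP checksum is deliberately corrupted, and a response carrying "uid=0(root) gid=0(root) groups=0(root)"); the addresses 10.0.0.5 and 203.0.113.10, the ports, sequence numbers and timestamps in it are all invented.

```python
"""Find IPv4/TCP packets whose TCP checksum does not verify in a classic pcap.

Added example for this ticket, not Suricata code. With checksum validation on,
Suricata drops a bad-checksum segment from stream reassembly, so a content match
that relies on reassembled data never fires for that flow.
Usage: python3 <this file> capture.pcap   (no argument: runs on a constructed capture)
"""
import socket
import struct
import sys


def ones_complement_sum(data):
    """RFC 1071 one's-complement sum over 16-bit big-endian words (odd tail zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def tcp_checksum(src, dst, segment):
    """TCP checksum over the IPv4 pseudo-header and a segment whose checksum field is zero."""
    pseudo = src + dst + struct.pack("!BBH", 0, 6, len(segment))
    return (~ones_complement_sum(pseudo + segment)) & 0xFFFF


def iter_pcap_frames(data):
    """Yield the captured bytes of each record of a classic (libpcap) Ethernet pcap."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if endian is None:
        raise ValueError("not a classic pcap file")
    if struct.unpack(endian + "I", data[20:24])[0] != 1:
        raise ValueError("only LINKTYPE_ETHERNET (1) is handled")
    off = 24
    while off + 16 <= len(data):
        incl_len = struct.unpack(endian + "IIII", data[off:off + 16])[2]
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def check_tcp_checksums(pcap_bytes):
    """One record per IPv4/TCP packet: Wireshark-style frame number, endpoints, stored vs computed."""
    results = []
    for frame_no, frame in enumerate(iter_pcap_frames(pcap_bytes), start=1):
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue  # not IPv4 over plain Ethernet (VLAN tags are not handled here)
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        total_len = struct.unpack("!H", ip[2:4])[0]
        if ip[9] != 6 or total_len > len(ip) or total_len - ihl < 20:
            continue  # not TCP, truncated by the snaplen, or malformed
        segment = ip[ihl:total_len]  # stop at total_len so Ethernet trailer padding is excluded
        src, dst = ip[12:16], ip[16:20]
        stored = struct.unpack("!H", segment[16:18])[0]
        computed = tcp_checksum(src, dst, segment[:16] + b"\x00\x00" + segment[18:])
        sport, dport = struct.unpack("!HH", segment[:4])
        results.append({"frame": frame_no,
                        "src": "%s:%d" % (socket.inet_ntoa(src), sport),
                        "dst": "%s:%d" % (socket.inet_ntoa(dst), dport),
                        "stored": stored, "computed": computed, "ok": stored == computed})
    return results


def bad_checksum_frames(pcap_bytes):
    """Frame numbers whose TCP checksum is wrong; these are what checksum validation drops."""
    return [r["frame"] for r in check_tcp_checksums(pcap_bytes) if not r["ok"]]


def _frame(src_ip, dst_ip, sport, dport, seq, ack, flags, payload=b"", corrupt=False):
    """Build an Ethernet/IPv4/TCP frame with valid checksums; corrupt=True flips a TCP checksum bit."""
    src, dst = socket.inet_aton(src_ip), socket.inet_aton(dst_ip)
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0)
    csum = tcp_checksum(src, dst, hdr + payload) ^ (0x0100 if corrupt else 0)
    tcp = hdr[:16] + struct.pack("!H", csum) + hdr[18:] + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", (~ones_complement_sum(ip)) & 0xFFFF) + ip[12:]
    return b"\x02\x00\x00\x00\x00\x01" + b"\x02\x00\x00\x00\x00\x02" + b"\x08\x00" + ip + tcp


def constructed_pcap():
    """Constructed capture (not the ticket's attachment): handshake, a request with a bad TCP
    checksum, then the 'uid=0(root)' response the rule in the ticket is meant to match."""
    c, s = "10.0.0.5", "203.0.113.10"  # invented addresses
    req = b"GET / HTTP/1.1\r\nHost: testmyids.com\r\n\r\n"
    rsp = b"HTTP/1.1 200 OK\r\nContent-Length: 39\r\n\r\nuid=0(root) gid=0(root) groups=0(root)\n"
    frames = [_frame(c, s, 40000, 80, 1000, 0, 0x02),                        # 1: SYN
              _frame(s, c, 80, 40000, 5000, 1001, 0x12),                     # 2: SYN/ACK
              _frame(c, s, 40000, 80, 1001, 5001, 0x10),                     # 3: ACK
              _frame(c, s, 40000, 80, 1001, 5001, 0x18, req, corrupt=True),  # 4: request, bad csum
              _frame(s, c, 80, 40000, 5001, 1001 + len(req), 0x18, rsp)]     # 5: response, good csum
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # global header, LINKTYPE_ETHERNET
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1288691934 + i, 0, len(f), len(f)) + f
    return out


if __name__ == "__main__":
    capture = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else constructed_pcap()
    for r in check_tcp_checksums(capture):
        print("frame %d %s -> %s stored=0x%04x computed=0x%04x %s" % (
            r["frame"], r["src"], r["dst"], r["stored"], r["computed"], "ok" if r["ok"] else "BAD"))
```

Run without arguments it reports frame 4 as BAD and the other four as ok; run against a real capture it tells you which frames Suricata will refuse to reassemble. In the constructed capture the response itself is intact, so a packet-only content match would still see "uid=0(root)", but the flow is already broken: once a toserver segment is rejected, reassembly for that session stalls and nothing is handed to the stream matcher, which is the behaviour described in the comment above. The usual cause of bad checksums in a capture taken on one of the endpoints is TCP checksum offload: the kernel hands the packet to libpcap before the NIC fills in the checksum, so the bytes were correct on the wire and disabling validation (in suricata.yaml under stream:, checksum-validation: no in current releases, spelled checksum_validation in the configuration of the ticket's era; later releases also accept -k none on the command line) is the right response rather than a workaround. A segment whose checksum was genuinely wrong on the wire would have been discarded by the receiving host as well, so an IDS that ignores it is not missing anything the target actually processed.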
Actions #3

Updated by Victor Julien over 13 years ago

  • Status changed from New to Closed

Agreed. Closing this ticket.
