Bug #457 (closed)

FN with suricata git version 24apr2012?

Added by rmkml rmkml almost 12 years ago. Updated almost 12 years ago.

Status: Closed
Priority: Normal

Description

Hi,

OK, I'm restarting my Suricata testing, and I've found FN results:

1) OK, use only these two sigs:
alert tcp any 80 -> any any (msg:"404"; flow:to_client,established; content:"404"; http_stat_code; file_data; content:!"<script"; nocase; distance:0; classtype:attempted-admin; sid:44333221; rev:1; )
alert tcp any $HTTP_PORTS -> any any (msg:"file_data"; flow:to_server,established; file_data; content:"abc"; nocase; distance:0; classtype:web-application-attack; sid:44333222; rev:1;)

2) and tested with wget / the attached pcap file:
wget http://www.openinfosecfoundation.org/xyz.php
2012-04-24 23:54:48 ERREUR 404: Not Found.

3a) results: Suricata v1.3git24apr: no alerts
3b) results: Suricata v1.2.1: fires/alerts

4) OK, change on sig 44333222: replace $HTTP_PORTS with 80
-> results: all Suricata versions fire/alert

5) OK, another change on sig 44333221: remove 'file_data; content:!"<script"; nocase; distance:0;'
-> results: all Suricata versions fire/alert

6) OK, another change on sig 44333222: comment out/disable this sig
-> results: all Suricata versions fire/alert

Checksum verification is disabled.
Snort always fires.
Suricata doesn't report any errors for sig 44333221 or 44333222!

I'm curious whether someone can reproduce my FN (3a), please?
Regards
Rmkml


Files

404.pcap (1.38 KB), rmkml, 04/25/2012 09:41 AM
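Steps 1 to 3 of the report are a differential test: the same two signatures and the same pcap run through two Suricata builds, with one sid alerting under v1.2.1 and nothing alerting under the git build. The Python script below is an added example, not code from this report or from the Suricata project, that automates that comparison from the fast.log each build writes and adds a header sanity check over the rules. It embeds the two signatures from the report as given; the two fast.log excerpts, the RFC 5737 addresses in them, and the set of tokens treated as HTTP server ports ('80' and '$HTTP_PORTS') are constructed assumptions for the example.

```python
"""Differential check of Suricata alert output between two builds.

Added example, not code from the bug report or from the Suricata project.
The fast.log excerpts below are constructed for the example; the rule text
is the pair of signatures from the report.
"""
import re

# Rule header: action proto src sport dir dst dport (options)
HEADER_RE = re.compile(
    r'^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+'
    r'(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$')
SID_RE = re.compile(r'\bsid\s*:\s*(\d+)\s*;')
MSG_RE = re.compile(r'\bmsg\s*:\s*"([^"]*)"\s*;')
FLOW_RE = re.compile(r'\bflow\s*:\s*([^;]*);')
# A fast.log alert line carries "[**] [gid:sid:rev] msg [**]".
FASTLOG_RE = re.compile(r'\[\*\*\]\s*\[(\d+):(\d+):(\d+)\]\s*(.*?)\s*\[\*\*\]')

# Assumption for this example: these header tokens name the HTTP server side.
SERVER_PORT_TOKENS = {'80', '$HTTP_PORTS'}

# The two signatures from the report, verbatim.
RULES = r'''
alert tcp any 80 -> any any (msg:"404"; flow:to_client,established; content:"404"; http_stat_code; file_data; content:!"<script"; nocase; distance:0; classtype:attempted-admin; sid:44333221; rev:1; )
alert tcp any $HTTP_PORTS -> any any (msg:"file_data"; flow:to_server,established; file_data; content:"abc"; nocase; distance:0; classtype:web-application-attack; sid:44333222; rev:1;)
'''

# Constructed fast.log excerpts, one per build (addresses from RFC 5737).
REFERENCE_LOG = (
    "04/25/2012-09:41:00.000000  [**] [1:44333221:1] 404 [**] "
    "[Classification: Attempted Administrator Privilege Gain] [Priority: 1] "
    "{TCP} 192.0.2.10:80 -> 192.0.2.20:43210\n"
)
CANDIDATE_LOG = ""   # the build under test wrote no alert at all


def parse_rules(text):
    """Return {sid: rule dict} for every enabled (non-commented) rule line."""
    rules = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        head, sid = HEADER_RE.match(line), SID_RE.search(line)
        if head is None or sid is None:
            continue  # not a complete rule line; skip rather than guess
        opts = head.group('opts')
        msg, flow = MSG_RE.search(opts), FLOW_RE.search(opts)
        rules[int(sid.group(1))] = {
            'sid': int(sid.group(1)),
            'msg': msg.group(1) if msg else '',
            'sport': head.group('sport'),
            'dport': head.group('dport'),
            'flow': {f.strip() for f in flow.group(1).split(',')} if flow else set(),
        }
    return rules


def fired_sids(fastlog_text):
    """Set of sids with at least one alert line in a fast.log."""
    return {int(m.group(2)) for m in FASTLOG_RE.finditer(fastlog_text)}


def false_negatives(rules, reference_log, candidate_log):
    """Loaded sids that alerted in the reference build but not in the candidate."""
    ref, cand = fired_sids(reference_log), fired_sids(candidate_log)
    return sorted(sid for sid in rules if sid in ref and sid not in cand)


def direction_warnings(rules):
    """Rules whose header ports disagree with their flow direction keyword.

    In an established HTTP flow a to_server packet is sent by the client, so
    the server port is expected in the destination slot, not the source (and
    the mirror for to_client). Such a rule is unlikely to match normal
    traffic and is worth a second look before blaming the engine.
    """
    out = []
    for r in rules.values():
        if 'to_server' in r['flow'] and r['sport'] in SERVER_PORT_TOKENS:
            out.append((r['sid'], 'to_server but the server port is the source port'))
        if 'to_client' in r['flow'] and r['dport'] in SERVER_PORT_TOKENS:
            out.append((r['sid'], 'to_client but the server port is the destination port'))
    return out


def report():
    """Summarise the comparison for the embedded data; returns the report lines."""
    rules = parse_rules(RULES)
    lines = [f"FN candidate: sid {sid} ({rules[sid]['msg']}) alerted in the reference build only"
             for sid in false_negatives(rules, REFERENCE_LOG, CANDIDATE_LOG)]
    lines += [f"rule lint: sid {sid}: {why}" for sid, why in direction_warnings(rules)]
    return lines


if __name__ == '__main__':
    print('\n'.join(report()))
```

To use it on real runs, run each build against the pcap with -r and point `false_negatives()` at the fast.log from each build's log directory. The lint only flags header/flow combinations that deserve review; it does not identify the engine-side cause the report is about, which is what the maintainers tracked in the comments below.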
Actions #1

Updated by Anoop Saldanha almost 12 years ago

rmkml rmkml wrote:

    3a) results: Suricata v1.3git24apr: no alerts

Alerts for me. I am testing it on the latest master.

Actions #2

Updated by Anoop Saldanha almost 12 years ago

Anoop Saldanha wrote:

    rmkml rmkml wrote:

        3a) results: Suricata v1.3git24apr: no alerts

    Alerts for me. I am testing it on the latest master.

Correction: testing it on April 24th's commit, i.e.

commit ad36d55771caa737af4ac4e87d243089b29b36c2
Author: Anoop Saldanha <>
Date: Fri Apr 20 10:57:11 2012 +0530

    code cleanup - indentation fix

Actions #3

Updated by Victor Julien almost 12 years ago

  • Status changed from New to Assigned
  • Assignee set to Anoop Saldanha
  • Target version set to 1.3beta2

So this issue is fixed in the master?

Actions #4

Updated by Victor Julien almost 12 years ago

  • Status changed from Assigned to Closed
  • % Done changed from 0 to 100

Got confirmation it is.
