Bug #463
closedSuricata not fire on http reply detect if request are not http
Description
Hi,
ok Im continue my Suricata testing, first, send this traffic (Secure...) on http connection:
telnet www.microsoft.com 80 # sorry
Trying 65.55.57.80...
Connected to www.microsoft.com.
Escape character is '^]'.
C->S: Secure * Secure-HTTP/1.4
S->C: HTTP/1.1 400 Bad Request
...
-> ok Im send unknown "Secure" http method and wrong uri and bad http version...
next, use only two Suricata signatures:
not fire:
alert tcp any 80 -> any any (msg:"test1"; flow:to_client,established; content:"400"; http_stat_code; classtype:web-application-attack; sid:11; rev:1;)
fire:
alert tcp any 80 -> any any (msg:"test2"; flow:to_client,established; content:" 400 Bad Request"; nocase; classtype:web-application-attack; sid:12; rev:1;)
ok: http request side are not http
but http reply side are http: why suricata not fire please? (of course snort fire with same sigs)
Tested on suricata git at 16 May 2012. same results with v1.2.1.
Joigned a pcap for example.
Regards
Rmkml
Files
Updated by Anoop Saldanha over 12 years ago
- Assignee set to Anoop Saldanha
Would be fixed with our protocol detection improvements
Updated by Victor Julien about 12 years ago
- Status changed from New to Assigned
- Target version changed from 1.4 to 1.4beta3
Updated by Victor Julien about 12 years ago
- Target version changed from 1.4beta3 to 1.4rc1
Updated by Victor Julien almost 12 years ago
- Target version changed from 1.4rc1 to 2.0rc2
Updated by Anoop Saldanha about 11 years ago
- Status changed from Assigned to Closed
- Target version changed from 2.0rc2 to 2.0beta2