Bug #463: Suricata not fire on http reply detect if request are not http - Suricata - Open Information Security Foundation

Actions

Copy link

Bug #463

closed

Suricata not fire on http reply detect if request are not http

Added by rmkml rmkml almost 12 years ago. Updated over 10 years ago.

Status:

Closed

Priority:

Normal

Assignee:

Anoop Saldanha

Target version:

2.0beta2

Affected Versions:

Effort:

Difficulty:

Label:

Description

Hi,
ok Im continue my Suricata testing, first, send this traffic (Secure...) on http connection:
telnet www.microsoft.com 80 # sorry
Trying 65.55.57.80...
Connected to www.microsoft.com.
Escape character is '^]'.
C->S: Secure * Secure-HTTP/1.4
S->C: HTTP/1.1 400 Bad Request
...
-> ok Im send unknown "Secure" http method and wrong uri and bad http version...

next, use only two Suricata signatures:
not fire:
alert tcp any 80 -> any any (msg:"test1"; flow:to_client,established; content:"400"; http_stat_code; classtype:web-application-attack; sid:11; rev:1;)
fire:
alert tcp any 80 -> any any (msg:"test2"; flow:to_client,established; content:" 400 Bad Request"; nocase; classtype:web-application-attack; sid:12; rev:1;)

ok: http request side are not http
but http reply side are http: why suricata not fire please? (of course snort fire with same sigs)

Tested on suricata git at 16 May 2012. same results with v1.2.1.
Joigned a pcap for example.
Regards
Rmkml

Files

http400.pcap (1.13 KB) http400.pcap

rmkml rmkml, 05/19/2012 03:36 PM

Actions

Copy link

Also available in: Atom PDF

Project

General

Profile

Suricata

Custom queries

Bug #463

Suricata not fire on http reply detect if request are not http

Updated by Anoop Saldanha almost 12 years ago

Updated by Victor Julien almost 12 years ago

Updated by Victor Julien over 11 years ago

Updated by Victor Julien over 11 years ago

Updated by Victor Julien over 11 years ago

Updated by Anoop Saldanha over 10 years ago