Project

General

Profile

Actions

Bug #6560

open

Suricata can’t output response when meet a tcp retransmission after a response

Added by chris tang about 1 year ago. Updated almost 1 year ago.

Status:
New
Priority:
Normal
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label:
Beginner, Good First Issue

Description

detail sees also in https://forum.suricata.io/t/suricata-cant-output-response-when-meet-a-tcp-retransmission-after-a-response/4160
build-info

Please include the following information with your help request:

Suricata version
7.0.1
Operating system and/or Linux distribution
ubuntu 20.04
How you installed Suricata (from source, packages, something else)
source

repro step:
1.build suricata with pfring(other config keeps default)

2.run suricata with default config except pfring:

pfring:
- interface: enp132s0f0
threads: 32
cluster-id: 99
cluster-type: cluster_flow
bypass: yes
checksum-checks: no

3.edit one rule:

alert http any any -> any any ( msg:".svn info leak"; http.method; content:"GET"; flow:to_server,established; flowbits:set,svn_entries_information_leak; http.uri; content:"|2e|svn|2f|entries"; nocase; classtype: information-leakage; sid:1; rev:1;)

4.run suricata -c /path/to/config.yaml --pfring=enp132s0f0 -S /path/to/rule

5.replay the pcap(see attachment) to enp132s0f0, or open pcap file by suricata with -r args.

then i’ll got a alert without http response header.


Files

repo.zip (2.51 MB) repo.zip chris tang, 11/21/2023 03:01 AM
Actions #1

Updated by Victor Julien almost 1 year ago

  • Target version changed from 7.0.2 to TBD
Actions

Also available in: Atom PDF