Flow vars issue in pcap file mode
The following signatures should allow to detect non HTTP traffic on port 80:
alert http any any -> any any (msg: "Set flag_http"; \ flowbits: set, flag_http;\ noalert; \ sid:6; rev:1;) # alert tcp any any -> any 80 (msg: "Increment flag"; \ flowint: cnt, +, 1; \ flowbits: isnotset, flag_http; \ noalert; \ sid: 7; rev:1;) # alert tcp any any -> any 80 (msg: "Non HTTP on port 80"; \ flowint: cnt, >, 5; \ flowbits: isnotset, flag_http; \ flowbits: set, flag_http;\ sid: 8; rev:1;)
On some systems (FC14 dual core) this is not working correctly with alert firing for both attached files.
This should not alert:
suricata -S not-http-port-80.rules -r 80-http.pcap
This should alert once:
suricata -S not-http-port-80.rules -r 80-no-http.pcap
On the faulty systems, switching to runmode single by adding
--runmode=single on command line fixes the issue.
Updated by Anoop Saldanha over 9 years ago
would the above set of rules work? As in sig 7 will be run for every packet heading in the port 80 direction, which means all the syn retransmissions as well, which is why you are seeing alerts for 80-http.pcap as well. You can see a fair bit of FPs.
Unable to reproduce the single vs autofp thing you are noticing. See an alert. I have an update to the engine, which might be a fix, but single vs autofp in this case should virtually be the same thing. Let me check in some detail next.
On an unrelated note, we should probably support
alert !<protocol> ....
which should be more reliable.
Updated by Andreas Herz about 6 years ago
I can reproduce it but in the first case I receive
6/9/2016 -- 23:57:31 - <Warning> - [ERRCODE: SC_ERR_INVALID_CHECKSUM(11)] - 1/1th of packets have an invalid checksum, consider setting pcap-file.checksum-checks variable to no or use '-k none' option on command line.
So when I start it with "-k none" the alert won't trigger. So still a bug or working as expected in that case?