Project

General

Profile

Actions

Bug #708

open

Flow vars issue in pcap file mode

Added by Eric Leblond almost 10 years ago. Updated over 3 years ago.

Status:
New
Priority:
Normal
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

The following signatures should allow to detect non HTTP traffic on port 80:

alert http any any -> any any (msg: "Set flag_http"; \
flowbits: set, flag_http;\
noalert; \
sid:6; rev:1;)
#
alert tcp any any -> any 80 (msg: "Increment flag"; \
flowint: cnt, +, 1; \
flowbits: isnotset, flag_http; \
noalert; \
sid: 7; rev:1;)
#
alert tcp any any -> any 80 (msg: "Non HTTP on port 80"; \
flowint: cnt, >, 5; \
flowbits: isnotset, flag_http; \
flowbits: set, flag_http;\
sid: 8; rev:1;)

On some systems (FC14 dual core) this is not working correctly with alert firing for both attached files.
This should not alert:

suricata -S not-http-port-80.rules -r 80-http.pcap

This should alert once:

suricata -S not-http-port-80.rules -r 80-no-http.pcap

On the faulty systems, switching to runmode single by adding --runmode=single on command line fixes the issue.


Files

80-http.pcap (244 KB) 80-http.pcap Eric Leblond, 01/12/2013 05:14 AM
80-no-http.pcap (1.04 KB) 80-no-http.pcap Eric Leblond, 01/12/2013 05:14 AM
not-http-port-80.rules (405 Bytes) not-http-port-80.rules Eric Leblond, 01/12/2013 05:14 AM
Actions

Also available in: Atom PDF