Bug #825
closed
http keywords not matching
Description
Hi,
I want to detect and alert on torrent tracker messages with Suricata, but it seems they won't match. Torrent trackers usually are not on port 80; I don't know whether it is a problem or not.
This rule works:
alert tcp any any -> any any (msg:"torrent tracker message v1"; content:"info_hash="; sid:10;)
But these rules do not match (tried both of them):
alert http any any -> any any (msg:"torrent tracker message v1"; flow:established,to_server; uricontent:"info_hash="; sid:10;)
alert http any any -> any any (msg:"torrent tracker message v1"; content:"info_hash="; http_uri; sid:10;)
alert http any any -> any any (msg:"torrent tracker message v1"; content:"info_hash="; http_raw_uri; sid:10;)
The http response is gzip compressed, so I need the http rule to be able to match.
Btw, is there any method to match an http response belonging to a matched http request?
Updated by Anoop Saldanha over 11 years ago
Laszlo Madarassy wrote:
Hi,
I want to detect and alert on torrent tracker messages with Suricata, but it seems they won't match. Torrent trackers usually are not on port 80; I don't know whether it is a problem or not.
This rule works:
alert tcp any any -> any any (msg:"torrent tracker message v1"; content:"info_hash="; sid:10;)
But these rules do not match (tried both of them):
alert http any any -> any any (msg:"torrent tracker message v1"; flow:established,to_server; uricontent:"info_hash="; sid:10;)
alert http any any -> any any (msg:"torrent tracker message v1"; content:"info_hash="; http_uri; sid:10;)
alert http any any -> any any (msg:"torrent tracker message v1"; content:"info_hash="; http_raw_uri; sid:10;)
Can you share a pcap (privately if you want) for testing?
The http response is gzip compressed, so I need the http rule to be able to match.
Btw, is there any method to match an http response belonging to a matched http request?
You can set a flowbit on the request rule and check if the flowbit is set on the response rule.
Updated by Laszlo Madarassy over 11 years ago
Hi,
Here is a capture file:
http://mik.bme.hu/~lmadarassy/suricata/http.cap
I want to match packets sent to/from 176.31.224.96:2710
Can you give me an easy example for this flowbit?
Thanks,
Laszlo
Updated by Victor Julien over 11 years ago
With your rules (I've given them unique sids):
alert tcp any any -> any any (msg:"torrent tracker message v1"; content:"info_hash="; sid:1;)
alert http any any -> any any (msg:"torrent tracker message v1"; flow:established,to_server; uricontent:"info_hash="; sid:2;)
alert http any any -> any any (msg:"torrent tracker message v1"; content:"info_hash="; http_uri; sid:3;)
alert http any any -> any any (msg:"torrent tracker message v1"; content:"info_hash="; http_raw_uri; sid:4;)
I get alerts on all 4:
06/17/2013-14:16:49.672505 [**] [1:4:0] torrent tracker message v1 [**] [Classification: (null)] [Priority: 3] {TCP} 192.168.27.3:28417 -> 176.31.224.96:2710
06/17/2013-14:16:49.672505 [**] [1:3:0] torrent tracker message v1 [**] [Classification: (null)] [Priority: 3] {TCP} 192.168.27.3:28417 -> 176.31.224.96:2710
06/17/2013-14:16:49.672505 [**] [1:2:0] torrent tracker message v1 [**] [Classification: (null)] [Priority: 3] {TCP} 192.168.27.3:28417 -> 176.31.224.96:2710
06/17/2013-14:16:49.672505 [**] [1:1:0] torrent tracker message v1 [**] [Classification: (null)] [Priority: 3] {TCP} 192.168.27.3:28417 -> 176.31.224.96:2710
I started suri as follows:
suricata -c suricata.yaml -r http.cap -S local.rules
What is interesting though, is that only one http session is logged, while there are several in the file. @Anoop, can you check this?
Updated by Anoop Saldanha over 11 years ago
Looks right. Other than 1 flow, the rest of the flows have missing handshakes.
Updated by Anoop Saldanha over 11 years ago
- Assignee deleted (Anoop Saldanha)
@Laszlo
alert tcp ..... (content:"one"; http_uri; flowbits:set,request_seen; sid:1;)
alert tcp ..... (content:"two"; http_server_body; flowbits:isset,request_seen; sid:2;)
If you don't want the first sig to alert you can add a flowbits:noalert;
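A small Python model of the flowbits pattern described above, added here as an illustration and not part of the ticket or of Suricata: the request-side check sets a per-flow bit when `info_hash=` appears in the URI, and the response-side check fires only when that bit is set and the pattern is found in the decompressed body (what `http_server_body` inspects), which a plain `tcp` rule looking at the compressed bytes cannot do. The request, response, port and body content are constructed sample data.

```python
import gzip
from dataclasses import dataclass, field

# Constructed sample: a tracker announce request and its gzip-compressed
# response on a non-80 port, modelled on the traffic discussed in the ticket.
REQUEST = (b"GET /announce?info_hash=%aa%bb&peer_id=abc HTTP/1.1\r\n"
           b"Host: tracker.example:2710\r\nAccept-Encoding: gzip\r\n\r\n")
RESPONSE_BODY = b"d8:completei5e8:intervali1800e5:peers6:\x01\x02\x03\x04\x05\x06e"
RESPONSE = (b"HTTP/1.1 200 OK\r\nContent-Encoding: gzip\r\n\r\n"
            + gzip.compress(RESPONSE_BODY))

@dataclass
class Flow:
    """Per-flow state: the flowbits set so far and the alerts raised."""
    flowbits: set = field(default_factory=set)
    alerts: list = field(default_factory=list)

def http_uri(request: bytes) -> bytes:
    """Return the request URI, the buffer that http_uri inspects."""
    return request.split(b"\r\n", 1)[0].split(b" ")[1]

def http_server_body(response: bytes) -> bytes:
    """Return the decompressed body, the buffer that http_server_body inspects."""
    headers, body = response.split(b"\r\n\r\n", 1)
    if b"content-encoding: gzip" in headers.lower():
        return gzip.decompress(body)
    return body

def inspect_request(flow: Flow, request: bytes) -> None:
    # Equivalent of: content:"info_hash="; http_uri; flowbits:set,request_seen; flowbits:noalert;
    if b"info_hash=" in http_uri(request):
        flow.flowbits.add("request_seen")

def inspect_response(flow: Flow, response: bytes) -> list:
    # Equivalent of: content:"interval"; http_server_body; flowbits:isset,request_seen;
    if "request_seen" in flow.flowbits and b"interval" in http_server_body(response):
        flow.alerts.append("tracker response to matched request")
    return flow.alerts

def raw_tcp_match(response: bytes) -> bool:
    """A plain tcp rule sees only the compressed bytes and misses the pattern."""
    return b"interval" in response

if __name__ == "__main__":
    f = Flow()
    inspect_request(f, REQUEST)
    print(inspect_response(f, RESPONSE), raw_tcp_match(RESPONSE))
```

The second check is skipped entirely on a flow whose request never set the bit, which is what ties the response alert to its own request.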
Updated by Victor Julien over 11 years ago
- Status changed from New to Closed
@anoop: ack, missed that. Sorry for the noise.
Closing the ticket as all seems well.