Suricata

Laszlo Madarassy wrote:

Hi,

I want to alert detect and alert torrent tracker messages with suricata, but it seems they won't match. Torrent trackers usually are not on port 80, I don't wheather is it a problem or not.
This rule works:
alert tcp any any -> any any (msg:"torrent tracker message v1"; content:"info_hash="; sid:10;)

But these rules do not match (tried both of them):
alert http any any -> any any (msg:"torrent tracker message v1"; flow:established,to_server; uricontent:"info_hash="; sid:10;)
alert http any any -> any any (msg:"torrent tracker message v1"; content:"info_hash="; http_uri; sid:10;)
alert http any any -> any any (msg:"torrent tracker message v1"; content:"info_hash="; http_raw_uri; sid:10;)

Can you share a pcap(privately if you want) for testing?

The http response is gzip compressed, so I need the http rule to able to match.
Btw, are there any method to match a http response belonging to a matched http request?

You can set a flowbit on the request rule and check if the flowbit is set on the response rule.

Hi,

Here is a capture file:
http://mik.bme.hu/~lmadarassy/suricata/http.cap

I want to match packets sent to/from 176.31.224.96:2710

Can you give me an easy example for this flowbit?

Thanks,
Laszlo

Anoop Saldanha wrote:

Laszlo Madarassy wrote:

Hi,

I want to alert detect and alert torrent tracker messages with suricata, but it seems they won't match. Torrent trackers usually are not on port 80, I don't wheather is it a problem or not.
This rule works:
alert tcp any any -> any any (msg:"torrent tracker message v1"; content:"info_hash="; sid:10;)

But these rules do not match (tried both of them):
alert http any any -> any any (msg:"torrent tracker message v1"; flow:established,to_server; uricontent:"info_hash="; sid:10;)
alert http any any -> any any (msg:"torrent tracker message v1"; content:"info_hash="; http_uri; sid:10;)
alert http any any -> any any (msg:"torrent tracker message v1"; content:"info_hash="; http_raw_uri; sid:10;)

Can you share a pcap(privately if you want) for testing?

The http response is gzip compressed, so I need the http rule to able to match.
Btw, are there any method to match a http response belonging to a matched http request?

You can set a flowbit on the request rule and check if the flowbit is set on the response rule.

With your rules (I've given them unique sids):

alert tcp any any -> any any (msg:"torrent tracker message v1"; content:"info_hash="; sid:1;)
alert http any any -> any any (msg:"torrent tracker message v1"; flow:established,to_server; uricontent:"info_hash="; sid:2;)
alert http any any -> any any (msg:"torrent tracker message v1"; content:"info_hash="; http_uri; sid:3;)
alert http any any -> any any (msg:"torrent tracker message v1"; content:"info_hash="; http_raw_uri; sid:4;)

I get alerts on all 4:

06/17/2013-14:16:49.672505  [**] [1:4:0] torrent tracker message v1 [**] [Classification: (null)] [Priority: 3] {TCP} 192.168.27.3:28417 -> 176.31.224.96:2710
06/17/2013-14:16:49.672505  [**] [1:3:0] torrent tracker message v1 [**] [Classification: (null)] [Priority: 3] {TCP} 192.168.27.3:28417 -> 176.31.224.96:2710
06/17/2013-14:16:49.672505  [**] [1:2:0] torrent tracker message v1 [**] [Classification: (null)] [Priority: 3] {TCP} 192.168.27.3:28417 -> 176.31.224.96:2710
06/17/2013-14:16:49.672505  [**] [1:1:0] torrent tracker message v1 [**] [Classification: (null)] [Priority: 3] {TCP} 192.168.27.3:28417 -> 176.31.224.96:2710

I started suri as follows:

suricata -c suricata.yaml -r http.cap -S local.rules

What is interesting though, is that only one http session is logged, while there are several in the file. @Anoop, can you check this?

Looks right. Other than 1 flow, rest of the flows have missing handshakes.