Bug #1548 (Closed)
file_data issue
Description
Using Suricata 2.0.8
The following rule does not match on the attached pcap:
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Android Stagefright MP4 CVE-2015-1538 - STSC"; flow:established,from_server; file_data; content:"stsc|00 00 00 00 C0 00 00 03|"; fast_pattern; content:!"|00 00 00 00|"; within:4; pcre:"/^(?P<addr1>.{4})(?P<addr2>.{4})(?P=addr2)(?P=addr1)/Rsi"; classtype:attempted-user; sid:444446; rev:1;)
Removing file_data will correctly match the pcap:
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Android Stagefright MP4 CVE-2015-1538 - STSC"; flow:established,from_server; content:"stsc|00 00 00 00 C0 00 00 03|"; fast_pattern; content:!"|00 00 00 00|"; within:4; pcre:"/^(?P<addr1>.{4})(?P<addr2>.{4})(?P=addr2)(?P=addr1)/Rsi"; classtype:attempted-user; sid:444447; rev:1;)
I think these are the relevant yaml excerpts (let me know if more are needed); I played with these values quite a bit:
libhtp:
  default-config:
    personality: IDS
    # Can be specified in kb, mb, gb. Just a number indicates
    # it's in bytes.
    request-body-limit: 0
    response-body-limit: 0
    # inspection limits
    request-body-minimal-inspect-size: 16kb
    request-body-inspect-window: 16kb
    response-body-minimal-inspect-size: 5mb
    response-body-inspect-window: 5mb

stream:
  memcap: 32mb
  checksum-validation: yes      # reject wrong csums
  inline: no                    # no inline mode
  reassembly:
    memcap: 64mb
    depth: 5mb
    toserver-chunk-size: 2560
    toclient-chunk-size: 2560
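An added check, written here for this report and not part of the report or of Suricata itself: a small Python reimplementation of the byte logic of the two rules above (fast-pattern content, the negated 4-byte content with within:4, and the /R-anchored pcre), run over a constructed HTTP response carrying a minimal MP4 stsc box. It assumes that Suricata does not advance the relative match offset on a negated content match, so both the negated content and the pcre are evaluated immediately after the "stsc|00 00 00 00 C0 00 00 03|" match, and it assumes Content-Length framing only (no chunked or gzip handling). The names rule_matches, http_response_body and sample_response are mine. The point is to confirm that the same pattern is present both in the raw stream (what sid 444447 sees) and in the bare response body (what file_data is supposed to expose), so any difference in verdict between the two rules lies in how the file_data buffer is filled, not in the pattern.

```python
import re

# Constructed sample data, not the attached pcap: a minimal 'stsc' box whose
# version/flags are zero and whose entry count is 0xC0000003, as the rule expects.
STSC_HEADER = b"stsc" + b"\x00\x00\x00\x00" + b"\xC0\x00\x00\x03"

# content:"stsc|00 00 00 00 C0 00 00 03|"; fast_pattern;
FAST_PATTERN = STSC_HEADER

# pcre:"/^(?P<addr1>.{4})(?P<addr2>.{4})(?P=addr2)(?P=addr1)/Rsi"
# Python's re supports the same named groups and backreferences; s -> DOTALL, i -> IGNORECASE.
PCRE = re.compile(rb"^(?P<addr1>.{4})(?P<addr2>.{4})(?P=addr2)(?P=addr1)",
                  re.DOTALL | re.IGNORECASE)


def build_stsc_entries(addr1: bytes, addr2: bytes) -> bytes:
    """Four 32-bit words laid out as addr1, addr2, addr2, addr1 (the ABBA shape the pcre wants)."""
    if len(addr1) != 4 or len(addr2) != 4:
        raise ValueError("addr1/addr2 must be 4 bytes each")
    return addr1 + addr2 + addr2 + addr1


def rule_matches(buf: bytes) -> bool:
    """Approximation (assumption, see lead-in) of the sid 444446/444447 match logic over one buffer.

    Every occurrence of the fast pattern is tried, as Suricata would on a relative-match failure.
    """
    start = 0
    while True:
        i = buf.find(FAST_PATTERN, start)
        if i < 0:
            return False
        end = i + len(FAST_PATTERN)
        # content:!"|00 00 00 00|"; within:4
        # the four bytes right after the header must not be all zero
        if buf[end:end + 4] != b"\x00\x00\x00\x00":
            # pcre with /R: anchored (^) at the end of the last content match
            if PCRE.match(buf[end:]):
                return True
        start = i + 1


def http_response_body(raw: bytes) -> bytes:
    """Return the body of a Content-Length framed, uncompressed HTTP response.

    Assumption: this is what file_data should expose for such a response; chunked
    transfer encoding and content-encoding are deliberately not handled here.
    """
    head, sep, rest = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no HTTP header terminator found")
    m = re.search(rb"(?im)^content-length:\s*(\d+)\s*$", head)
    length = int(m.group(1)) if m else len(rest)
    return rest[:length]


def sample_response(addr1: bytes = b"\x41\x41\x41\x41", addr2: bytes = b"\x42\x42\x42\x42") -> bytes:
    """Constructed HTTP/1.1 response: an 8-byte 'free' box followed by a 32-byte 'stsc' box."""
    stsc_box = b"\x00\x00\x00\x20" + STSC_HEADER + build_stsc_entries(addr1, addr2)
    body = b"\x00\x00\x00\x08free" + stsc_box
    head = (b"HTTP/1.1 200 OK\r\n"
            b"Content-Type: video/mp4\r\n"
            b"Content-Length: " + str(len(body)).encode() + b"\r\n\r\n")
    return head + body


if __name__ == "__main__":
    raw = sample_response()
    print("raw stream (no file_data) matches:", rule_matches(raw))
    print("response body only (file_data)   :", rule_matches(http_response_body(raw)))
    # Negative cases: all-zero entries trip the negated content; ABAB entries fail the pcre.
    print("all-zero entries match:", rule_matches(STSC_HEADER + b"\x00" * 16))
    print("ABAB entries match    :", rule_matches(STSC_HEADER + b"AAAABBBBAAAABBBB"))
```

Both the raw stream and the extracted body should report a match; if the pattern is visible in the body here but sid 444446 stays silent in Suricata, the next thing to check is what actually lands in the file_data buffer for that response (for example, whether the response is chunked or compressed and whether the body limits above let the stsc box through).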