Bug #192
Status: closed
False Negatives when processing the attached pcaps and rules containing http traffic.
Description
Processing all of the attached pcaps and rules (all contain one or two rules and generally one or two tcp sessions). These all appear to be valid http sessions, but we don't seem to properly identify them as http traffic or fire on the attached rules. Snort, however, does.
src/suricata -c suricata.yaml -s 2008396.rule -r 2008396.pcap -l ./ not seen as valid http
src/suricata -c suricata.yaml -s 2008469.rule -r 2008469.pcap -l ./ not seen as valid http
src/suricata -c suricata.yaml -s 2009237.rule -r 2009237.pcap -l ./ not seen as valid http
src/suricata -c suricata.yaml -s 2009354.rule -r 2009354.pcap -l ./ not seen as valid http
src/suricata -c suricata.yaml -s 2009471.rule -r 2009471.pcap -l ./ not seen as valid http
src/suricata -c suricata.yaml -s 2009526.rule -r 2009526.pcap -l ./ not seen as valid http
src/suricata -c suricata.yaml -s 2009539.rule -r 2009539.pcap -l ./ not seen as valid http
src/suricata -c suricata.yaml -s 2010973.rule -r 2010973.pcap -l ./ not seen as valid http
all result in ...
[18172] 28/6/2010 -- 19:55:07 - (alert-fastlog.c:255) <Info> (AlertFastLogExitPrintStats) -- (Outputs) Alerts 0
[18172] 28/6/2010 -- 19:55:07 - (alert-unified2-alert.c:603) <Info> (Unified2AlertThreadDeinit) -- Alert unified2 module wrote 0 alerts
[18172] 28/6/2010 -- 19:55:07 - (log-httplog.c:396) <Info> (LogHttpLogExitPrintStats) -- (Outputs) HTTP requests 0
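The runs above can be turned into a small regression harness that loops over the rule/pcap pairs and flags any pair whose exit stats report zero HTTP requests or zero alerts. The script below is an added example, not part of the bug report or of Suricata itself; it assumes the layout used in the report (./src/suricata, suricata.yaml, and the <id>.rule / <id>.pcap files in the current directory) and parses the "(Outputs) Alerts N" and "(Outputs) HTTP requests N" lines that the report shows. The function and variable names are ours.

```shell
#!/bin/sh
# Added example (not part of the bug report): regression harness that runs
# suricata over each rule/pcap pair from the report and flags pairs whose
# exit stats show zero HTTP requests or zero alerts.
# Assumptions: ./src/suricata, suricata.yaml and <id>.rule / <id>.pcap in
# the current directory, exactly as in the reported command lines.

# Extract a counter from suricata's exit stats on stdin.
# $1 = label, "Alerts" or "HTTP requests" (the lines quoted in the report).
stat_count() {
    sed -n "s/.*(Outputs) $1 \([0-9][0-9]*\).*/\1/p" | tail -n 1
}

# Classify one captured suricata run ($1 = full stdout+stderr).
# Prints "FN ..." (false negative: nothing parsed as HTTP, or no alert
# fired) or "OK ..." with both counters, so a run that parsed HTTP but
# still did not alert is visible as a rule problem rather than a parser one.
classify() {
    alerts=$(printf '%s\n' "$1" | stat_count "Alerts")
    http=$(printf '%s\n' "$1" | stat_count "HTTP requests")
    : "${alerts:=0}" "${http:=0}"   # missing stats line counts as zero
    if [ "$http" -eq 0 ] || [ "$alerts" -eq 0 ]; then
        printf 'FN (alerts=%s http_requests=%s)\n' "$alerts" "$http"
    else
        printf 'OK (alerts=%s http_requests=%s)\n' "$alerts" "$http"
    fi
}

# Run suricata on one id's rule/pcap pair and classify the result.
run_pair() {
    id=$1
    out=$(./src/suricata -c suricata.yaml -s "$id.rule" -r "$id.pcap" -l ./ 2>&1)
    printf '%s: %s\n' "$id" "$(classify "$out")"
}

# Constructed sample: the two stats lines quoted in the report, so
# classify() can be exercised without a suricata binary at hand.
SAMPLE_FN='[18172] 28/6/2010 -- 19:55:07 - (alert-fastlog.c:255) <Info> (AlertFastLogExitPrintStats) -- (Outputs) Alerts 0
[18172] 28/6/2010 -- 19:55:07 - (log-httplog.c:396) <Info> (LogHttpLogExitPrintStats) -- (Outputs) HTTP requests 0'

# "sh harness.sh run" executes the eight pairs from the report;
# "sh harness.sh" only shows the classifier on the constructed sample.
if [ "${1:-}" = "run" ]; then
    for id in 2008396 2008469 2009237 2009354 2009471 2009526 2009539 2010973; do
        run_pair "$id"
    done
else
    printf 'sample: %s\n' "$(classify "$SAMPLE_FN")"
fi
```

Every pair in the report produces "FN (alerts=0 http_requests=0)": the HTTP request counter being zero is the key signal, since it shows the sessions were never handed to the HTTP parser, independently of whether the rule would have matched.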
Files