Bug #457 (closed)
FN with suricata git version 24apr2012 ?
Description
Hi,
OK, I'm restarting my Suricata testing and I found FN results:
1) OK, use only these two sigs:
alert tcp any 80 -> any any (msg:"404"; flow:to_client,established; content:"404"; http_stat_code; file_data; content:!"<script"; nocase; distance:0; classtype:attempted-admin; sid:44333221; rev:1; )
alert tcp any $HTTP_PORTS -> any any (msg:"file_data"; flow:to_server,established; file_data; content:"abc"; nocase; distance:0; classtype:web-application-attack; sid:44333222; rev:1;)
2) and tested with wget / attached pcap file:
wget http://www.openinfosecfoundation.org/xyz.php
2012-04-24 23:54:48 ERREUR 404: Not Found.
3a) results: Suricata v1.3git24apr: no alerts
3b) results: Suricata v1.2.1 : fire/alert
4) OK, change on sig 44333222: $HTTP_PORTS changed to 80
-> results: all Suricata fire/alert
5) OK, another change on sig 44333221: remove 'file_data; content:!"<script"; nocase; distance:0;'
-> results: all Suricata fire/alert
6) OK, another change on sig 44333222: comment out/disable this sig
-> results: all Suricata fire/alert
Checksum verification is disabled.
Snort always fires.
Suricata doesn't report any errors for sig 44333221 or 44333222!
I'm curious whether someone can reproduce my FN (3a), please?
Regards
Rmkml
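An added regression check for this report (not from the ticket or from the Suricata project): it loads only the two rules above, replays the pcap offline, and lists which expected sid did not alert. The Suricata command-line options used, the expected sid set (derived from steps 3b, 5 and 6), and the sample fast.log line are assumptions, as commented.

```python
"""Regression check for the FN reported in bug #457: run Suricata with only
the two rules, then compare the sids found in fast.log with those expected."""
import re
import subprocess
from pathlib import Path

# The two signatures from the report, verbatim.
RULES = (
    'alert tcp any 80 -> any any (msg:"404"; flow:to_client,established; '
    'content:"404"; http_stat_code; file_data; content:!"<script"; nocase; '
    'distance:0; classtype:attempted-admin; sid:44333221; rev:1; )\n'
    'alert tcp any $HTTP_PORTS -> any any (msg:"file_data"; '
    'flow:to_server,established; file_data; content:"abc"; nocase; '
    'distance:0; classtype:web-application-attack; sid:44333222; rev:1;)\n'
)
# Assumption: per steps 3b, 5 and 6, the alert that fires on the 404 response
# is sid 44333221; the "abc" rule is not expected to match the wget request.
EXPECTED_SIDS = {44333221}

# fast.log writes the generator/sid/rev triple as "[**] [1:44333221:1]".
SID_RE = re.compile(r"\[\*\*\] \[(\d+):(\d+):(\d+)\]")

# Constructed fast.log line (not captured from the reporter's run).
SAMPLE_FAST_LOG = (
    "04/24/2012-23:54:48.000000  [**] [1:44333221:1] 404 [**] "
    "[Classification: Attempted Administrator Privilege Gain] [Priority: 1] "
    "{TCP} 192.0.2.10:80 -> 198.51.100.7:34567\n"
)

def fired_sids(fast_log: str) -> set[int]:
    """Return the set of sids with at least one alert line in fast.log."""
    return {int(m.group(2)) for m in SID_RE.finditer(fast_log)}

def missing_sids(fast_log: str, expected=EXPECTED_SIDS) -> set[int]:
    """Expected sids absent from fast.log, i.e. the false negatives."""
    return set(expected) - fired_sids(fast_log)

def run_check(pcap: str, logdir: str, config: str = "suricata.yaml") -> set[int]:
    """Write the rules, replay the pcap offline and return the missing sids.
    Assumption: the installed Suricata supports -S (exclusive rule file),
    -r (read pcap) and -k none (disable checksum verification)."""
    out = Path(logdir)
    out.mkdir(parents=True, exist_ok=True)
    rules = out / "fn457.rules"
    rules.write_text(RULES)
    subprocess.run(["suricata", "-c", config, "-S", str(rules), "-k", "none",
                    "-r", pcap, "-l", str(out)], check=True)
    fast = out / "fast.log"
    return missing_sids(fast.read_text() if fast.exists() else "")

if __name__ == "__main__":
    import sys
    print("missing sids:", sorted(run_check(sys.argv[1], "fn457-logs")) or "none")
```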