Bug #825
closed
http keywords not matching
Added by Laszlo Madarassy over 11 years ago.
Updated over 11 years ago.
Description
Hi,
I want to detect and alert on torrent tracker messages with Suricata, but it seems they won't match. Torrent trackers are usually not on port 80; I don't know whether that is a problem or not.
This rule works:
alert tcp any any -> any any (msg:"torrent tracker message v1"; content:"info_hash="; sid:10;)
But these rules do not match (tried both of them):
alert http any any -> any any (msg:"torrent tracker message v1"; flow:established,to_server; uricontent:"info_hash="; sid:10;)
alert http any any -> any any (msg:"torrent tracker message v1"; content:"info_hash="; http_uri; sid:10;)
alert http any any -> any any (msg:"torrent tracker message v1"; content:"info_hash="; http_raw_uri; sid:10;)
The http response is gzip compressed, so I need the http rule to be able to match.
Btw, is there any method to match an http response belonging to a matched http request?
Laszlo Madarassy wrote:
> Hi,
> I want to detect and alert on torrent tracker messages with Suricata, but it seems they won't match. Torrent trackers are usually not on port 80; I don't know whether that is a problem or not.
> This rule works:
> alert tcp any any -> any any (msg:"torrent tracker message v1"; content:"info_hash="; sid:10;)
> But these rules do not match (tried both of them):
> alert http any any -> any any (msg:"torrent tracker message v1"; flow:established,to_server; uricontent:"info_hash="; sid:10;)
> alert http any any -> any any (msg:"torrent tracker message v1"; content:"info_hash="; http_uri; sid:10;)
> alert http any any -> any any (msg:"torrent tracker message v1"; content:"info_hash="; http_raw_uri; sid:10;)
Can you share a pcap (privately if you want) for testing?
> The http response is gzip compressed, so I need the http rule to be able to match.
> Btw, is there any method to match an http response belonging to a matched http request?
You can set a flowbit on the request rule and check if the flowbit is set on the response rule.
Hi,
Here is a capture file:
http://mik.bme.hu/~lmadarassy/suricata/http.cap
I want to match packets sent to/from 176.31.224.96:2710
Can you give me an easy example for this flowbit?
Thanks,
Laszlo
Anoop Saldanha wrote:
> Laszlo Madarassy wrote:
> > Hi,
> > I want to detect and alert on torrent tracker messages with Suricata, but it seems they won't match. Torrent trackers are usually not on port 80; I don't know whether that is a problem or not.
> > This rule works:
> > alert tcp any any -> any any (msg:"torrent tracker message v1"; content:"info_hash="; sid:10;)
> > But these rules do not match (tried both of them):
> > alert http any any -> any any (msg:"torrent tracker message v1"; flow:established,to_server; uricontent:"info_hash="; sid:10;)
> > alert http any any -> any any (msg:"torrent tracker message v1"; content:"info_hash="; http_uri; sid:10;)
> > alert http any any -> any any (msg:"torrent tracker message v1"; content:"info_hash="; http_raw_uri; sid:10;)
> Can you share a pcap (privately if you want) for testing?
> > The http response is gzip compressed, so I need the http rule to be able to match.
> > Btw, is there any method to match an http response belonging to a matched http request?
> You can set a flowbit on the request rule and check if the flowbit is set on the response rule.
With your rules (I've given them unique sids):
alert tcp any any -> any any (msg:"torrent tracker message v1"; content:"info_hash="; sid:1;)
alert http any any -> any any (msg:"torrent tracker message v1"; flow:established,to_server; uricontent:"info_hash="; sid:2;)
alert http any any -> any any (msg:"torrent tracker message v1"; content:"info_hash="; http_uri; sid:3;)
alert http any any -> any any (msg:"torrent tracker message v1"; content:"info_hash="; http_raw_uri; sid:4;)
I get alerts on all 4:
06/17/2013-14:16:49.672505 [**] [1:4:0] torrent tracker message v1 [**] [Classification: (null)] [Priority: 3] {TCP} 192.168.27.3:28417 -> 176.31.224.96:2710
06/17/2013-14:16:49.672505 [**] [1:3:0] torrent tracker message v1 [**] [Classification: (null)] [Priority: 3] {TCP} 192.168.27.3:28417 -> 176.31.224.96:2710
06/17/2013-14:16:49.672505 [**] [1:2:0] torrent tracker message v1 [**] [Classification: (null)] [Priority: 3] {TCP} 192.168.27.3:28417 -> 176.31.224.96:2710
06/17/2013-14:16:49.672505 [**] [1:1:0] torrent tracker message v1 [**] [Classification: (null)] [Priority: 3] {TCP} 192.168.27.3:28417 -> 176.31.224.96:2710
I started suri as follows:
suricata -c suricata.yaml -r http.cap -S local.rules
What is interesting though, is that only one http session is logged, while there are several in the file. @Anoop, can you check this?
- Assignee set to Anoop Saldanha
Looks right. Other than 1 flow, rest of the flows have missing handshakes.
- Assignee deleted (Anoop Saldanha)
@Laszlo
alert tcp ..... (content:"one"; http_uri; flowbits:set,request_seen; sid:1;)
alert tcp ..... (content:"two"; http_server_body; flowbits:isset,request_seen; sid:2;)
If you don't want the first sig to alert, you can add flowbits:noalert;
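A fuller form of the flowbits pairing sketched above, written for the tracker traffic in this ticket. This is an added example, not a rule set from the ticket or from the Suricata project. It assumes Suricata's app-layer detection has classified the tracker session as HTTP even though it runs on 176.31.224.96:2710 rather than port 80 (the alerts Victor posted confirm that this happens for the capture); the sid numbers, the flowbit name tracker_request_seen and the response content "peers" (the dictionary key a tracker's bencoded announce reply carries) are choices made for this example.

```suricata
# Added example: pair a tracker announce request with its response using flowbits.
# The flowbit name, sids and the response content "peers" are assumptions for this example.

# Request side: info_hash= in the normalized URI. Record state on the flow but do not alert,
# so only the paired response produces an alert.
alert http any any -> any any (msg:"torrent tracker announce request"; flow:established,to_server; content:"info_hash="; http_uri; flowbits:set,tracker_request_seen; flowbits:noalert; sid:1000001; rev:1;)

# Response side: only evaluated when the request rule already matched on this flow.
# http_server_body inspects the body after libhtp has de-chunked and decompressed it,
# so the gzip-compressed tracker reply is still matchable here.
alert http any any -> any any (msg:"torrent tracker announce response"; flow:established,to_client; flowbits:isset,tracker_request_seen; content:"peers"; http_server_body; sid:1000002; rev:1;)
```

Run it against the capture the same way as in the thread (suricata -c suricata.yaml -r http.cap -S local.rules). Because of flowbits:noalert the request rule only records state; the alert you see is for the response, and only on flows where the request was seen first. Matching the compressed response with a plain tcp content rule would fail because the bytes on the wire are gzip output; the http buffers see the decoded body.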
- Status changed from New to Closed
@anoop: ack, missed that. Sorry for the noise.
Closing the ticket as all seems well.