Hi Herz,
When I changed the config in suricata.yaml and enabled the config below, I am able to see the HTTP attack for the first few attacks, and after that I can't see the attack. Also, when I am restarting the Suricata service I can see the attack response below, but when I restart the Suricata services.
I don't know what's happening on the Suricata machine and what needs to be changed in Suricata for this issue.
02/14/2022-08:16:47.154977 [] [1:2221010:1] SURICATA HTTP unable to match response to request [] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 209.10.139.204:8080 → 157.34.218.213 :55641
02/14/2022-08:16:47.154977 [] [1:2002034:12] ET ATTACK_RESPONSE Possible /etc/passwd via HTTP (linux style) [] [Classification: Information Leak] [Priority: 2] {TCP} 209.10.139.204:8080 → 157.34.218.21 :55641
02/14/2022-08:16:47.839147 [] [1:2221010:1] SURICATA HTTP unable to match response to request [] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 209.10.139.204:8080 → 157.34.218.213 :55640
02/14/2022-08:16:47.839147 [] [1:2002034:12] ET ATTACK_RESPONSE Possible /etc/passwd via HTTP (linux style) [] [Classification: Information Leak] [Priority: 2] {TCP} 209.10.139.204:8080 → 157.34.218.21 :55640
02/14/2022-08:16:47.872610 [] [1:2019232:7] ET WEB_SERVER Possible CVE-2014-6271 Attempt in Headers [] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 157.34.218.213 :55638 → 209.10.139.204:8080
stream:
  memcap: 512mb
  checksum-validation: no   # reject wrong csums
  inline: no                # auto will use inline mode in IPS mode, yes or no set it statically
  midstream: true
  async-oneside: true
Can you please help with what we can change in the suricata.yaml file?
Cheers,
Ajeet S
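When triaging output like the lines quoted above, it helps to group the alerts by flow so that a "SURICATA HTTP unable to match response to request" alert (sid 2221010, raised when Suricata sees an HTTP response it cannot pair with a request) can be seen next to the signature alerts on the same connection. The following parser is an added example written for this post; it is not code from the poster or from the Suricata project. It assumes the standard fast.log layout with `[**]` separators (the forum rendering above stripped the asterisks), IPv4 addresses only, and a sample constructed from the post's five lines with the client address written consistently as 157.34.218.213; the stray space before the port and the `→` arrow are tolerated so lines pasted from a browser still parse.

```python
import re
from collections import Counter, defaultdict

# Constructed sample input modeled on the fast.log lines quoted in the post.
SAMPLE_FAST_LOG = """\
02/14/2022-08:16:47.154977 [**] [1:2221010:1] SURICATA HTTP unable to match response to request [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 209.10.139.204:8080 → 157.34.218.213 :55641
02/14/2022-08:16:47.154977 [**] [1:2002034:12] ET ATTACK_RESPONSE Possible /etc/passwd via HTTP (linux style) [**] [Classification: Information Leak] [Priority: 2] {TCP} 209.10.139.204:8080 → 157.34.218.213 :55641
02/14/2022-08:16:47.839147 [**] [1:2221010:1] SURICATA HTTP unable to match response to request [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 209.10.139.204:8080 → 157.34.218.213 :55640
02/14/2022-08:16:47.839147 [**] [1:2002034:12] ET ATTACK_RESPONSE Possible /etc/passwd via HTTP (linux style) [**] [Classification: Information Leak] [Priority: 2] {TCP} 209.10.139.204:8080 → 157.34.218.213 :55640
02/14/2022-08:16:47.872610 [**] [1:2019232:7] ET WEB_SERVER Possible CVE-2014-6271 Attempt in Headers [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 157.34.218.213 :55638 -> 209.10.139.204:8080
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"

# One fast.log alert line. "[**]" is optional so lines whose asterisks were
# stripped by a forum/markdown renderer still match; "->" or "→" both accepted.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4}-\d{2}:\d{2}:\d{2}\.\d+)\s+\[(?:\*\*)?\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[(?:\*\*)?\]\s+"
    r"\[Classification:\s*(?P<cls>[^\]]*)\]\s+\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>[A-Za-z0-9]+)\}\s+"
    rf"(?P<src>{IPV4})\s*:(?P<sport>\d+)\s+(?:->|→)\s+(?P<dst>{IPV4})\s*:(?P<dport>\d+)\s*$"
)

# Suricata's own decoder event for an HTTP response it could not pair with a request.
UNMATCHED_RESPONSE_SID = 2221010


def parse_fast_log(text):
    """Parse fast.log text into a list of alert dicts; non-matching lines are skipped."""
    alerts = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        for key in ("gid", "sid", "rev", "prio", "sport", "dport"):
            rec[key] = int(rec[key])
        alerts.append(rec)
    return alerts


def flow_key(alert):
    """Direction-independent 5-tuple so a request and its response share one key."""
    ends = sorted([(alert["src"], alert["sport"]), (alert["dst"], alert["dport"])])
    return (alert["proto"],) + ends[0] + ends[1]


def unmatched_response_flows(alerts):
    """Return {flow_key: [sids]} for every flow on which sid 2221010 fired.

    Seeing the ET ATTACK_RESPONSE hit only on flows that also carry 2221010 tells
    you Suricata matched the response without ever seeing the request, which is
    what to expect when a flow is picked up midstream or only one side is visible.
    """
    by_flow = defaultdict(list)
    for a in alerts:
        by_flow[flow_key(a)].append(a["sid"])
    return {k: v for k, v in by_flow.items() if UNMATCHED_RESPONSE_SID in v}


def count_by_sid(alerts):
    """Alert volume per (sid, msg), useful for spotting signatures that go quiet."""
    return Counter((a["sid"], a["msg"]) for a in alerts)


if __name__ == "__main__":
    parsed = parse_fast_log(SAMPLE_FAST_LOG)
    for (sid, msg), n in count_by_sid(parsed).most_common():
        print(f"{n:4d}  sid={sid}  {msg}")
    for key, sids in unmatched_response_flows(parsed).items():
        print("unmatched-response flow", key, "sids:", sids)
```

Run it against a real `fast.log` by replacing `SAMPLE_FAST_LOG` with the file contents; flows listed by `unmatched_response_flows` are the ones to compare against `midstream` and `async-oneside` behaviour, since those are the cases where Suricata reports the response without a paired request.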