Some match bypass?

Rules
1

Dear Doctor:
i had a problem in rule matching.
my rule is
alert http any any → any any (msg:“test”; flow:to_client; http.stat_code; content:“200”; sid:1111111;)

my suricata version 6.0.1 RELEASE
my suricata.yaml :
stream:
midstream: yes
memcap: 64mb
checksum-validation: no
inline: auto
reassembly:
memcap: 256mb
depth: 1mb
toserver-chunk-size: 1024
toclient-chunk-size: 1024
randomize-chunk-size: yes

my command:
suricata -r ./landray.pcap -v -c ./suricata.yaml

it doesn’t mactch …
landray.pcap (379.6 KB)

Looking forward to hearing from you

2

Hi leezp,

I could be wrong, but I don’t think there’s an issue with your rule. Rather, it seems to be something with that pcap. I have tried running your rule against that pcap and against live traffic, and I do get alerts from Suricata when it’s inspecting live traffic, but no alerts or even http event types show up in my logs when I run Suricata to inspect that provided pcap.

Unfortunately, my knowledge is limited, still, so I can’t explain why doesn’t that pcap generate alerts. I would just recommend you to test your rule against other pcap, or with live traffic. If you do, please share the resulting output log from eve.json or fast.log! :slight_smile:

Best regards,
Juliana

3

Hi,

I tried looking at some of the http streams and I cannot see the SYN packets for most of them. Looks like the pcap has http coming over long running, reused, TCP sessions.
I would assume that midstream: yes would pick it up but seems like that is not the case.

Are you testing on live traffic or packet capture?
Is the traffic sent from some other TLS inspection box for instance that might mangle it a bit?

There are some streams with SYN packets (for instance tcp.stream eq 74 in wireshark), but the first packets in the stream do not look like http at all.

You might also need to change the http port variables since non-standard ones are in use in the pcap.

4

who can debug with my pcap and config file,i want to know where and why the problem will happen?

5

i tried live mode.
my command is ‘suricata -i eth0 -v -c /etc/suricata/suricata.yaml -k none -l ./log’

‘tcpreplay -i eth0 -M 100 landray.pcap’
my rule is
alert http any any → any any (msg:“test”; flow:to_client; http.stat_code; content:“200”; sid:1111111;)
but there is no alert.
eve.json (24.5 KB)

7

It looks like Suricata isn’t identifying these packets as HTTP. In one flow that I looked at with an HTTP response, there is some data before the start of the HTTP request which could be causing this. Is there any not-normal about your configuration, or the traffic you are monitoring that you may be aware of?

8

how can i fix the pcap file ?

9

It probably can’t be fixed, and we don’t know enough about the source of this pcap. As syoc mentioned, could it be from a TLS inspection box that re-generates non-TLS versions of the traffic?

10

another issue:
‘http.uri’ doesn’t work!
alert http any any → any any (msg:“test2”; http.uri; content:"/…/conf/config.properties";sid:80000;)

my suricata version 6.0.1 RELEASE
my suricata.yaml :
stream:
midstream: yes
memcap: 64mb
checksum-validation: no
inline: auto
reassembly:
memcap: 256mb
depth: 1mb
toserver-chunk-size: 1024
toclient-chunk-size: 1024
randomize-chunk-size: yes

my command:
suricata -r ./lanproxy-cve-2021-3019-lfi.pcap -v -c ./suricata.yaml

but this rule can produce an alert :
lanproxy-cve-2021-3019-lfi.pcap (9.1 KB)

alert http any any → any any (msg:“test2”; content:"/…/conf/config.properties";sid:80000;)

11

Dear Doctor:
by the way , can you give me an example of http2 rules like ‘alert http2 any any → any any (…)’

12

Hi,

jumping in again, thought I could help with some alert http2 any any -> any any rules examples from our Suricata-verify tests :slight_smile:

In the http2-keywords test, there is a rule that uses http.uri:

Here, other examples of rules:

There are some other tests, too, in which you can find possibly useful material. Hope they’ll be of help!

13

thank you very much!

14

3/8/2021 – 14:47:58 - - [ERRCODE: SC_ERR_CONFLICTING_RULE_KEYWORDS(141)] - can’t set rule app proto to http: already set to http2

my suricata version 6.0.1 RELEASE

15

Hi leezp,

Sorry for the late reply. So, I tried running those rules and didn’t get this error you’ve shared. Did it fire with the rule you quoted?

Regarding http.uri not working, could you be more specific on what do you mean by that? Do you see any errors?

Thanks for providing the info to let us understand the issues better!

16

how to compile an edition with lua support and how to config it , please

17

How to analyze the difference of payload between two consecutive packets using suricata rules or lua script

18

Hi leezp,

in order to enable lua support, you’ll need to run the configure option
--enable-lua

If your system doesn’t have the preferred lua version (lib lua5.1), Suricata will complain and point out to how to solve it.

19

my suricata.yaml

  • lua:
    enabled: yes
    scripts-dir: /home/suricata/rules/test
    scripts:
    - script1.lua

my rules:
alert dns any any → any any (msg:“test lua”; lua:test/script1.lua; sid:112223;)

my script1.lua:
function init()
local needs = {}
needs[“type”] = “packet”
needs[“filter”] = “alerts”
return needs
end

function setup()
alert_count = 0
end

function log()
timestring = SCPacketTimeString()
sid, rev, gid = SCRuleIds()
msg = SCRuleMsg()
class, priority = SCRuleClass()

ip_version, src_ip, dst_ip, protocol, src_port, dst_port = SCPacketTuple()

if class == nil then
    class = "unknown"
end

print (timestring .. "  [**] [" .. gid .. ":" .. sid .. ":" .. rev .. "] " ..
       msg .. " [**] [Classification: " .. class .. "] [Priority: " ..
       priority .. "] {" .. protocol .. "} " ..
       src_ip .. ":" .. src_port .. " -> " .. dst_ip .. ":" .. dst_port)

alert_count = alert_count + 1;

end

function deinit()
print (“Alerted " … alert_count … " times”);
end

errored:
- [ERRCODE: SC_ERR_LUA_ERROR(212)] - unsupported data type type

20

So, I’m not an expert with lua scripts, but from what I could gather, it’s not the lua support that is not working.

I tried a similar version of your script with a local suricata verify test, and that worked. When I tried to use it with suri in live mode, it didn’t seem to work, so… I don’t know. I’m appending my script to the end of this answer.

The error suggests that Suricata doesn’t recognize the keyword type in your script’s specific context. It could be some small typo somewhere or a wrong symbol, or it can also be that the combination you’re using doesn’t work in the way you want to use it.

Right now, I’m unable to offer more help with this…


my script:

function init(args)
    local needs = {}
    needs["type"] = "packet"
    needs["filter"] = "alerts"
    return needs
end

function setup(args)
    alert_count = 0 
end

function log(args)
    timestring = SCPacketTimeString()
    sid, rev, gid = SCRuleIds()
    msg = SCRuleMsg()
    class, priority = SCRuleClass()
    ip_version, src_ip, dst_ip, protocol, src_port, dst_port = SCPacketTuple()

    if class == nil then
        class = "unknown"
    end 

    print (timestring .. "  [**] [" .. gid .. ":" .. sid .. ":" .. rev .. "] " ..
        msg .. " [**] [Classification: " .. class .. "] [Priority: " ..
        priority .. "] {" .. protocol .. "} " ..
        src_ip .. ":" .. src_port .. " -> " .. dst_ip .. ":" .. dst_port)
    alert_count = alert_count + 1
end

function deinit(args)
    print ("Alerted " .. alert_count .. " times");
end
21

how to save request and response payload in an alert of eve.json.
i experimented but only get one-direction log.
such as
image
i only get “530 User cannot log in.\r\n221 Goodbye.”