Suricata does not trigger alerts from a pcap file recorded with Wireshark

Hello everyone, I'm trying to test a pcap file recorded with Wireshark but there are no results. A live test gives me alerts, but when I use the pcap there is no result. Please help. Thank you.

Here is my rule, live result and pcap file:
Rule: alert tcp any any -> any any (msg:"TEST Directory traversal"; http.uri.raw; content:"%2e%2e%2f"; nocase; classtype:web-application-attack; sid:1000002; rev:1;)
test.pcap (188.5 KB)

Hi!

Which version of Suricata are you using?
Are you sure your rule is being loaded successfully by Suricata (this can be verified in suricata.log)?

The following signatures work for me with the pcap you shared.

alert http any any -> any any (msg:"TEST Directory Traversal"; flow:established,to_server; http.uri.raw; content:"|25 32 65 25 32 65 25 32 66|"; classtype:web-application-attack; sid:2; rev:1;)

alert tcp any any -> any any (msg:"TEST Directory traversal"; http.uri.raw; content:"%2e%2e%2f"; nocase; classtype:web-application-attack; sid:1000002; rev:1;)

A couple notes:

  1. Suricata is able to detect HTTP traffic reasonably well, so you can use the http protocol (instead of tcp) in your signature. This may also make the signature perform a bit better.

  2. If there is encoding present, in this case URI encoding (%2e%2e), it is usually best to represent it in the signature as hex, since that is what is seen on the wire.

Hope that helps

JT


Thanks for your reply.
1 - Which version I used: 6.0.2
2 - My rule is loaded with no syntax errors; testing in offline mode, but when I try tcpreplay with this pcap there is no result: tcpreplay -x 4 ens33 test.pcap (tail -f eve.json shows traffic going on, but no alerts in it or in fast.log)
3 - Retested with the ET Open ruleset enabled and my custom rule; it shows only these alerts and no result with the name "TEST Directory traversal"

Are you able to share your logs? How are you starting Suricata? How are you determining that your rule is being loaded along with the others?

When testing signatures it is sometimes easier to use Suricata in replay mode (-r); an example is in this discussion: How to run suricata to check whether the rules I wrote for a certain pcap file are correct

JT


I figured it out: there is a packet checksum option on the Suricata command line and in suricata.yaml. After disabling it, using tcpreplay or reading the pcap from Suricata works fine. Can you explain more about checksums? Should I disable it in suricata.yaml in a production environment for monitoring traffic? Thank you very much

Example in suricata.yaml

Possible values are:

#  - kernel: use indication sent by kernel for each packet (default)
#  - yes: checksum validation is forced
#  - no: checksum validation is disabled
#  - auto: Suricata uses a statistical approach to detect when
#  checksum off-loading is used.
# Warning: 'capture.checksum-validation' must be set to yes to have any validation
#checksum-checks: kernel
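To see whether a capture actually carries the bad checksums that make Suricata skip packets when validation is on (typical for captures taken on a host with checksum offloading), here is an added example that is not from this thread: a small pure-Python audit that verifies the IPv4 header and TCP checksums of every TCP packet in a classic pcap. The two frames and the pcap bytes are constructed inline; the second frame leaves the TCP checksum zeroed, as an offloading NIC would.

```python
import struct

def ones_complement_sum(data: bytes) -> int:
    """Return the 16-bit ones' complement of the ones' complement sum of data (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def tcp_checksum_ok(ip_hdr: bytes, tcp_seg: bytes) -> bool:
    # The TCP checksum covers a pseudo-header (src, dst, zero, proto 6, TCP length) plus the segment.
    pseudo = ip_hdr[12:20] + struct.pack("!BBH", 0, 6, len(tcp_seg))
    return ones_complement_sum(pseudo + tcp_seg) == 0

def audit_pcap(pcap: bytes):
    """Return (tcp_packets, bad_ip_checksums, bad_tcp_checksums) for Ethernet/IPv4/TCP frames."""
    endian = "<" if pcap[:4] == b"\xd4\xc3\xb2\xa1" else ">"   # classic pcap magic, either byte order
    off, total, bad_ip, bad_tcp = 24, 0, 0, 0                    # 24-byte global header
    while off + 16 <= len(pcap):                                 # 16-byte record header per packet
        incl = struct.unpack(endian + "I", pcap[off + 8:off + 12])[0]
        frame = pcap[off + 16:off + 16 + incl]
        off += 16 + incl
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":      # IPv4 over Ethernet only
            continue
        ihl = (frame[14] & 0x0F) * 4
        ip_hdr = frame[14:14 + ihl]
        if ip_hdr[9] != 6:                                       # TCP only
            continue
        ip_len = struct.unpack("!H", ip_hdr[2:4])[0]
        total += 1
        bad_ip += ones_complement_sum(ip_hdr) != 0              # a valid header sums to zero
        bad_tcp += not tcp_checksum_ok(ip_hdr, frame[14 + ihl:14 + ip_len])
    return total, bad_ip, bad_tcp

def build_frame(payload: bytes, good_tcp_csum: bool) -> bytes:
    """Constructed frame 10.0.0.1 -> 10.0.0.2:80; TCP checksum left at 0 when good_tcp_csum is False."""
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    ip = ip[:10] + struct.pack("!H", ones_complement_sum(ip)) + ip[12:]
    if good_tcp_csum:
        pseudo = ip[12:20] + struct.pack("!BBH", 0, 6, len(tcp))
        tcp = tcp[:16] + struct.pack("!H", ones_complement_sum(pseudo + tcp)) + tcp[18:]
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp

def make_pcap(frames) -> bytes:
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)   # classic pcap, LINKTYPE_ETHERNET
    return hdr + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)

REQUEST = b"GET /%2e%2e%2f HTTP/1.1\r\nHost: example\r\n\r\n"       # constructed sample request
SAMPLE_PCAP = make_pcap([build_frame(REQUEST, True), build_frame(REQUEST, False)])
```

Replace SAMPLE_PCAP with the bytes of a real capture (open(path, "rb").read()) to audit it; a non-zero bad_tcp count is the case where checksum validation needs to be disabled (or the capture re-taken) before Suricata will inspect the HTTP request.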

I am not entirely sure what the scenarios are for leaving checksum evaluation in place. In my experience, I have always turned it off due to packet handling within the environments I have run Suricata in. From the command line I run replay mode (-r) with -k none, which turns checksum evaluation off.

Perhaps one of the OISF folks or others will chime in for more information on checksum usage.

JT
