Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

test: add test for 'unseen' http midstream packets - v2 #877

Closed
wants to merge 1 commit into from
Closed

test: add test for 'unseen' http midstream packets - v2 #877

wants to merge 1 commit into from

Conversation

jufajardini
Copy link
Contributor

Previous PR: #763

Describe changes:

  • redid the sv tests, as after reviewing it didn't seem that the first version was actually showing anything useful
  • now we have two tests, one with each shared pcap. 01 shows the unseen http packets behavior, 02 shows how Suri is able to identify them when part of a larger stream.

** To note **
I was not able to get Suri to log the payload, in any of the tests.
I also did not manage to get alerts with the rule shared on the Discord chat, nor with another sid that showed up in one of the logs shared by them...

Redmine ticket: Bug #5437

@jufajardini
tests: add test for unseen http midstream traffic
c2c34fe 
In a pcap where just a `http` midstream traffic packets are seen, Suri is
unable to see those as `http` packets (Wireshark tags them correctly).

This also seems to result in Suri sometimes not adding the packet
payload to the associated alert event in the eve-log.

`unseen-http-stream-01` has the pcap where http packets are not seen
`unseen-http-stream-02` has a more complete pcap, where the same packets
are properly identified by Suri

Related to
Bug #5437
@jufajardini jufajardini mentioned this pull request Jul 8, 2022
Closed
@catenacyber
Copy link
Collaborator

Should not CI fail until ticket is resolved ?

@jufajardini
Copy link
Contributor Author

Should not CI fail until ticket is resolved ?

You're right, I wasn't sure how to proceed with the creation of this test, tbh.
Maybe I could add a check for the payload field? 🤔

@catenacyber
Copy link
Collaborator

You're right, I wasn't sure how to proceed with the creation of this test, tbh. Maybe I could add a check for the payload field? 🤔

I had not looked into the ticket yet.
Now that I read it, I am not sure I understand the issue...

If this is about the payload field, I think there are other open issues about it already...

@jufajardini
Copy link
Contributor Author

You're right, I wasn't sure how to proceed with the creation of this test, tbh. Maybe I could add a check for the payload field? thinking

I had not looked into the ticket yet. Now that I read it, I am not sure I understand the issue...

If this is about the payload field, I think there are other open issues about it already...

The payload field may be a side effect. The issue is that there's some http traffic in the anonymized pcap that is not being picked as http by Suri, even if we pass stream.midstream=true.

I said I think you are right because I thought that we should have a test that is able to show that Suri has this bug. But I wasn't able to...

@catenacyber
Copy link
Collaborator

Am I understanding correctly that you do not manage to reproduce the bug described in the redmine ticket https://redmine.openinfosecfoundation.org/issues/5437 ?

Do I read correctly the redmine ticket that the bug is that some flows do not have app-layer: http ? These flows do not have 3way handshake but suricata uses stream.midstream=true

@catenacyber catenacyber marked this pull request as draft August 24, 2022 12:25
@jufajardini
Copy link
Contributor Author

Am I understanding correctly that you do not manage to reproduce the bug described in the redmine ticket https://redmine.openinfosecfoundation.org/issues/5437 ?

The part I was not able to reproduce is the have payload to be printed. In both tests, that is not shown in these tests, while apparently it should be seen for the full pcap (test 02)

Do I read correctly the redmine ticket that the bug is that some flows do not have app-layer: http ? These flows do not have 3way handshake but suricata uses stream.midstream=true
If I understand your question correctly, yes, the bug is the fact that this HTTP flow isn't recognized by Suri, regardless of having stream.midstream set to true...

@catenacyber
Copy link
Collaborator

catenacyber commented Aug 24, 2022
edited

Do I read correctly the redmine ticket that the bug is that some flows do not have app-layer: http ? These flows do not have 3way handshake but suricata uses stream.midstream=true

If I understand your question correctly, yes, the bug is the fact that this HTTP flow isn't recognized by Suri, regardless of having stream.midstream set to true...

So, the S-V test should be about event_type==flow and app_layer==http, right ?
And it should fail on master

@jufajardini
Copy link
Contributor Author

Do I read correctly the redmine ticket that the bug is that some flows do not have app-layer: http ? These flows do not have 3way handshake but suricata uses stream.midstream=true

If I understand your question correctly, yes, the bug is the fact that this HTTP flow isn't recognized by Suri, regardless of having stream.midstream set to true...

So, the S-V test should be about event_type==flow and app_layer==http, right ? And it should fail on master

thanks, I was feeling rather lost with how to approach this one. I'll incorporate those changes :)

@jufajardini jufajardini mentioned this pull request Sep 2, 2022
Closed
@jufajardini
Copy link
Contributor Author

Replaced by: #926

@jufajardini jufajardini closed this Sep 2, 2022
@jufajardini jufajardini deleted the nopayload-output/v2 branch April 17, 2023 12:38
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Milestone
No milestone
2 participants
@jufajardini @catenacyber