Alerts not working for sites with GZIP encoding including 'testmyids.com'

[jonathan....@gmail.com]

Hi All

When I browse to www.testmyids.com using a browser, I don't see any alert, even though I can see the packets in Wireshark. When I use Curl to connect to www.testmyids.com the alert is generated.

The difference is that using Curl the text isn't gzip encoded, but when using a browser the text is gzip encoded. As far as I can remember browsing to testmyids.com used to always trigger an alert. Can SecurityOnion using suricata decode and alert on gzip'd websites, and do you get an alert on your own Securityonion instance if browsing to testmyids.com using a browser? I'm assuming GZIP'd websites do alert for other people, as testmyids.com wouldn't work through the browser otherwise. Any help is greatly appreciated.

Many Thanks

Jon

HTTP/1.1 200 OK
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Keep-Alive: timeout=15
Date: Wed, 15 Aug 2018 10:53:16 GMT
Server: Apache
Last-Modified: Mon, 15 Jan 2007 23:11:55 GMT
ETag: W/"27-4271c5f1ac4c0"
Content-Encoding: gzip

2a
..........+.L.5.(../.THGf...........K.'...
0

[Kevin Branch]

Here is the rule you are referring to:

alert ip any any -> any any (msg:"GPL ATTACK_RESPONSE id check returned root"; content:"uid=0|28|root|29|"; classtype:bad-unknown; sid:2100498; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

If I understand correctly, a plain "content" match is only made against the raw payload, not against gzip decoded http client or server content.  Thus I would not expect a web browser that hits www.testmyids.com to trip this rule, while curl would.

I think if the rule were modified to use http-server-body like this, that it would do what you are looking for:

alert ip any any -> any any (msg:"GPL ATTACK_RESPONSE id check returned root"; content:"uid=0|28|root|29|"; http-server-body; classtype:bad-unknown; sid:2100498; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;) 

See https://suricata.readthedocs.io/en/suricata-4.0.5/rules/http-keywords.html#http-server-body

Please try this out and let us know if it works.

Kevin

--
Follow Security Onion on Twitter!
https://twitter.com/securityonion
---
You received this message because you are subscribed to the Google Groups "security-onion" group.
To unsubscribe from this group and stop receiving emails from it, send an email to security-onion+unsubscribe@googlegroups.com.
To post to this group, send email to security-onion@googlegroups.com.
Visit this group at https://groups.google.com/group/security-onion.
For more options, visit https://groups.google.com/d/optout.

[jonathan....@gmail.com]

> To unsubscribe from this group and stop receiving emails from it, send an email to security-onio...@googlegroups.com.
>
> To post to this group, send email to securit...@googlegroups.com.

>
> Visit this group at https://groups.google.com/group/security-onion.
>
> For more options, visit https://groups.google.com/d/optout.

Hi Kevin

Thanks for getting back to me. That makes sense, the only confusing thing is I thought it always used to work from a browser. It may just be that the site wasn't GZIP encoded before. Out of interest do you get an alert if browsing to testmyids.com using a browser?

Thanks

Jon

[Kevin Branch]

Hi Jon,

It could well be that testmyids.com started supporting gzip encoding at some point recently.  I just now tried surfing to http://testmyids.com/ from Chrome and my freshly built SO dev server indeed did not alert about it.

Kevin

To unsubscribe from this group and stop receiving emails from it, send an email to security-onion+unsubscribe@googlegroups.com.
To post to this group, send email to security-onion@googlegroups.com.

[jonathan....@gmail.com]

Thanks for that, that's basically the conclusion I came to but just wanted to make sure I wasn't missing anything. Appreciate your help and validating that you're seeing the same behaviour.

Jon