Help understanding what a rule is doing

Found out that the issue to my earlier problem was Suricata:

The problem is that my HTTP web server couldn't serve more than 781,197,296 bytes before Suricata killed the traffic. I was testing with a Linux Distro ISO, but it could be replicated with any sufficiently large file. The error message is:
[Drop] [**] [1:2100494:12] GPL ATTACK_RESPONSE command completed [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP}

I traced that back into Emerging Threats ruleset file rules/emerging-attack_response.rules which says this:

alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"GPL ATTACK_RESPONSE command completed"; flow:established; content:"Command completed"; nocase; reference:bugtraq,1806; classtype:bad-unknown; sid:2100494; rev:12; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

In the past when I've had to look up a rule ET had it in their docs, but I can't find that rule anywhere in their documentation. Trying to track down the sid has led to dead ends, and tracking down bugtraq 1806 leads to a Microsoft IIS issue that doesn't look relevant in the slightest.

The hits I’m getting in online searching aren’t really relevant or helpful so far.

Can anyone help me figure out what is going on? I’d really like to know why this rule is killing valid HTTP traffic.
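Added example (not part of the original post, and not code from Emerging Threats or the Suricata project): a minimal parser for the rule text quoted above, plus a re-implementation of its only detection test, a single `content:"Command completed"; nocase;` match with no `depth`, `offset` or HTTP buffer restriction. Run over a constructed byte blob standing in for an ISO image (the blob, the offsets and the helper names are all this example's own assumptions), it shows the mechanism behind the drop: the rule fires on the first case-insensitive occurrence of that string anywhere in a server-to-client stream, and a large binary file served over HTTP has a fair chance of containing it.

```python
# Added example: parse the sid:2100494 rule and replay its content match over
# a constructed byte stream. Not Suricata's matching engine; it only models the
# one keyword this rule uses (content + nocase, no buffer/depth/offset limits).
import re
from dataclasses import dataclass
from typing import Optional

# The rule exactly as quoted from rules/emerging-attack_response.rules.
RULE = ('alert http $HTTP_SERVERS any -> $EXTERNAL_NET any '
        '(msg:"GPL ATTACK_RESPONSE command completed"; flow:established; '
        'content:"Command completed"; nocase; reference:bugtraq,1806; '
        'classtype:bad-unknown; sid:2100494; rev:12; '
        'metadata:created_at 2010_09_23, updated_at 2010_09_23;)')


@dataclass
class Rule:
    action: str
    proto: str
    src: str
    src_port: str
    dst: str
    dst_port: str
    options: list      # (keyword, value) pairs in rule order
    contents: list     # (pattern bytes, nocase flag) for each content: keyword


_HEADER = re.compile(
    r'^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s+\((.*)\)$', re.S)
# One option is a run of non-';' text; quoted strings may themselves contain ';'.
_OPTION = re.compile(r'(?:[^;"]|"(?:[^"\\]|\\.)*")+')


def parse_rule(text: str) -> Rule:
    """Split the header and the option list; only content/nocase are interpreted."""
    m = _HEADER.match(text.strip())
    if not m:
        raise ValueError('not a recognised rule header')
    options = []
    for raw in _OPTION.findall(m.group(7)):
        raw = raw.strip()
        if not raw:
            continue
        key, _, val = raw.partition(':')   # keywords without ':' (nocase) get val ''
        options.append((key.strip(), val.strip()))
    contents = []
    for key, val in options:
        if key == 'content':
            contents.append([val.strip('"').encode(), False])
        elif key == 'nocase' and contents:
            contents[-1][1] = True        # nocase modifies the preceding content
    return Rule(*m.group(1, 2, 3, 4, 5, 6), options, [tuple(c) for c in contents])


def option(rule: Rule, key: str) -> Optional[str]:
    """Value of the first option with this keyword, or None."""
    return next((v for k, v in rule.options if k == key), None)


def first_match_offset(rule: Rule, payload: bytes) -> Optional[int]:
    """Lowest offset at which a content pattern hits; None unless every pattern is present."""
    offset = None
    for pattern, nocase in rule.contents:
        hay, needle = (payload.lower(), pattern.lower()) if nocase else (payload, pattern)
        pos = hay.find(needle)
        if pos < 0:
            return None
        offset = pos if offset is None else min(offset, pos)
    return offset


def rule_fires(rule: Rule, payload: bytes) -> bool:
    return bool(rule.contents) and first_match_offset(rule, payload) is not None


# Constructed stand-in for a large binary download (e.g. an ISO): 4 KiB of
# arbitrary bytes, an embedded boot-loader message, then more arbitrary bytes.
ISO_LIKE_PAYLOAD = (bytes(range(256)) * 16
                    + b'bootloader: command COMPLETED\r\n'
                    + bytes(range(256)) * 16)
# Same kind of data without the string: the rule never fires on it.
CLEAN_PAYLOAD = bytes(range(256)) * 32

if __name__ == '__main__':
    r = parse_rule(RULE)
    print(r.action, r.proto, r.src, '->', r.dst, 'sid', option(r, 'sid'), r.contents)
    for name, data in (('iso-like', ISO_LIKE_PAYLOAD), ('clean', CLEAN_PAYLOAD)):
        hit = first_match_offset(r, data)
        print(f'{name}: {"FIRES at byte " + str(hit) if hit is not None else "no match"}')
```

Two things to check against your own setup. The rule text is `alert`, while the log line shows `[Drop]`, so the conversion to a drop action happened in the local Suricata configuration (for example through suricata-update's drop.conf or an inline/IPS policy), not in the ET ruleset itself. And if the rule is not wanted for this server, the standard suricata-update mechanism is to list the sid (`2100494`) in disable.conf and re-run suricata-update, rather than editing the downloaded rules file, which the next update would overwrite.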

I know this is not what you want to hear but developers of Emerging Threats and Suricata should be able to answer your question and would have better answers.



Thanks. I was just hoping I didn’t have to sign up for yet another community. I was hoping for someone here. But I can try. :smiley:

For future reference if someone else stumbles across this, I’ve just created a post on the suricata forum.
