Greetings,
Found out that the issue to my earlier problem was Suricata:
The problem is that my HTTP web server couldn’t serve more than 781,197,296 bytes before Suricata killed the traffic. I was testing with a Linux Distro ISO, but it could be replicated with any sufficiently large file. The error message is:
[Drop] [**] [1:2100494:12] GPL ATTACK_RESPONSE command completed [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP}
I traced that back into Emerging Threats ruleset file rules/emerging-attack_response.rules
which says this:
alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"GPL ATTACK_RESPONSE command completed"; flow:established; content:"Command completed"; nocase; reference:bugtraq,1806; classtype:bad-unknown; sid:2100494; rev:12; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
In the past when I’ve had to look up a rule, ET had it in their docs, but I can’t find that rule anywhere in their documentation. Trying to track down the sid has led to dead ends, and tracing down the bugtraq for 1806 is a Microsoft IIS issue that doesn’t look relevant in the slightest.
The hits I’m getting in online searching aren’t really relevant or helpful so far.
Can anyone help me figure out what is going on? I’d really like to know why this rule is killing valid HTTP traffic.
Thanks
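To check which bytes of a served file actually satisfy this rule's content match, here is an added example (my own code, not from Emerging Threats or the Suricata project) that scans a file chunk by chunk for the rule's `content:` string with `nocase` semantics and reports the byte offsets, carrying an overlap across chunk boundaries so a straddling occurrence is not missed. The sample file it builds is constructed for the demo; the function names, chunk size and offsets are my own assumptions, not anything from the post or the ruleset.

```python
import os
import re
import tempfile


def find_content_matches(path, content, nocase=True, chunk_size=1 << 20):
    """Report every byte offset in `path` where the rule's content: string
    occurs, case-insensitively when nocase=True (the nocase keyword).
    Chunks overlap by len(content)-1 bytes so a match straddling a chunk
    boundary is still found, and found exactly once."""
    needle = content.encode("latin-1")
    pattern = re.compile(re.escape(needle), re.IGNORECASE if nocase else 0)
    overlap = len(needle) - 1
    offsets, tail, buf_start = [], b"", 0   # buf_start: file offset of buf[0]
    with open(path, "rb") as fh:
        while True:
            chunk = fh.read(chunk_size)
            if not chunk:
                break
            buf = tail + chunk
            pos = 0
            while (m := pattern.search(buf, pos)) is not None:
                offsets.append(buf_start + m.start())
                pos = m.start() + 1          # also catch overlapping occurrences
            tail = buf[len(buf) - overlap:] if overlap else b""
            buf_start += len(buf) - len(tail)
    return offsets


def write_sample(path, chunk_size):
    """Constructed input: zero filler with one copy of the string straddling
    the first chunk boundary and an exact-case copy later in the file."""
    data = bytearray(chunk_size * 3)
    straddle, exact = chunk_size - 5, 2 * chunk_size + 100
    data[straddle:straddle + 17] = b"CoMmAnD cOmPlEtEd"
    data[exact:exact + 17] = b"Command completed"
    with open(path, "wb") as fh:
        fh.write(data)
    return straddle, exact


def demo(chunk_size=4096, nocase=True):
    """Return (expected offsets, offsets the scanner reported)."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "sample.bin")
        straddle, exact = write_sample(path, chunk_size)
        expected = [straddle, exact] if nocase else [exact]
        return expected, find_content_matches(path, "Command completed", nocase, chunk_size)
```

Running `find_content_matches` against the real ISO tells you whether the string occurs at all and at which offset, which is the first thing to know before deciding on a threshold or suppress entry for sid 2100494 on your own web server.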