Project

General

Profile

Actions

Bug #1098

closed

http_raw_uri with relative pcre parsing issue

Added by rmkml rmkml over 7 years ago. Updated over 7 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

Hi,

Suricata v2.0 beta 2 fire if you use relative uri pcre like this:

alert tcp any any -> any 80 (msg:"Testing Rule1"; content:"baduricontent"; http_raw_uri; pcre:"/[a-z]{5}\.html/R"; sid:1; rev:2;)

but not fire if you use ^ on relative uri pcre like this: (It's fire on snort)

alert tcp any any -> any 80 (msg:"Testing Rule2"; content:"baduricontent"; http_raw_uri; pcre:"/^[a-z]{5}\.html/R"; sid:2; rev:2;)

Tested with: wget http://google.com/baduricontentabcde.html
(joigned pcap file)

Regards
rmkml rmkml


Files

suricatav20beta2httprawuriFN.pcap (1.58 KB) suricatav20beta2httprawuriFN.pcap rmkml rmkml, 02/04/2014 09:44 AM
Actions #1

Updated by Victor Julien over 7 years ago

  • Subject changed from FN on Suricata v2beta2 with relative uri pcre circumflex (^) to http_raw_uri with relative pcre parsing issue
  • Assignee set to OISF Dev
  • Target version set to 2.0.1rc1

Seems the conclusion in the oisf-devel thread is that this is actually an error reporting bug in rule parsing: https://lists.openinfosecfoundation.org/pipermail/oisf-devel/2014-February/002928.html

Actions #2

Updated by Victor Julien over 7 years ago

  • Target version changed from 2.0.1rc1 to 2.0.2
Actions #3

Updated by Victor Julien over 7 years ago

  • Status changed from New to Closed
  • Assignee changed from OISF Dev to Victor Julien
  • % Done changed from 0 to 100
Actions

Also available in: Atom PDF