Project

General

Profile

Actions

Bug #1098

closed

http_raw_uri with relative pcre parsing issue

Added by rmkml rmkml about 10 years ago. Updated almost 10 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

Hi,

Suricata v2.0 beta 2 fire if you use relative uri pcre like this:

alert tcp any any -> any 80 (msg:"Testing Rule1"; content:"baduricontent"; http_raw_uri; pcre:"/[a-z]{5}\.html/R"; sid:1; rev:2;)

but not fire if you use ^ on relative uri pcre like this: (It's fire on snort)

alert tcp any any -> any 80 (msg:"Testing Rule2"; content:"baduricontent"; http_raw_uri; pcre:"/^[a-z]{5}\.html/R"; sid:2; rev:2;)

Tested with: wget http://google.com/baduricontentabcde.html
(joigned pcap file)

Regards
@rmkml rmkml


Files

suricatav20beta2httprawuriFN.pcap (1.58 KB) suricatav20beta2httprawuriFN.pcap rmkml rmkml, 02/04/2014 09:44 AM
Actions

Also available in: Atom PDF