Project

General

Profile

Actions
Copy link

Bug #12

closed

Negated pcre treated as a normal match

Added by Will Metcalf over 14 years ago. Updated over 14 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Victor Julien
Target version:
0.8.0
Affected Versions:
Effort:
Difficulty:
Label:

Description

given a packet with the following payload of:

AllWorkAndNoPlayMakesVictorADullBoy AllWorkAndNoPlayMakesVictorADullBoy AllWorkAndNoPlayMakesVictorADullBoy AllWorkAndNoPlayMakesVictorADullBoy AllWorkAndNoPlayMakesVictorADullBoy AllWorkAndNoPlayMakesVictorADullBoy AllWorkAndNoPlayMakesVictorADullBoy AllWorkAndNoPlayMakesVictorADullBoy AllWorkAndNoPlayMakesVictorADullBoy AllWorkAndNoPlayMakesVictorADullBoy AllWorkAndNoPlayMakesVictorADullBoy AllWorkAndNoPlayMakesVictorADullBoy AllWorkAndNoPlayMakesVictorADullBoy AllWorkAndNoPlayMakesVictorADullBoy AllWorkAndNoPlayMakesVictorADullBoy AllWorkAndNoPlayMakesVictorADullBoy AllWorkAndNoPlayMakesVictorADullBoy AllWorkAndNoPlayMakesVictorADullBoy AllWorkAndNoPlayMakesVictorADullBoy

the following rules should not fire but they do. I have attached a patch with a failing unit tests.
alert tcp any any -> any any (msg:"all work and no play"; content:"AllWork"; pcre:"!/AndNoPlay/i"; sid: 1);
alert tcp any any -> any any (msg:"all work and no play"; content:"AllWork"; pcre:!"/AndNoPlay/i"; sid: 2);

Files

0001-failing-unit-test-showing-negated-pcre-treated-as-no.patch (3.16 KB) 0001-failing-unit-test-showing-negated-pcre-treated-as-no.patch unit test showing that negated pcre matches are treated as non-negated matches Will Metcalf, 11/24/2009 08:58 PM
Actions
Copy link

Also available in: Atom PDF