Bug #1416

closed

request feature: urilen <> inclusive please

Added by rmkml rmkml about 9 years ago. Updated over 6 years ago.

Status:
Closed
Priority:
Normal
Assignee:
-
Target version:
-
Affected Versions:
Effort:
Difficulty:
Label:

Description

Hi,

First, thanks Suricata team and all,

I recently tested urilen on Snort, and urilen <> is inclusive there, but not on Suricata when tested.

Example: URI length is 6 (wget www.google.com/23456, attached pcap file)

1 -> urilen:5<>7: Suricata and Snort fire
2 -> urilen:5<>6: Suricata does not fire but Snort fires
(because Snort uses it like 5<>=6) # no error in Suricata output
3 -> urilen:6<>7: Suricata does not fire but Snort fires
(because Snort uses it like 6=<>7) # no error in Suricata output

Tested with these sigs:
alert tcp any any -> any 80 (msg:"urilen test 1"; flow:to_server,established; urilen:5<>7; classtype:web-application-attack; sid:1; rev:1;)
alert tcp any any -> any 80 (msg:"urilen test 2"; flow:to_server,established; urilen:5<>6; classtype:web-application-attack; sid:2; rev:1;)
alert tcp any any -> any 80 (msg:"urilen test 3"; flow:to_server,established; urilen:6<>7; classtype:web-application-attack; sid:3; rev:1;)

Regards
@rmkml rmkml


Files

suricata_urilen.pcap (2.58 KB), rmkml rmkml, 03/14/2015 08:33 AM

Actions #1

Updated by Victor Julien about 9 years ago

  • Assignee set to Jason Ish
  • Target version set to 2.1beta4

@Will Metcalf, do you think it's safe to change this for our stable branch? Or shall we just document it as a diff vs Snort and Suricata 2.1?

Actions #2

Updated by Jason Ish about 9 years ago

From the Snort documentation, it sounds like Snort may be in error here: http://manual.snort.org/node388.html

@rmkml rmkml: Have you chased this up with the Snort guys? If rules out there depend on this behaviour, then at the least the documentation should change I think.

Actions #3

Updated by Jason Ish about 9 years ago

  • Status changed from New to Assigned
  • Estimated time set to 2.00 h

Actions #4

Updated by Jason Ish about 9 years ago

  • Status changed from Assigned to Resolved
  • % Done changed from 0 to 100

PR: https://github.com/inliniac/suricata/pull/1417

On a second read of the Snort urilen documentation I noticed:

The following example will match URIs that are greater than 5 bytes and less than 10 bytes (inclusive):
urilen:5<>10;

I verified this behaviour with Snort, and also verified that > and < on their own are not inclusive.
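As an added example (not code from the ticket, Suricata or Snort), a small Python model of the two urilen semantics discussed in the description and in comment #4: `N<>M` inclusive as Snort evaluates it, exclusive as Suricata did, with `>` and `<` on their own exclusive under both. The function names, the regex and the restriction to the plain `N`, `>N`, `<N` and `N<>M` forms are my assumptions; it replays the three test sids against the 6-byte URI from the attached pcap and lists the lengths at which a rule's verdict flips, which is the set a ruleset review would have to check.

```python
"""Model of urilen range semantics: Snort-style inclusive vs Suricata-style
exclusive. Added illustration, not project code."""
import re

# Assumed grammar: "N", ">N", "<N", "N<>M"; extra options (e.g. ",norm") not handled.
_URILEN_RE = re.compile(
    r"^\s*(?:(?P<lo>\d+)\s*<>\s*(?P<hi>\d+)|(?P<op>[<>])\s*(?P<n>\d+)|(?P<eq>\d+))\s*$"
)


def urilen_matches(expr: str, length: int, *, range_inclusive: bool) -> bool:
    """True if a URI of `length` bytes satisfies the urilen expression.

    range_inclusive=True models Snort as reported here (5<>10 matches 5..10);
    False models Suricata at the time of the ticket (5<>10 matches 6..9).
    Bare > and < are exclusive either way, as verified in comment #4.
    """
    m = _URILEN_RE.match(expr)
    if not m:
        raise ValueError(f"unsupported urilen expression: {expr!r}")
    if m.group("lo") is not None:
        lo, hi = int(m.group("lo")), int(m.group("hi"))
        return lo <= length <= hi if range_inclusive else lo < length < hi
    if m.group("op") is not None:
        n = int(m.group("n"))
        return length > n if m.group("op") == ">" else length < n
    return length == int(m.group("eq"))


def compare_engines(expr: str, length: int) -> dict:
    """Evaluate one expression under both semantics and flag disagreement."""
    snort = urilen_matches(expr, length, range_inclusive=True)
    suricata = urilen_matches(expr, length, range_inclusive=False)
    return {"snort": snort, "suricata": suricata, "differs": snort != suricata}


def affected_lengths(expr: str, max_len: int = 4096) -> set:
    """URI lengths (0..max_len) at which the two semantics give different verdicts.
    Empty for bare >, < and exact-length rules; {lo, hi} for a range rule."""
    return {n for n in range(max_len + 1) if compare_engines(expr, n)["differs"]}


if __name__ == "__main__":
    # Constructed replay of the ticket: wget www.google.com/23456 sends URI "/23456".
    uri_len = len("/23456")
    for sid, expr in ((1, "5<>7"), (2, "5<>6"), (3, "6<>7")):
        print(f"sid {sid} urilen:{expr} ->", compare_engines(expr, uri_len))
    print("lengths needing review for urilen:5<>10:", sorted(affected_lengths("5<>10")))
```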

Actions #5

Updated by Jason Ish about 9 years ago

Note that if this is merged in, the urilen documentation will need to be updated that it is inclusive.

https://redmine.openinfosecfoundation.org/projects/suricata/wiki/HTTP-keywords

Actions #6

Updated by Victor Julien almost 9 years ago

  • Target version changed from 2.1beta4 to 3.0RC1

Actions #7

Updated by Victor Julien over 8 years ago

  • Status changed from Resolved to Assigned
  • Target version changed from 3.0RC1 to TBD

Postponing this. Too intrusive on existing rulesets like ET, where there are very many rules that need review after this change. Custom rules would also not work anymore. Perhaps we can have a setting for those that run VRT.

Actions #8

Updated by Victor Julien over 6 years ago

  • Status changed from Assigned to Closed
  • Assignee deleted (Jason Ish)
  • Target version deleted (TBD)

We're not touching this anymore. Doing so would break existing rulesets. The difference is documented:

http://suricata.readthedocs.io/en/latest/rules/differences-from-snort.html#urilen-keyword
