Bug #1416 (closed)
request feature: urilen <> inclusive please
Description
Hi,
First Thx Suricata team and all,
I recently tested urilen on Snort, and urilen <> is inclusive there, but not on Suricata.
Example: the URI length is 6 (wget www.google.com/23456, pcap file attached)
1 -> urilen:5<>7: Suricata and Snort fire
2 -> urilen:5<>6: Suricata does not fire but Snort fires
(because Snort treats it like 5<>=6)
# no error in Suricata output
3 -> urilen:6<>7: Suricata does not fire but Snort fires
(because Snort treats it like 6=<>7)
# no error in Suricata output
Tested with these sigs:
alert tcp any any -> any 80 (msg:"urilen test 1"; flow:to_server,established; urilen:5<>7; classtype:web-application-attack; sid:1; rev:1;)
alert tcp any any -> any 80 (msg:"urilen test 2"; flow:to_server,established; urilen:5<>6; classtype:web-application-attack; sid:2; rev:1;)
alert tcp any any -> any 80 (msg:"urilen test 3"; flow:to_server,established; urilen:6<>7; classtype:web-application-attack; sid:3; rev:1;)
Regards,
rmkml
Updated by Victor Julien over 9 years ago
- Assignee set to Jason Ish
- Target version set to 2.1beta4
@Will Metcalf, do you think it's safe to change this for our stable branch? Or shall we just document it as a diff vs Snort and Suricata 2.1?
Updated by Jason Ish over 9 years ago
From the Snort documentation, it sounds like Snort may be in error here: http://manual.snort.org/node388.html
@rmkml rmkml: Have you chased this up with the Snort guys? If rules out there depend on this behaviour, then at the least the documentation should change I think.
Updated by Jason Ish over 9 years ago
- Status changed from New to Assigned
- Estimated time set to 2.00 h
Updated by Jason Ish over 9 years ago
- Status changed from Assigned to Resolved
- % Done changed from 0 to 100
PR: https://github.com/inliniac/suricata/pull/1417
On a second read of the Snort urilen documentation I noticed:
The following example will match URIs that are greater than 5 bytes and less than 10 bytes (inclusive):
urilen:5<>10;
I verified this behaviour with Snort, and also verified that > and < on their own are not inclusive.
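To make the off-by-one concrete, this added Python script (not code from the report or from Suricata or Snort) evaluates the three signatures from the description against a 6-byte URI under Snort's inclusive and Suricata's exclusive `<>` semantics, and shows how a Snort-style range must be widened by one on each side to match the same lengths on Suricata. The regex, helper names and the `audit_rules` report format are my own assumptions; `<` and `>` alone are treated as exclusive in both engines, as verified above.

```python
import re

# The three test signatures from the bug report (constructed input, copied from the description).
RULES = [
    'alert tcp any any -> any 80 (msg:"urilen test 1"; flow:to_server,established; urilen:5<>7; classtype:web-application-attack; sid:1; rev:1;)',
    'alert tcp any any -> any 80 (msg:"urilen test 2"; flow:to_server,established; urilen:5<>6; classtype:web-application-attack; sid:2; rev:1;)',
    'alert tcp any any -> any 80 (msg:"urilen test 3"; flow:to_server,established; urilen:6<>7; classtype:web-application-attack; sid:3; rev:1;)',
]
URI_LENGTH = len("/23456")  # 6 bytes, the URI used in the report

# Matches urilen:N, urilen:<N, urilen:>N and urilen:N<>M (helper regex, not the engines' parser).
URILEN_RE = re.compile(r'urilen:\s*([<>]?)(\d+)(?:\s*<>\s*(\d+))?\s*[;,]')

def parse_urilen(rule):
    """Return (op, lo, hi) for the rule's urilen keyword; op is '=', '<', '>' or '<>'."""
    m = URILEN_RE.search(rule)
    if not m:
        return None
    op, lo, hi = m.group(1), int(m.group(2)), m.group(3)
    if hi is not None:
        return ('<>', lo, int(hi))
    return (op or '=', lo, None)

def urilen_matches(spec, length, inclusive_range):
    """Evaluate a parsed urilen spec; only the <> form differs between the engines."""
    op, lo, hi = spec
    if op == '=':
        return length == lo
    if op == '<':
        return length < lo        # exclusive in both Snort and Suricata
    if op == '>':
        return length > lo        # exclusive in both Snort and Suricata
    if inclusive_range:           # Snort: lo <= len <= hi
        return lo <= length <= hi
    return lo < length < hi       # Suricata: lo < len < hi

def snort_to_suricata_range(spec):
    """Widen a Snort inclusive lo<>hi by one on each side so Suricata matches the same lengths."""
    op, lo, hi = spec
    if op != '<>':
        return spec
    return ('<>', lo - 1, hi + 1)

def audit_rules(rules, length):
    """Report, per sid, whether Snort and Suricata agree for the given URI length."""
    report = {}
    for rule in rules:
        spec = parse_urilen(rule)
        sid = int(re.search(r'sid:(\d+)', rule).group(1))
        report[sid] = {
            'snort': urilen_matches(spec, length, True),
            'suricata': urilen_matches(spec, length, False),
            'ported': urilen_matches(snort_to_suricata_range(spec), length, False),
        }
    return report

if __name__ == '__main__':
    for sid, result in audit_rules(RULES, URI_LENGTH).items():
        print(sid, result)
```

Running it reproduces the report: sid 1 fires on both engines, sids 2 and 3 fire only on Snort, and all three fire on Suricata once the range is widened.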
Updated by Jason Ish over 9 years ago
Note that if this is merged in, the urilen documentation will need to be updated that it is inclusive.
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/HTTP-keywords
Updated by Victor Julien over 9 years ago
- Target version changed from 2.1beta4 to 3.0RC1
Updated by Victor Julien almost 9 years ago
- Status changed from Resolved to Assigned
- Target version changed from 3.0RC1 to TBD
Postponing this. Too intrusive on existing rulesets like ET, where there are very many rules that need review after this change. Custom rules would also not work anymore. Perhaps we can have a setting for those that run VRT.
Updated by Victor Julien almost 7 years ago
- Status changed from Assigned to Closed
- Assignee deleted (Jason Ish)
- Target version deleted (TBD)
We're not touching this anymore. Doing so would break existing rulesets. The difference is documented:
http://suricata.readthedocs.io/en/latest/rules/differences-from-snort.html#urilen-keyword