Project

General

Profile

Actions

Bug #1416

closed

request feature: urilen <> inclusive please

Added by rmkml rmkml over 7 years ago. Updated about 5 years ago.

Status:
Closed
Priority:
Normal
Assignee:
-
Target version:
-
Affected Versions:
Effort:
Difficulty:
Label:

Description

Hi,

First Thx Suricata team and all,

I'm recently tested urilen on snort and urilen <> is inclusive but not on Suricata tested.

examples URI length is 6 (wget www.google.com/23456, joigned pcap file)

1->urilen:5<>7, suricata and snort fire
2->urilen:5<>6, suricata not fire but snort fire
(because snort use like 5<>=6) # no error on suricata output
3->urilen:6<>7, suricata not fire but snort fire
(because snort use like 6=<>7) # no error on suricata output

Tested with these sigs:
alert tcp any any -> any 80 (msg:"urilen test 1"; flow:to_server,established; urilen:5<>7; classtype:web-application-attack; sid:1; rev:1;)
alert tcp any any -> any 80 (msg:"urilen test 2"; flow:to_server,established; urilen:5<>6; classtype:web-application-attack; sid:2; rev:1;)
alert tcp any any -> any 80 (msg:"urilen test 3"; flow:to_server,established; urilen:6<>7; classtype:web-application-attack; sid:3; rev:1;)

Regards
@rmkml rmkml


Files

suricata_urilen.pcap (2.58 KB) suricata_urilen.pcap rmkml rmkml, 03/14/2015 08:33 AM
Actions

Also available in: Atom PDF