Bug #1416: request feature: urilen <> inclusive please - Suricata - Open Information Security Foundation

Actions

Copy link

Bug #1416

closed

request feature: urilen <> inclusive please

Added by rmkml rmkml over 9 years ago. Updated about 7 years ago.

Status:

Closed

Priority:

Normal

Assignee:

Target version:

Affected Versions:

Effort:

Difficulty:

Label:

Description

Hi,

First Thx Suricata team and all,

I'm recently tested urilen on snort and urilen <> is inclusive but not on Suricata tested.

examples URI length is 6 (wget www.google.com/23456, joigned pcap file)

1->urilen:5<>7, suricata and snort fire

2->urilen:5<>6, suricata not fire but snort fire
  (because snort use like 5<>=6)
 # no error on suricata output

3->urilen:6<>7, suricata not fire but snort fire
  (because snort use like 6=<>7)
 # no error on suricata output

Tested with these sigs:
alert tcp any any -> any 80 (msg:"urilen test 1"; flow:to_server,established; urilen:5<>7; classtype:web-application-attack; sid:1; rev:1;)
alert tcp any any -> any 80 (msg:"urilen test 2"; flow:to_server,established; urilen:5<>6; classtype:web-application-attack; sid:2; rev:1;)
alert tcp any any -> any 80 (msg:"urilen test 3"; flow:to_server,established; urilen:6<>7; classtype:web-application-attack; sid:3; rev:1;)

Regards
@rmkml rmkml

Files

suricata_urilen.pcap (2.58 KB) suricata_urilen.pcap

rmkml rmkml, 03/14/2015 08:33 AM

Actions

Copy link

Also available in: Atom PDF

Project

General

Profile

Suricata

Custom queries

Bug #1416

request feature: urilen <> inclusive please

Updated by Victor Julien over 9 years ago

Updated by Jason Ish over 9 years ago

Updated by Jason Ish over 9 years ago

Updated by Jason Ish over 9 years ago

Updated by Jason Ish over 9 years ago

Updated by Victor Julien over 9 years ago

Updated by Victor Julien about 9 years ago

Updated by Victor Julien about 7 years ago