Bug #145
Closed
within does not work when previous match is pcre.
Description
within does not work when previous match is pcre. This is supported in Snort; we should do the same.
[3499] 4/5/2010 -- 19:41:06 - (detect-within.c:154) <Error> (DetectWithinSetup) -- [ERRCODE: SC_ERR_WITHIN_MISSING_CONTENT(99)] - within needs two preceeding content or uricontent options
[3499] 4/5/2010 -- 19:41:06 - (detect.c:295) <Error> (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(36)] - Error parsing signature "alert tcp any any -> any any (msg:"pcre with within modifier"; pcre:"/AllWorkAndNoPlayMakesWillADullBoy/"; content:"HTTP"; within:5; classtype:bad-unknown; sid:49; rev:1;)" from file /home/coz/allworkplain.rules at line 411
snort output...
01/04-12:29:26.927934 [**] [1:49:1] pcre with within modifier [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.2.3:39867 -> 209.85.225.105:80
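An added example, not part of the original ticket or of the Suricata or Snort code: a simplified Python model of what the rule in the report expresses, with `content:"HTTP"; within:5;` evaluated relative to the end of the preceding pcre match. The function name and the sample payloads are constructed for illustration.

```python
import re

# Options taken from the rule in the report:
#   pcre:"/AllWorkAndNoPlayMakesWillADullBoy/"; content:"HTTP"; within:5;
PCRE = rb"AllWorkAndNoPlayMakesWillADullBoy"
CONTENT = b"HTTP"
WITHIN = 5


def within_after_pcre(payload, pcre=PCRE, content=CONTENT, within=WITHIN):
    """Return the payload offset where `content` matches, or -1.

    Simplified model (an assumption of this example, not engine code):
    the whole content pattern must lie inside the `within` bytes that
    follow the end of a pcre match. Each non-overlapping pcre match is
    tried in turn, so a later occurrence can still satisfy the rule.
    """
    for m in re.finditer(pcre, payload):
        window = payload[m.end():m.end() + within]
        pos = window.find(content)
        if pos != -1:
            return m.end() + pos
    return -1


# Constructed sample payloads.
SAMPLES = {
    # One byte between the pcre match and "HTTP": 1 + 4 = 5 bytes, fits.
    "adjacent": b"GET /AllWorkAndNoPlayMakesWillADullBoy HTTP/1.1\r\n",
    # Three bytes of gap: "HTTP" ends 7 bytes after the pcre match.
    "too_far": b"GET /AllWorkAndNoPlayMakesWillADullBoy?x HTTP/1.1\r\n",
    # "HTTP" only appears before the pcre match, so a relative match fails
    # even though a plain content:"HTTP" would hit.
    "before": b"HTTP/1.1 200 OK\r\n\r\nAllWorkAndNoPlayMakesWillADullBoy",
}

if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        print(name, within_after_pcre(payload))
```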
Updated by Gurvinder Singh over 14 years ago
- Assignee changed from OISF Dev to Gurvinder Singh
Updated by Gurvinder Singh over 14 years ago
- File 0001-support-setting-up-within-keyword-when-previous-keyw.patch added
- Status changed from New to Resolved
- % Done changed from 0 to 80
Attached is a patch which fixes the issue. Unit test for the same has been added.
Updated by Victor Julien over 14 years ago
- Status changed from Resolved to Closed
- Target version changed from 1.0.0 to 0.9.1
- % Done changed from 80 to 100
Applied, thanks Gurvinder.