Bug #155 (Closed)
Anchored pcre doesn't appear to work with /U modifier.
Description
sid 2010504 should fire here. Simply removing the '$' anchor from the pcre will cause the sig to match, the flowbit will be set, and thus the second sig will fire. The anchored pcre is valid for this pcap; this should fire in Suricata but doesn't. These rules fire fine in Snort. I should also note that I tested anchors with normal pcre and it appears to work fine.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Executable purporting to be .txt file with no Referrer - Likely Malware"; flow:established,to_server; content:"GET "; nocase; depth:4; content:!"|0d 0a|Referer\: "; nocase; uricontent:".txt"; nocase; pcre:"/\.txt$/Ui"; flowbits:set,ET.hidden.exe; flowbits:noalert; classtype:trojan-activity; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2009-072313-3630-99; reference:url,doc.emergingthreats.net/2010500; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Covert_Executable_DL; sid:2010500; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Potential Palevo executable download, executable purporting to be different file"; flowbits:isset,ET.hidden.exe; flow:established,from_server; content:"|0d 0a 0d 0a|MZ"; content:"This program"; within:120; classtype:trojan-activity; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2009-072313-3630-99; reference:url,doc.emergingthreats.net/2010504; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Mariposa; sid:2010504; rev:2;)
Updated by Victor Julien over 14 years ago
- Target version changed from 0.9.1 to 0.9.2
Updated by Victor Julien over 14 years ago
- Due date changed from 05/14/2010 to 06/21/2010
- Assignee changed from OISF Dev to Anoop Saldanha
- Target version changed from 0.9.2 to 0.9.3
Updated by Victor Julien over 14 years ago
- Due date changed from 06/21/2010 to 06/25/2010
- Assignee changed from Anoop Saldanha to Pablo Rincon
- Target version changed from 0.9.3 to 1.0.0
Assigned to Pablo as part of a bigger task. Anoop if you already have done work on this, please send what you have to Pablo. Thanks!
Updated by Anoop Saldanha over 14 years ago
- File 0001-add-pcre-with-U-modifiers-to-the-umatch-sigmatch-lis.patch added
@Pablo
Attached the work done so far. The patch adds /U pcres to umatch list instead of pmatch. Have made some changes to detect-engine-uri.c as well to support the addition of pcre to umatch inspection.
Updated by Victor Julien over 14 years ago
Please also make sure the following signature matches, as it's reported to fail to match currently:
Our suricata setup is totally missing some emerging-virus.rules (not even a mention in logs) like:
emerging-virus.rules:drop tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Downadup/Conficker A or B Worm reporting"; flow:to_server,established; uricontent:"/search?q="; pcre:"/^\/search\?q=[0-9]{1,3}(&aq=7(\?[0-9a-f]{8})?)?$/U"; pcre:"/\x0d\x0aHost\: \d+\.\d+\.\d+\.\d+\x0d\x0a/"; classtype:trojan-activity; reference:url,www.f-secure.com/weblog/archives/00001584.html; reference:url,doc.emergingthreats.net/bin/view/Main/2009024; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Conficker; sid:2009024; rev:9;)
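Both failing signatures on this ticket (the `.txt` rule in the description and the Conficker rule quoted above) share one property: their pcre carries the `/U` modifier and an anchor, so `^` and `$` are meant to bind to the start and end of the normalized URI buffer, not of the whole TCP payload. The added example below, which is not code from the ticket or from Suricata, applies each pcre the way a URI-buffer match (umatch) and a raw-payload match (pmatch) would, on constructed HTTP requests; it also repeats the reporter's observation that dropping the `$` anchor makes the payload match succeed. The helper `request_uri()` is an assumption that only extracts the raw request-target and does not perform Suricata's URI normalization.

```python
import re

# Constructed sample requests (not taken from the ticket's pcap).
REQUEST_TXT = (
    b"GET /downloads/update.txt HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"User-Agent: Mozilla/4.0\r\n"
    b"\r\n"
)
REQUEST_CONFICKER = (
    b"GET /search?q=42&aq=7?0123abcd HTTP/1.1\r\n"
    b"Host: 198.51.100.7\r\n"
    b"\r\n"
)

# pcre bodies copied from the two rules on this ticket, with the pcre
# modifiers mapped onto Python flags (/i -> IGNORECASE; /U is a buffer
# selector, not a regex flag, and is modelled by the two match functions below).
PCRE_TXT = re.compile(rb"\.txt$", re.IGNORECASE)                      # /\.txt$/Ui
PCRE_TXT_UNANCHORED = re.compile(rb"\.txt", re.IGNORECASE)            # reporter's workaround
PCRE_CONFICKER = re.compile(
    rb"^\/search\?q=[0-9]{1,3}(&aq=7(\?[0-9a-f]{8})?)?$"              # /.../U
)


def request_uri(request: bytes) -> bytes:
    """Return the request-target from the HTTP request line.

    Assumption: this stands in for Suricata's normalized-URI buffer but does
    no normalization (no percent-decoding or path cleanup); it only isolates
    the bytes a /U pcre is supposed to be evaluated against.
    """
    request_line = request.split(b"\r\n", 1)[0]
    parts = request_line.split(b" ")
    if len(parts) < 3:
        raise ValueError("malformed request line: %r" % request_line)
    return parts[1]


def match_as_umatch(pattern: re.Pattern, request: bytes) -> bool:
    """Evaluate the pcre against the URI buffer only (correct for /U)."""
    return pattern.search(request_uri(request)) is not None


def match_as_pmatch(pattern: re.Pattern, request: bytes) -> bool:
    """Evaluate the pcre against the whole payload (the buggy behaviour:
    a /U pcre placed on the payload match list)."""
    return pattern.search(request) is not None


def compare(pattern: re.Pattern, request: bytes) -> dict:
    """Side-by-side result for one pcre, so the anchor effect is visible."""
    return {
        "uri_buffer": match_as_umatch(pattern, request),
        "raw_payload": match_as_pmatch(pattern, request),
    }


if __name__ == "__main__":
    print("sid 2010500 /\\.txt$/Ui      :", compare(PCRE_TXT, REQUEST_TXT))
    print("sid 2010500 without '$'     :", compare(PCRE_TXT_UNANCHORED, REQUEST_TXT))
    print("sid 2009024 conficker /U    :", compare(PCRE_CONFICKER, REQUEST_CONFICKER))
```

On the URI buffer both anchored expressions match; on the raw payload neither does, because `$` is followed by ` HTTP/1.1\r\n...` and `^` is preceded by `GET `. Only the unanchored `\.txt` matches the payload, which is exactly the symptom the reporter saw when removing the anchor.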
Updated by Victor Julien over 14 years ago
- Status changed from New to Closed
- % Done changed from 0 to 100
Patches applied, thanks Anoop & Pablo.