Project

General

Profile

Actions
Copy link

Bug #166

closed

many FP on uricontent example

Added by rmkml rmkml almost 14 years ago. Updated almost 14 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Victor Julien
Target version:
0.9.2
Affected Versions:
Effort:
Difficulty:
Label:

Description

Hi,
With pcap joigned and this (old) sig:
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS ping.asp access"; flow:to_server,established; uricontent:"/ping.asp"; nocase; reference:nessus,10968; classtype:web-application-activity; sid:2667; rev:2;)
I have many 8 alerts:
03/29/09-08:03:06.416199 [**] [1:2667:2] WEB-IIS ping.asp access [**] [Classification: access to a potentially vulnerable web application] [Priority: 3] {6} 10.50.1.118:2030 -> 194.245.144.33:80 [Xref => http://cgi.nessus.org/plugins/dump.php3?id=10968]
...
Tested on suricata v0.9.0 and git (2910759943484cd7e3401bebcc286f06b17b6045).
Regards
Rmkml

Files

suricatafnhttpuricontentpingasp25may2010.pcap (3.24 KB) suricatafnhttpuricontentpingasp25may2010.pcap rmkml rmkml, 05/25/2010 01:33 PM
Actions
Copy link
 #1

Updated by Victor Julien almost 14 years ago

  • Due date set to 06/11/2010
  • Status changed from New to Assigned
  • Assignee set to Victor Julien
  • Target version set to 0.9.2
  • Estimated time set to 0.00 h
Actions
Copy link
 #2

Updated by Victor Julien almost 14 years ago

  • Status changed from Assigned to Closed
  • % Done changed from 0 to 100

Fixed in the current master.

Actions
Copy link
 #3

Updated by Victor Julien almost 14 years ago

Improved the fix. Should be more accurate now.

Actions
Copy link

Also available in: Atom PDF