Bug #166

many FP on uricontent example

Added by rmkml rmkml almost 4 years ago. Updated almost 4 years ago.

Status:ClosedStart date:05/25/2010
Priority:NormalDue date:06/11/2010
Assignee:Victor Julien% Done:

100%

Category:-Estimated time:0.00 hour
Target version:0.9.2

Description

Hi,
With pcap joigned and this (old) sig:
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS ping.asp access"; flow:to_server,established; uricontent:"/ping.asp"; nocase; reference:nessus,10968; classtype:web-application-activity; sid:2667; rev:2;)
I have many 8 alerts:
03/29/09-08:03:06.416199 [**] [1:2667:2] WEB-IIS ping.asp access [**] [Classification: access to a potentially vulnerable web application] [Priority: 3] {6} 10.50.1.118:2030 -> 194.245.144.33:80 [Xref => http://cgi.nessus.org/plugins/dump.php3?id=10968]
...
Tested on suricata v0.9.0 and git (2910759943484cd7e3401bebcc286f06b17b6045).
Regards
Rmkml

suricatafnhttpuricontentpingasp25may2010.pcap (3.24 KB) rmkml rmkml, 05/25/2010 01:33 PM

History

#1 Updated by Victor Julien almost 4 years ago

  • Due date set to 06/11/2010
  • Status changed from New to Assigned
  • Assignee set to Victor Julien
  • Target version set to 0.9.2
  • Estimated time set to 0.00

#2 Updated by Victor Julien almost 4 years ago

  • Status changed from Assigned to Closed
  • % Done changed from 0 to 100

Fixed in the current master.

#3 Updated by Victor Julien almost 4 years ago

Improved the fix. Should be more accurate now.

Also available in: Atom PDF