Bug #190

closed

regression 092 and git today cause FP

Added by rmkml over 14 years ago. Updated about 14 years ago.

Status:
Closed
Priority:
Normal
Assignee:
-
Target version:
-

Description

Hi,
Congratulations on the new v0.9.2, but I found a regression in this latest version and in today's git (6eb7eea705a82daa2fb4d368538d88392b1816e9) which causes FPs.

OK, start Suricata with three sigs on the attached pcap file:
alert tcp any 80 -> any any (msg:"2"; flow:to_client,established; flowbits:isset,http.ht.extfile; content:"COM"; nocase; isdataat:100,relative; content:!"|00|"; within:100; pcre:"/COM[^\x00]{100}/i"; sid:9311372; rev:1; )
alert tcp any any -> any 80 (msg:"1"; flow:to_server,established; uricontent:".ht"; nocase; pcre:!"/\.ht[a-z0-9]/Ui"; flowbits:set,http.ht.extfile; sid:9311362; rev:1;)
alert tcp any any -> any 80 (msg:"3"; flow:to_server,established; flowbits:isset,unknown; content:"="; content:"%"; within:10; distance:0; pcre:"/\=[^&\n]*\%/i"; sid:9216241; rev:1;)

1) results on version 0.9.1:
no alerts!

2) results on version 0.9.2:
03/22/09-09:38:57.356190 [**] [1:9311362:1] 1 [**] [Classification: (null)] [Priority: 3] {6} 10.100.255.2:2401 -> 87.248.112.181:80
03/22/09-09:38:57.449014 [**] [1:9311372:1] 2 [**] [Classification: (null)] [Priority: 3] {6} 87.248.112.181:80 -> 10.100.255.2:2401

3) results on git of 18 Jun (ca7f54de2596f24663f18d079681d8cfa25fe81f):
03/22/09-09:38:57.356190 [**] [1:9311362:1] 1 [**] [Classification: (null)] [Priority: 3] {6} 10.100.255.2:2401 -> 87.248.112.181:80
03/22/09-09:38:57.449014 [**] [1:9311372:1] 2 [**] [Classification: (null)] [Priority: 3] {6} 87.248.112.181:80 -> 10.100.255.2:2401

4) results on today's git (6eb7eea705a82daa2fb4d368538d88392b1816e9):
03/22/09-09:38:52.802180 [**] [1:9311362:1] 1 [**] [Classification: (null)] [Priority: 3] {6} 10.100.255.2:2401 -> 87.248.112.181:80
03/22/09-09:38:57.354834 [**] [1:9311372:1] 2 [**] [Classification: (null)] [Priority: 3] {6} 87.248.112.181:80 -> 10.100.255.2:2401
03/22/09-09:39:05.188602 [**] [1:9311362:1] 1 [**] [Classification: (null)] [Priority: 3] {6} 10.100.255.2:2403 -> 87.248.112.181:80
03/22/09-09:39:05.188905 [**] [1:9311362:1] 1 [**] [Classification: (null)] [Priority: 3] {6} 10.100.255.2:2403 -> 87.248.112.181:80
03/22/09-09:39:05.288560 [**] [1:9311372:1] 2 [**] [Classification: (null)] [Priority: 3] {6} 87.248.112.181:80 -> 10.100.255.2:2403

5) if you disable msg:3, there are no alerts on any version!

Regards
Rmkml
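An added example, not part of the report above or of the Suricata project: a small Python checker that parses fast.log lines in the format shown in section 4 and verifies the flowbit dependency between the two rules, i.e. that every flowbits:isset alert (sid 9311372, to_client) is preceded on the same flow by the flowbits:set alert (sid 9311362, to_server). It also counts alerts per flow, which makes the repeated sig 1 alert on the 2403 flow in the "today's git" output visible. The function and variable names are my own; the sample input is the five alert lines copied from section 4 plus one constructed line used to show what an orphaned isset alert looks like.

```python
import re
from collections import defaultdict

# fast.log line layout as printed in the report:
# <ts> [**] [gid:sid:rev] <msg> [**] [Classification: ...] [Priority: N] {proto} src:sport -> dst:dport
FAST_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+.*?\{(?P<proto>\d+)\}\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s*$"
)

SET_SID = 9311362    # sig "1": flowbits:set,http.ht.extfile (to_server)
ISSET_SID = 9311372  # sig "2": flowbits:isset,http.ht.extfile (to_client)

# Output of section 4 of the report ("today's git"), copied verbatim.
TODAY_GIT_LOG = """\
03/22/09-09:38:52.802180 [**] [1:9311362:1] 1 [**] [Classification: (null)] [Priority: 3] {6} 10.100.255.2:2401 -> 87.248.112.181:80
03/22/09-09:38:57.354834 [**] [1:9311372:1] 2 [**] [Classification: (null)] [Priority: 3] {6} 87.248.112.181:80 -> 10.100.255.2:2401
03/22/09-09:39:05.188602 [**] [1:9311362:1] 1 [**] [Classification: (null)] [Priority: 3] {6} 10.100.255.2:2403 -> 87.248.112.181:80
03/22/09-09:39:05.188905 [**] [1:9311362:1] 1 [**] [Classification: (null)] [Priority: 3] {6} 10.100.255.2:2403 -> 87.248.112.181:80
03/22/09-09:39:05.288560 [**] [1:9311372:1] 2 [**] [Classification: (null)] [Priority: 3] {6} 87.248.112.181:80 -> 10.100.255.2:2403
"""

# Constructed line (not from the report): an isset alert on a flow where sig 1 never fired.
ORPHAN_LOG = """\
03/22/09-09:40:00.000000 [**] [1:9311372:1] 2 [**] [Classification: (null)] [Priority: 3] {6} 87.248.112.181:80 -> 10.100.255.2:2405
"""


def parse_fast_log(text):
    """Parse fast.log text into a list of alert dicts, keeping file order."""
    alerts = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = FAST_RE.match(line)
        if not m:
            raise ValueError(f"unparseable fast.log line: {line!r}")
        alerts.append({
            "ts": m["ts"],
            "sid": int(m["sid"]),
            "msg": m["msg"],
            "src": (m["src"], int(m["sport"])),
            "dst": (m["dst"], int(m["dport"])),
        })
    return alerts


def flow_key(alert):
    """Direction-agnostic flow identifier so to_server and to_client alerts share a key."""
    return tuple(sorted([alert["src"], alert["dst"]]))


def check_flowbit_dependency(alerts, set_sid=SET_SID, isset_sid=ISSET_SID):
    """Return (ok, orphans): orphans are isset alerts whose flow had no earlier set alert.

    Alerts are assumed to be in chronological (file) order, as fast.log writes them.
    """
    flows_with_set = set()
    orphans = []
    for a in alerts:
        key = flow_key(a)
        if a["sid"] == set_sid:
            flows_with_set.add(key)
        elif a["sid"] == isset_sid and key not in flows_with_set:
            orphans.append(a)
    return (not orphans), orphans


def alerts_per_flow(alerts):
    """Count alerts per flow and per sid; repeated sids on one flow show up here."""
    counts = defaultdict(lambda: defaultdict(int))
    for a in alerts:
        counts[flow_key(a)][a["sid"]] += 1
    return {k: dict(v) for k, v in counts.items()}


if __name__ == "__main__":
    alerts = parse_fast_log(TODAY_GIT_LOG)
    ok, orphans = check_flowbit_dependency(alerts)
    print("flowbit dependency consistent:", ok, "orphans:", len(orphans))
    for flow, per_sid in alerts_per_flow(alerts).items():
        print(flow, per_sid)
    _, orphans = check_flowbit_dependency(parse_fast_log(ORPHAN_LOG))
    print("constructed orphan case, orphans:", len(orphans))
```

For the report's output the check passes: both flows (client ports 2401 and 2403) see sig 1 before sig 2, so the isset alerts are consistent with the flowbit having been set, and the 2403 flow shows sig 1 firing twice. Whether sig 1 itself should have matched is what the pcap has to answer; the checker only catches the case where an isset rule fires without its set rule, which is the first thing to rule out when a flowbits pair appears to produce false positives.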


Files

suricatafpflowbitswebicmp.pcap (129 KB), rmkml, 06/25/2010 03:38 PM
#1

Updated by Will Metcalf over 14 years ago

This seems to now generate no alerts in snort or suricata current master as of 07/01/10. Is this the intended behavior?

#2

Updated by Victor Julien about 14 years ago

  • Status changed from New to Closed

Closing due to inactivity. Please reopen if it's still an issue.
