Bug #190
[Closed] regression 092 and git today cause FP
Description
Hi,
Congratulations on the new v0.9.2, but I found a regression in this latest version and in today's git (6eb7eea705a82daa2fb4d368538d88392b1816e9) that causes a FP.
OK, start Suricata with three sigs on the joined pcap file:
alert tcp any 80 -> any any (msg:"2"; flow:to_client,established; flowbits:isset,http.ht.extfile; content:"COM"; nocase; isdataat:100,relative; content:!"|00|"; within:100; pcre:"/COM[^\x00]{100}/i"; sid:9311372; rev:1; )
alert tcp any any -> any 80 (msg:"1"; flow:to_server,established; uricontent:".ht"; nocase; pcre:!"/\.ht[a-z0-9]/Ui"; flowbits:set,http.ht.extfile; sid:9311362; rev:1;)
alert tcp any any -> any 80 (msg:"3"; flow:to_server,established; flowbits:isset,unknown; content:"="; content:"%"; within:10; distance:0; pcre:"/\=[^&\n]*\%/i"; sid:9216241; rev:1;)
1) results on version 0.9.1:
no alerts!
2) results on version 0.9.2:
03/22/09-09:38:57.356190 [**] [1:9311362:1] 1 [**] [Classification: (null)] [Priority: 3] {6} 10.100.255.2:2401 -> 87.248.112.181:80
03/22/09-09:38:57.449014 [**] [1:9311372:1] 2 [**] [Classification: (null)] [Priority: 3] {6} 87.248.112.181:80 -> 10.100.255.2:2401
3) results on git 18 Jun (ca7f54de2596f24663f18d079681d8cfa25fe81f):
03/22/09-09:38:57.356190 [**] [1:9311362:1] 1 [**] [Classification: (null)] [Priority: 3] {6} 10.100.255.2:2401 -> 87.248.112.181:80
03/22/09-09:38:57.449014 [**] [1:9311372:1] 2 [**] [Classification: (null)] [Priority: 3] {6} 87.248.112.181:80 -> 10.100.255.2:2401
4) results on today's git (6eb7eea705a82daa2fb4d368538d88392b1816e9):
03/22/09-09:38:52.802180 [**] [1:9311362:1] 1 [**] [Classification: (null)] [Priority: 3] {6} 10.100.255.2:2401 -> 87.248.112.181:80
03/22/09-09:38:57.354834 [**] [1:9311372:1] 2 [**] [Classification: (null)] [Priority: 3] {6} 87.248.112.181:80 -> 10.100.255.2:2401
03/22/09-09:39:05.188602 [**] [1:9311362:1] 1 [**] [Classification: (null)] [Priority: 3] {6} 10.100.255.2:2403 -> 87.248.112.181:80
03/22/09-09:39:05.188905 [**] [1:9311362:1] 1 [**] [Classification: (null)] [Priority: 3] {6} 10.100.255.2:2403 -> 87.248.112.181:80
03/22/09-09:39:05.288560 [**] [1:9311372:1] 2 [**] [Classification: (null)] [Priority: 3] {6} 87.248.112.181:80 -> 10.100.255.2:2403
5) If you disable msg:3, there are no alerts on any version!
Regards
Rmkml
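An added example, not part of this report or of Suricata itself: a small parser for the fast-log alert format shown above, used to diff per-signature alert counts between two runs of the same pcap and ruleset. That is the check a regression test would run to catch new alerts such as the ones reported here; the sample lines embedded below are the alert lines from this report.

```python
import re
from collections import Counter

# One Snort/Suricata "fast" alert line, e.g.
# 03/22/09-09:38:57.356190 [**] [1:9311362:1] 1 [**] [Classification: (null)] [Priority: 3] {6} 10.100.255.2:2401 -> 87.248.112.181:80
FAST_LINE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+\[Classification:\s*(?P<cls>[^\]]*)\]\s+"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>[^}]+)\}\s+"
    r"(?P<src>\S+):(?P<sport>\d+)\s+->\s+(?P<dst>\S+):(?P<dport>\d+)\s*$"
)

def parse_fast_line(line):
    """Return the fields of one fast-log line as a dict, or None if the line does not match."""
    m = FAST_LINE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("gid", "sid", "rev", "prio", "sport", "dport"):
        rec[key] = int(rec[key])
    return rec

def alert_counts(lines):
    """Count alerts per (gid, sid) over an iterable of fast-log lines; unparseable lines are skipped."""
    counts = Counter()
    for line in lines:
        rec = parse_fast_line(line)
        if rec:
            counts[(rec["gid"], rec["sid"])] += 1
    return counts

def regression_report(baseline_lines, candidate_lines):
    """Signatures whose alert count differs between two runs of the same pcap and ruleset.
    Returns {(gid, sid): (baseline_count, candidate_count)}; an entry whose baseline
    count is 0 is a new alert, i.e. a candidate false positive (or a fixed false negative)."""
    base, cand = alert_counts(baseline_lines), alert_counts(candidate_lines)
    return {k: (base[k], cand[k]) for k in set(base) | set(cand) if base[k] != cand[k]}

# Sample input taken from the report above: 0.9.1 produced no alerts, 0.9.2 two, today's git five.
RUN_091 = []
RUN_092 = [
    "03/22/09-09:38:57.356190 [**] [1:9311362:1] 1 [**] [Classification: (null)] [Priority: 3] {6} 10.100.255.2:2401 -> 87.248.112.181:80",
    "03/22/09-09:38:57.449014 [**] [1:9311372:1] 2 [**] [Classification: (null)] [Priority: 3] {6} 87.248.112.181:80 -> 10.100.255.2:2401",
]
RUN_GIT = [
    "03/22/09-09:38:52.802180 [**] [1:9311362:1] 1 [**] [Classification: (null)] [Priority: 3] {6} 10.100.255.2:2401 -> 87.248.112.181:80",
    "03/22/09-09:38:57.354834 [**] [1:9311372:1] 2 [**] [Classification: (null)] [Priority: 3] {6} 87.248.112.181:80 -> 10.100.255.2:2401",
    "03/22/09-09:39:05.188602 [**] [1:9311362:1] 1 [**] [Classification: (null)] [Priority: 3] {6} 10.100.255.2:2403 -> 87.248.112.181:80",
    "03/22/09-09:39:05.188905 [**] [1:9311362:1] 1 [**] [Classification: (null)] [Priority: 3] {6} 10.100.255.2:2403 -> 87.248.112.181:80",
    "03/22/09-09:39:05.288560 [**] [1:9311372:1] 2 [**] [Classification: (null)] [Priority: 3] {6} 87.248.112.181:80 -> 10.100.255.2:2403",
]

if __name__ == "__main__":
    for name, run in (("0.9.2 vs 0.9.1", RUN_092), ("git vs 0.9.1", RUN_GIT)):
        print(name, regression_report(RUN_091, run))
```

Any non-empty report against a known-good baseline is the regression signal; here both comparisons show sids 9311362 and 9311372 appearing with a baseline count of 0.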
Updated by Will Metcalf over 14 years ago
This seems to now generate no alerts in snort or suricata current master as of 07/01/10. Is this the intended behavior?
Updated by Victor Julien about 14 years ago
- Status changed from New to Closed
Closing due to inactivity. Please reopen if it's still an issue.