Bug #190
Status: closed
Regression: 0.9.2 and git today cause FP
Description
Hi,
Congratulations on the new v0.9.2, but I have found a regression in this latest version and in today's git (6eb7eea705a82daa2fb4d368538d88392b1816e9) which causes FPs.
OK, start Suricata with these three sigs on the attached pcap file:
alert tcp any 80 -> any any (msg:"2"; flow:to_client,established; flowbits:isset,http.ht.extfile; content:"COM"; nocase; isdataat:100,relative; content:!"|00|"; within:100; pcre:"/COM[^\x00]{100}/i"; sid:9311372; rev:1;)
alert tcp any any -> any 80 (msg:"1"; flow:to_server,established; uricontent:".ht"; nocase; pcre:!"/\.ht[a-z0-9]/Ui"; flowbits:set,http.ht.extfile; sid:9311362; rev:1;)
alert tcp any any -> any 80 (msg:"3"; flow:to_server,established; flowbits:isset,unknown; content:"="; content:"%"; within:10; distance:0; pcre:"/\=[^&\n]*\%/i"; sid:9216241; rev:1;)
1) results on version 0.9.1:
no alerts!
2) results on version 0.9.2:
03/22/09-09:38:57.356190 [**] [1:9311362:1] 1 [**] [Classification: (null)] [Priority: 3] {6} 10.100.255.2:2401 -> 87.248.112.181:80
03/22/09-09:38:57.449014 [**] [1:9311372:1] 2 [**] [Classification: (null)] [Priority: 3] {6} 87.248.112.181:80 -> 10.100.255.2:2401
3) results on git 18 Jun (ca7f54de2596f24663f18d079681d8cfa25fe81f):
03/22/09-09:38:57.356190 [**] [1:9311362:1] 1 [**] [Classification: (null)] [Priority: 3] {6} 10.100.255.2:2401 -> 87.248.112.181:80
03/22/09-09:38:57.449014 [**] [1:9311372:1] 2 [**] [Classification: (null)] [Priority: 3] {6} 87.248.112.181:80 -> 10.100.255.2:2401
4) results on today's git (6eb7eea705a82daa2fb4d368538d88392b1816e9):
03/22/09-09:38:52.802180 [**] [1:9311362:1] 1 [**] [Classification: (null)] [Priority: 3] {6} 10.100.255.2:2401 -> 87.248.112.181:80
03/22/09-09:38:57.354834 [**] [1:9311372:1] 2 [**] [Classification: (null)] [Priority: 3] {6} 87.248.112.181:80 -> 10.100.255.2:2401
03/22/09-09:39:05.188602 [**] [1:9311362:1] 1 [**] [Classification: (null)] [Priority: 3] {6} 10.100.255.2:2403 -> 87.248.112.181:80
03/22/09-09:39:05.188905 [**] [1:9311362:1] 1 [**] [Classification: (null)] [Priority: 3] {6} 10.100.255.2:2403 -> 87.248.112.181:80
03/22/09-09:39:05.288560 [**] [1:9311372:1] 2 [**] [Classification: (null)] [Priority: 3] {6} 87.248.112.181:80 -> 10.100.255.2:2403
5) if you disable the sig with msg:"3", there are no alerts on any version!
Regards
Rmkml
Files
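To make the reporter's expectation concrete, here is a small reference model of what the three signatures should do under textbook flowbits semantics. It is an added example written for this page, not code from the reporter, from Suricata, or from the attached pcap: the HTTP request/response payloads are constructed, the URI is taken from the request line, and the `within`/`distance` modifiers of sig 3 are approximated by a regex. Sig 1 sets the flowbit `http.ht.extfile` on the flow, sig 2 may only fire on a flow where that bit is set, and sig 3 checks a bit (`unknown`) that no rule ever sets, so loading or unloading sig 3 must not change the alert set; that is the property the 0.9.2 and git builds above appear to violate.

```python
import re

FLOWBIT_HT = "http.ht.extfile"


def uri_of(payload: bytes) -> bytes:
    """Return the URI from an HTTP request line 'METHOD URI HTTP/x.y'."""
    request_line = payload.split(b"\r\n", 1)[0]
    parts = request_line.split(b" ")
    return parts[1] if len(parts) >= 2 else b""


def sig1_matches(payload: bytes) -> bool:
    # uricontent:".ht"; nocase; pcre:!"/\.ht[a-z0-9]/Ui"
    uri = uri_of(payload)
    if b".ht" not in uri.lower():
        return False
    return re.search(rb"\.ht[a-z0-9]", uri, re.I) is None


def sig2_matches(payload: bytes) -> bool:
    # content:"COM"; nocase; isdataat:100,relative; content:!"|00|"; within:100;
    # pcre:"/COM[^\x00]{100}/i"  -> "COM" followed by 100 non-NUL bytes
    return re.search(rb"COM[^\x00]{100}", payload, re.I) is not None


def sig3_matches(payload: bytes) -> bool:
    # content:"="; content:"%"; within:10; distance:0; pcre:"/\=[^&\n]*\%/i"
    # Approximation: '%' must follow '=' within 10 bytes with no '&' or newline between.
    return re.search(rb"=[^&\n]{0,9}%", payload) is not None


# Rule table mirroring the three sigs: direction, required bit, bit to set, payload check.
RULES = [
    {"sid": 9311362, "dir": "to_server", "isset": None, "set": FLOWBIT_HT, "match": sig1_matches},
    {"sid": 9311372, "dir": "to_client", "isset": FLOWBIT_HT, "set": None, "match": sig2_matches},
    {"sid": 9216241, "dir": "to_server", "isset": "unknown", "set": None, "match": sig3_matches},
]
RULES_WITHOUT_3 = [r for r in RULES if r["sid"] != 9216241]


def run(packets, rules):
    """Evaluate rules over (flow_id, direction, payload) packets; flowbits are per flow."""
    flowbits = {}
    alerts = []
    for flow_id, direction, payload in packets:
        bits = flowbits.setdefault(flow_id, set())
        for rule in rules:
            if rule["dir"] != direction:
                continue
            if rule["isset"] and rule["isset"] not in bits:
                continue  # isset precondition not met on this flow
            if not rule["match"](payload):
                continue
            if rule["set"]:
                bits.add(rule["set"])
            alerts.append((flow_id, rule["sid"]))
    return alerts


# Constructed sample traffic (not the reporter's pcap).
REQ_HTML = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"      # ".ht" followed by "m"
REQ_HT = b"GET /file.ht HTTP/1.1\r\nHost: example.test\r\n\r\n"           # ".ht" at end of URI
REQ_ENC = b"GET /search?q=a%20b HTTP/1.1\r\nHost: example.test\r\n\r\n"  # '=' then '%' within 10
RESP_COM = b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n\r\nCOM" + b"A" * 100
RESP_NUL = b"HTTP/1.1 200 OK\r\n\r\nCOM" + b"A" * 50 + b"\x00" + b"A" * 60

PACKETS = [
    ("flowA", "to_server", REQ_HTML),  # sig1 suppressed by negated pcre -> no flowbit
    ("flowA", "to_client", RESP_COM),  # sig2 cannot fire: bit never set on flowA
    ("flowB", "to_server", REQ_HT),    # sig1 fires and sets the bit
    ("flowB", "to_client", RESP_COM),  # sig2 fires: bit set and COM + 100 non-NUL bytes
    ("flowC", "to_server", REQ_HT),    # sig1 fires and sets the bit
    ("flowC", "to_client", RESP_NUL),  # sig2 does not fire: NUL inside the 100 bytes
    ("flowD", "to_server", REQ_ENC),   # sig3 content matches, but 'unknown' is never set
]

if __name__ == "__main__":
    for flow, sid in run(PACKETS, RULES):
        print(f"{flow}: sid {sid}")
    print("sig 3 changes the alert set:", run(PACKETS, RULES) != run(PACKETS, RULES_WITHOUT_3))
```

Feeding the real pcap's request and response payloads into `run()` gives the alert set a correct flowbits implementation should produce; comparing that with the engine output is a quick way to decide whether the alerts above are genuine matches or the regression the report describes.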