Bug #212
Closed
relative contents with a negated content gives a false positive
Description
a content string
"we need to fix this and yes fix this now"
and
content:fix; content:this; within:6; content:!"and"; distance:0;
should fail.
Fix attached.
Files
Updated by Anoop Saldanha almost 16 years ago
- File 0002-fix-relative-contents-with-a-negated-content-for-det.patch added
another patch attached.
You will have to apply both. The first one addresses payload.c and the second, dcepayload.c and uri.c.
Updated by Will Metcalf almost 16 years ago
- File fixthisnow.pcap added
- Due date set to 07/19/2010
- Status changed from New to Closed
- % Done changed from 0 to 100
tested. works.
alert tcp any any -> any 55555 (msg:"negated content + relative modifier"; content:"fix"; content:"this"; within:6; content:!"and"; distance:0; sid:7777;)
alert tcp any any -> any 55555 (msg:"negated content + relative modifier"; content:"fix"; content:"this"; within:6; content:!"foo"; distance:0; sid:7778;)
src/suricata -c suricata.yaml -l ./ -s blah2.rules -r /home/coz/fixthisnow.pcap
...
cat fast.log
07/19/10-18:37:15.687507 [**] [1:7778:0] negated content + relative modifier [**] [Classification: (null)] [Priority: 3] {6} 192.168.2.3:60229 -> 192.168.2.138:55555
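To make the expected behaviour in the description and in the sid 7777 / 7778 test above concrete, here is a small Python model of relative content matching with `within`, `distance` and negation. It is an added example, not Suricata's engine code (that lives in the C files the attached patches touch); the payload is the string from the description, and the "stop on a negated hit" rule, where finding the negated content ends matching of the whole rule instead of backtracking into earlier contents, is modelled on the result the report expects rather than quoted from the engine. Measuring `within` from the distance-adjusted start is likewise an assumption. Turning that stop off shows how plain backtracking would alert on the trailing "fix this now", which is not followed by "and": exactly the kind of false positive the title describes.

```python
"""
Toy model of Suricata-style relative content matching (added example,
not Suricata's own code). Payload and rules are taken from bug #212.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


class NegatedContentFound(Exception):
    """Raised when a negated content is found where the rule forbids it.

    Modelled on the behaviour the report expects: the rule fails outright,
    with no backtracking into earlier relative contents.
    """


@dataclass(frozen=True)
class Content:
    pattern: bytes
    negated: bool = False
    distance: Optional[int] = None  # start offset relative to the previous match end
    within: Optional[int] = None    # the match must end within N bytes of the search start

    @property
    def relative(self) -> bool:
        return self.distance is not None or self.within is not None


def search_region(c: Content, buf: bytes, prev_end: int) -> Tuple[int, int]:
    """Return the [start, end) slice of buf in which this content may be found."""
    if not c.relative:
        return 0, len(buf)  # absolute content: anywhere in the payload
    start = prev_end + (c.distance or 0)
    # Assumption: `within` is counted from the distance-adjusted start.
    end = len(buf) if c.within is None else start + c.within
    return max(start, 0), min(end, len(buf))


def _match_from(contents: List[Content], buf: bytes, idx: int,
                prev_end: int, stop_on_negated_hit: bool) -> bool:
    if idx == len(contents):
        return True  # every content satisfied along this branch
    c = contents[idx]
    start, end = search_region(c, buf, prev_end)
    if c.negated:
        if buf.find(c.pattern, start, end) != -1:
            if stop_on_negated_hit:
                raise NegatedContentFound(c.pattern)  # whole rule fails
            return False  # only this branch fails; the caller may backtrack
        # Negation satisfied; the next content stays relative to the same point
        # (simplification: the rules on this page end with the negated content).
        return _match_from(contents, buf, idx + 1, prev_end, stop_on_negated_hit)
    # bytes.find() only reports hits lying entirely inside [start, end),
    # so the "must end within the region" check comes for free.
    pos = buf.find(c.pattern, start, end)
    while pos != -1:
        if _match_from(contents, buf, idx + 1, pos + len(c.pattern), stop_on_negated_hit):
            return True
        pos = buf.find(c.pattern, pos + 1, end)  # backtrack: try the next occurrence
    return False


def rule_matches(contents: List[Content], buf: bytes, stop_on_negated_hit: bool = True) -> bool:
    """True if the rule's content chain matches buf (i.e. the rule would alert)."""
    try:
        return _match_from(contents, buf, 0, 0, stop_on_negated_hit)
    except NegatedContentFound:
        return False


# Payload from the bug description.
PAYLOAD = b"we need to fix this and yes fix this now"

# content:"fix"; content:"this"; within:6; content:!"and"; distance:0;   (sid 7777)
SID_7777 = [Content(b"fix"), Content(b"this", within=6),
            Content(b"and", negated=True, distance=0)]
# content:"fix"; content:"this"; within:6; content:!"foo"; distance:0;   (sid 7778)
SID_7778 = [Content(b"fix"), Content(b"this", within=6),
            Content(b"foo", negated=True, distance=0)]

if __name__ == "__main__":
    print("sid 7777 alerts:", rule_matches(SID_7777, PAYLOAD))                            # False
    print("sid 7778 alerts:", rule_matches(SID_7778, PAYLOAD))                            # True
    print("sid 7777 with plain backtracking:",
          rule_matches(SID_7777, PAYLOAD, stop_on_negated_hit=False))                      # True
```

Run as-is it reproduces the fast.log above: only sid 7778 alerts. The third line is the cautionary case: if a negated hit merely failed one branch, the engine would backtrack to the second "fix", find "this" within six bytes, see no "and" after it, and alert.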
Updated by Victor Julien almost 16 years ago
- Estimated time set to 1.00 h