Bug #212
Status: Closed
relative contents with a negated content gives a false positive
Description
a content string
"we need to fix this and yes fix this now"
and
content:fix; content:this; within:6; content:!"and"; distance:0;
should fail.
Fix attached.
Files
Updated by Anoop Saldanha over 15 years ago
- File 0002-fix-relative-contents-with-a-negated-content-for-det.patch added
another patch attached.
You will have to apply both. The first one addresses payload.c and the second, dcepayload.c and uri.c.
Updated by Will Metcalf over 15 years ago
- File fixthisnow.pcap added
- Due date set to 07/19/2010
- Status changed from New to Closed
- % Done changed from 0 to 100
tested. works.
alert tcp any any -> any 55555 (msg:"negated content + relative modifier"; content:"fix"; content:"this"; within:6; content:!"and"; distance:0; sid:7777;)
alert tcp any any -> any 55555 (msg:"negated content + relative modifier"; content:"fix"; content:"this"; within:6; content:!"foo"; distance:0; sid:7778;)
src/suricata -c suricata.yaml -l ./ -s blah2.rules -r /home/coz/fixthisnow.pcap
...
cat fast.log
07/19/10-18:37:15.687507 [**] [1:7778:0] negated content + relative modifier [**] [Classification: (null)] [Priority: 3] {6} 192.168.2.3:60229 -> 192.168.2.138:55555
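To make the false positive concrete, here is a small model of relative content matching written for this note; it is not Suricata's detection engine code. The payload, the content chains and the sids are the ones from the report and the test above; the `fixed` flag switches between the pre-fix behaviour (a found negated content only fails that step, so the engine backtracks to the next "fix"/"this" pair and retries) and the fixed behaviour (a found negated content fails the whole rule).

```python
# Simplified model (not Suricata's code) of relative content matching for the
# rule chain from this bug. Each content is (pattern, negated, distance, within);
# distance/within are measured from the end of the previous content's match.
PAYLOAD = b"we need to fix this and yes fix this now"   # payload from the report

SID_7777 = [(b"fix", False, None, None), (b"this", False, None, 6), (b"and", True, 0, None)]
SID_7778 = [(b"fix", False, None, None), (b"this", False, None, 6), (b"foo", True, 0, None)]


class _Discontinue(Exception):
    """Raised when a negated content is found: the whole rule is a no-match."""


def _match_from(buf, contents, idx, prev_end, fixed):
    if idx == len(contents):
        return True
    pat, negated, distance, within = contents[idx]
    if idx == 0:
        start, end = 0, len(buf)                     # first content: whole buffer
    else:
        start = prev_end + (distance or 0)           # match must start at/after this
        end = len(buf) if within is None else prev_end + within  # and end by this
    pos = start
    while True:
        found = buf.find(pat, pos, end)              # pattern must fit inside [pos, end)
        if found == -1:
            return negated                           # absent: negated ok, positive fails
        if negated:
            if fixed:
                raise _Discontinue                   # fix: no retry of earlier contents
            return False                             # bug: caller backtracks and retries
        if _match_from(buf, contents, idx + 1, found + len(pat), fixed):
            return True
        pos = found + 1                              # try the next occurrence


def rule_matches(buf, contents, fixed=True):
    """True if the content chain matches buf. fixed=False reproduces the bug."""
    try:
        return _match_from(buf, contents, 0, 0, fixed)
    except _Discontinue:
        return False


if __name__ == "__main__":
    for name, rule in (("sid:7777", SID_7777), ("sid:7778", SID_7778)):
        print(name, "buggy:", rule_matches(PAYLOAD, rule, fixed=False),
              "fixed:", rule_matches(PAYLOAD, rule))
```

With the bug, sid 7777 matches via the second "fix this" (no "and" follows it); with the fix only sid 7778 matches, which is what the fast.log above shows.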
Updated by Victor Julien over 15 years ago
- Estimated time set to 1.00 h