Bug #214
Fail to alert on sid 2009800 (status: Closed)
Description
Suricata fails to alert on sid 2009800.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Carbonite.com Backup Software Leaking MAC Address"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/manage.old/sun/signup.aspx?MACAddresses=MAC"; nocase; uricontent:"ShowCount="; nocase; classtype:policy-violation; reference:url,doc.emergingthreats.net/2009800; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Carbonite; sid:2009800; rev:3;)
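To check by hand which parts of the request this rule keys on, the following is an added example (not Suricata code and not part of the original report) that models only the rule's content matching: `content:"GET "; depth:4` is a search limited to the first 4 bytes of the client payload, and the two `uricontent` options are case-insensitive substring checks on the request-URI. Flow state, ports and Suricata's URI normalisation are deliberately not modelled; the request-URI is simply the second token of the request line. The sample requests are constructed here; their URI and User-Agent mirror the HTTP log line quoted later in this ticket.

```python
"""Toy matcher for the content/uricontent options of ET sid 2009800.

Added example, not Suricata code. It models `content ... depth` and
`uricontent ... nocase` only; flow:established, $HOME_NET/$HTTP_PORTS and
URI normalisation are assumptions left out of this illustration.
"""
from typing import Optional

# Options lifted verbatim from the rule on this page.
CONTENT = b"GET "
CONTENT_DEPTH = 4
URICONTENT = [
    b"/manage.old/sun/signup.aspx?MACAddresses=MAC",
    b"ShowCount=",
]  # both carry `nocase` in the rule


def request_uri(payload: bytes) -> Optional[bytes]:
    """Return the request-URI from an HTTP request line, or None if malformed."""
    line = payload.split(b"\r\n", 1)[0]
    parts = line.split(b" ")
    if len(parts) != 3:
        return None
    return parts[1]


def content_matches(payload: bytes, pattern: bytes, depth: int) -> bool:
    """`content` with `depth`: the pattern must occur within the first `depth` bytes."""
    return pattern in payload[:depth]


def uricontent_matches(uri: bytes, pattern: bytes, nocase: bool) -> bool:
    """`uricontent`, optionally case-insensitive (`nocase`)."""
    if nocase:
        return pattern.lower() in uri.lower()
    return pattern in uri


def rule_2009800_matches(payload: bytes) -> bool:
    """True when every content option of sid 2009800 matches the client payload."""
    if not content_matches(payload, CONTENT, CONTENT_DEPTH):
        return False
    uri = request_uri(payload)
    if uri is None:
        return False
    return all(uricontent_matches(uri, p, nocase=True) for p in URICONTENT)


def build_request(method: bytes, uri: bytes, host: bytes, user_agent: bytes) -> bytes:
    """Assemble a minimal HTTP/1.1 request (constructed test input)."""
    return (
        method + b" " + uri + b" HTTP/1.1\r\n"
        b"Host: " + host + b"\r\n"
        b"User-Agent: " + user_agent + b"\r\n"
        b"Connection: keep-alive\r\n\r\n"
    )


# Constructed samples; URI and User-Agent mirror the http log line in this ticket.
UA = (b"Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.5) "
      b"Gecko/20091102 Firefox/3.5.5 (.NET CLR 3.5.30729)")
HOST = b"www.domain.tld"
SAMPLE_HIT = build_request(
    b"GET", b"/manage.old/sun/signup.aspx?MACAddresses=MACShowCount=", HOST, UA)
SAMPLE_LOWERCASE = build_request(
    b"GET", b"/MANAGE.OLD/sun/SIGNUP.aspx?macaddresses=macshowcount=", HOST, UA)
SAMPLE_POST = build_request(
    b"POST", b"/manage.old/sun/signup.aspx?MACAddresses=MACShowCount=", HOST, UA)
SAMPLE_MISSING = build_request(
    b"GET", b"/manage.old/sun/signup.aspx?MACAddresses=MAC", HOST, UA)

if __name__ == "__main__":
    for name, req in [("hit", SAMPLE_HIT), ("lowercase", SAMPLE_LOWERCASE),
                      ("post", SAMPLE_POST), ("missing ShowCount=", SAMPLE_MISSING)]:
        print(f"{name:20s} -> {rule_2009800_matches(req)}")
```

Because all four sample requests are evaluated on a plain byte string, the model says nothing about stream reassembly or flow tracking; if a request that matches here is logged by the HTTP parser but does not alert, the problem lies in those layers rather than in the rule's content options.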
Files
Updated by Will Metcalf over 14 years ago
Seems to fire for me. Will load it in the test rig to see if it's consistent.
Updated by Will Metcalf over 14 years ago
- File emerging-all.rules emerging-all.rules added
When using this with the attached emerging-all.rules file we seem to alert, but it is very inconsistent. For me locally we only fire on this sig 1 out of 10 times, but the HTTP request is logged every time.
src/.libs/lt-suricata -c suricata.yaml -s emerging-all.rules -l ./ -r 2009800.pcap
alert: 1   noalert: 9
Logs the HTTP request every time:
07/16/10-18:48:19.703262 www.domain.tld [**] /manage.old/sun/signup.aspx?MACAddresses=MACShowCount= [**] Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 (.NET CLR 3.5.30729) [**] 192.168.1.1:34598 -> 1.1.1.1:80
Updated by Victor Julien over 14 years ago
- Status changed from New to Closed
- % Done changed from 0 to 100
Should be fixed by commit 0d008c8135a76f0d22cf0fc6f9276ef93385c89a