Bug #219: uricontent with relative pcre - Suricata - Open Information Security Foundation

Actions

Copy link

Bug #219

closed

uricontent with relative pcre

Bug #219: uricontent with relative pcre

Added by Victor Julien almost 16 years ago. Updated over 15 years ago.

Status:

Closed

Priority:

Normal

Assignee:

Target version:

Affected Versions:

Effort:

Difficulty:

Label:

Description

There are signatures in VRT that follow this basic pattern. We are not supporting it because right now the detection engine has no way of knowing where in the raw payload the uri match ended. Another complication is that the uri normalizer may change the size of the uri (e.g. %20 becomes a single space, shrinking the uri with 2 bytes).

uricontent:"foo"; pcre:"/bar/R";
content:"foo"; http_uri; pcre:"/bar/R";

It seems in Snort this only works on non-normalized uri's.

History
Notes
Property changes

VJ Updated by Victor Julien over 15 years ago Actions
Copy link
#1

Status changed from New to Closed

This works now in 1.1beta1.

Actions

Copy link

Also available in: PDF Atom

Project

General

Profile

Suricata

Custom queries

Bug #219

uricontent with relative pcre

VJ Updated by Victor Julien over 15 years ago Actions
Copy link
#1

Project

General

Profile

Suricata

Custom queries

Bug #219

uricontent with relative pcre

VJ Updated by Victor Julien over 15 years ago ActionsCopy link #1

VJ Updated by Victor Julien over 15 years ago Actions
Copy link
#1