Bug #227
closedstrange FP on suricata v101/100
Description
Hi,
I have a strange FP with theses two sigs:
alert tcp any 80 -> any any (msg:"http reply 1"; flow:to_client,established; content:"HTTP/1."; nocase; depth:7; content:!" 200 OK"; nocase; distance:1; content:!" 206 Partial Content"; nocase; distance:1; classtype:attempted-admin; sid:9014691; rev:1; )
alert tcp any 80 -> any any (msg:"http reply 2"; flow:to_client,established; content:"HTTP/1."; content:" Expect"; nocase; within:20; distance:0; classtype:misc-attack; sid:9014252; rev:1;)
suricata v101/100 generate two alerts:
07/30/10-16:06:26.005780 [**] [1:9014691:1] http reply 1 [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 3] {6} 66.249.92.104:80 -> 192.168.70.5:56913
07/30/10-16:10:26.004807 [**] [1:9014691:1] http reply 1 [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 3] {6} 66.249.92.104:80 -> 192.168.70.5:56913
but if you disable second sig/sid (9014252), only one alert fire.
Why second alert not fire if I disable second sig/sid please?
Regards
Rmkml
Files
Updated by Will Metcalf over 14 years ago
- Due date set to 08/20/2010
- Assignee set to OISF Dev
- Target version set to 1.0.2
- Estimated time set to 2.50 h
Updated by Victor Julien about 14 years ago
- Target version changed from 1.0.2 to 1.1beta1
Updated by Anoop Saldanha about 14 years ago
- Assignee changed from OISF Dev to Anoop Saldanha
Updated by Anoop Saldanha about 14 years ago
- File 0001-fix-for-bug-227.-For-negated-contents-that-have-been.patch 0001-fix-for-bug-227.-For-negated-contents-that-have-been.patch added
Attached a patch. We should see 2 alerts now irrespective of sid #2's presence.
Updated by Victor Julien about 14 years ago
- Status changed from New to Closed
- % Done changed from 0 to 100
Applied to my local tree. Thanks Anoop!