Project

General

Profile

Actions

Bug #230

closed

"uricontent" parameter in rules doesn't work

Added by Roberto Amado over 14 years ago. Updated almost 14 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

Hi,
first of all i want to say that you are doing a excellent job. I running suricata in inline mode with only 1 rule:

drop tcp any any -> any 80 (msg:"WEB-MISC /etc/passwd"; uricontent:"/etc/passwd"; sid:1122; rev:7;)

The problem is that when i try to connect to the protected webserver the packet is not blocket, the rule doesn't match. But instead of this i write

drop tcp any any -> any 80 (msg:"WEB-MISC /etc/passwd"; content:"/etc/passwd"; sid:1122; rev:7;)

the rule match the packet when i make a GET request. But this is a problem because drops all packet sent to the server (obviously raw) that match /etc/passwd not only in the URI.

So... Is there some way to drop packets that only matches paterns in the URI?

Thanks a lot.

Actions

Also available in: Atom PDF