Project

General

Profile

Actions

Bug #2479

open

http_cookie negation fails if no cookie in traffic

Added by Jason Williams over 4 years ago. Updated over 4 years ago.

Status:
New
Priority:
Normal
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

Given the below example rule where we are looking for a HTTP POST with a http_cookie negation:

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"COOKIE Y"; flow:to_server,established; content:"POST"; http_method; content:!"this_doesnt_exist_who_cares_it_should_still_fire"; http_cookie; classtype:trojan-activity; sid:102; rev:1;)

This will fire on this traffic which has a cookie in it...

POST /trach/00/00/980014/index/xb/OF.php HTTP/1.1
Accept-Encoding: identity
Content-Length: 59
Host: vitospetromata.gr
Connection: close
Referer: http://vitospetromata.gr/trach/00/00/980014/index/xb/OF.php
Cookie: _mcnc=1
Content-Type: application/x-www-form-urlencoded

...but will not fire on this traffic that does not have a cookie in it.

POST /index2.php HTTP/1.1
Accept-Encoding: identity
Content-Length: 143
Host: moifesgeucswaytvvxe.altervista.org
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:42.0) Gecko/20100101 Firefox/42.0
Connection: close
Referer: http://moifesgeucswaytvvxe.altervista.org/Update.html
Content-Type: application/x-www-form-urlencoded

It seems like this negation should work in both cases? Tested in 4.0.4, 4.0.1, and latest git.


Related issues 2 (1 open1 closed)

Related to Bug #2224: Negated http_* match returns false if buffer not populatedNewOISF DevActions
Has duplicate Bug #3505: Negations on contents within the http_cookie buffer causes FN if no http_cookie is presentClosedActions
Actions #1

Updated by Andreas Herz over 4 years ago

  • Assignee set to OISF Dev
  • Target version set to TBD
Actions #2

Updated by Philippe Antoine over 3 years ago

  • Related to Bug #2224: Negated http_* match returns false if buffer not populated added
Actions #3

Updated by Philippe Antoine over 1 year ago

  • Has duplicate Bug #3505: Negations on contents within the http_cookie buffer causes FN if no http_cookie is present added
Actions #4

Updated by Philippe Antoine over 1 year ago

  • Has duplicate Bug #4286: FN occurs when using negated isdataat with http_cookie keyword added
Actions #5

Updated by Victor Julien 2 months ago

  • Has duplicate deleted (Bug #4286: FN occurs when using negated isdataat with http_cookie keyword)
Actions

Also available in: Atom PDF