Bug #2522
Status: closed
The cross-effects of rules on each other, without the use of flowbits.
Affected Versions:
Effort:
Difficulty:
Label:
Description
One rule can influence the operation of another even when the two are not linked by flowbits. This happens when the influencing signature uses both http buffers and the raw tcp/stream buffer, and the signature being influenced matches on the reassembled stream.
This eerie action at a distance stops if "no_stream" is added to the flow keyword of the signature being influenced, or if every check in the influencing signature is placed in http buffers.
Rule 1 (the influencing signature; adding "http_header" after the "Accept-Encoding: identity" content disables the effect):

    alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "test1"; flow: established, to_server; content: "Accept-Encoding: identity"; content: "data="; http_client_body; depth:5; classtype: misc-activity; sid: 1; rev: 1;)

Rule 2 (the influenced signature; adding "no_stream" to the flow keyword also disables the effect):

    alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg: "test2"; flow: established, to_server; content: "|6c55554503104840|"; offset:4; depth:8; classtype: misc-activity; sid: 2; rev: 1;)
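As an added illustration (not code from this report or from the Suricata project), the following small Python linter profiles each rule by where its content matches land: in the raw tcp/stream buffer or in an HTTP buffer. It flags the two conditions the report describes, a rule that mixes raw-stream content with HTTP-buffer content (rule 1) and a tcp rule that matches raw content on the reassembled stream without "no_stream" (rule 2). The list of legacy http_* content modifiers is taken from the Suricata 4.x keyword set; the handling of the newer sticky-buffer form (http.header etc.) and the two "fixed" rule variants (sid 3 and sid 4) are constructed here following the report's own suggestions and are assumptions, not part of the original.

```python
import re
from dataclasses import dataclass, field

# Legacy (Suricata 4.x) content modifiers: each moves the *preceding* content
# keyword out of the raw stream/payload and into an HTTP buffer.
HTTP_CONTENT_MODIFIERS = {
    "http_header", "http_raw_header", "http_client_body", "http_server_body",
    "http_uri", "http_raw_uri", "http_cookie", "http_method", "http_host",
    "http_raw_host", "http_user_agent", "http_stat_code", "http_stat_msg",
    "http_request_line", "http_response_line",
}

# Constructed sample: the two rules from the report (sid 1, 2) plus the two
# variants the report says remove the cross-effect (sid 3, 4; constructed here).
SAMPLE_RULES = [
    'alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "test1"; flow: established, to_server; '
    'content: "Accept-Encoding: identity"; content: "data="; http_client_body; depth:5; '
    'classtype: misc-activity; sid: 1; rev: 1;)',
    'alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg: "test2"; flow: established, to_server; '
    'content: "|6c55554503104840|"; offset:4; depth:8; classtype: misc-activity; sid: 2; rev: 1;)',
    'alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "test1-fixed"; flow: established, to_server; '
    'content: "Accept-Encoding: identity"; http_header; content: "data="; http_client_body; depth:5; '
    'classtype: misc-activity; sid: 3; rev: 2;)',
    'alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg: "test2-fixed"; flow: established, to_server, no_stream; '
    'content: "|6c55554503104840|"; offset:4; depth:8; classtype: misc-activity; sid: 4; rev: 2;)',
]


@dataclass
class RuleProfile:
    sid: int
    proto: str
    raw_contents: list = field(default_factory=list)   # matched in raw stream/payload
    http_contents: list = field(default_factory=list)  # (content, http buffer) pairs
    no_stream: bool = False


def split_options(option_text):
    """Split the text inside (...) into (keyword, value) pairs, honouring quotes and escapes."""
    opts, cur, in_quote, i = [], "", False, 0
    while i < len(option_text):
        ch = option_text[i]
        if ch == "\\" and i + 1 < len(option_text):      # keep escaped char verbatim
            cur += ch + option_text[i + 1]
            i += 2
            continue
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            opts.append(cur.strip())
            cur = ""
        else:
            cur += ch
        i += 1
    if cur.strip():
        opts.append(cur.strip())
    pairs = []
    for opt in opts:
        if opt:
            key, _, val = opt.partition(":")
            pairs.append((key.strip(), val.strip()))
    return pairs


def profile_rule(rule):
    """Classify every content keyword of one rule by the buffer it is inspected in."""
    header, _, options = rule.partition("(")
    proto = header.split()[1]
    prof = RuleProfile(sid=-1, proto=proto)
    pending = None   # last content not yet claimed by a legacy http_* modifier
    sticky = None    # active sticky buffer (http.* form of newer Suricata; assumed)
    for key, val in split_options(options.rstrip().rstrip(")")):
        if key == "sid":
            prof.sid = int(val)
        elif key == "flow":
            prof.no_stream = "no_stream" in [x.strip() for x in val.split(",")]
        elif key.startswith("http.") and val == "":
            sticky = key
        elif key == "pkt_data":                      # returns inspection to the raw packet
            sticky = None
        elif key in HTTP_CONTENT_MODIFIERS and pending is not None:
            prof.http_contents.append((pending, key))
            pending = None
        elif key == "content":
            if pending is not None:                  # previous content had no modifier: raw
                prof.raw_contents.append(pending)
            text = val.lstrip("!").strip('"')
            if sticky:
                prof.http_contents.append((text, sticky))
                pending = None
            else:
                pending = text
    if pending is not None:
        prof.raw_contents.append(pending)
    return prof


def lint(rules):
    """Return (sid, finding) for each rule showing a pattern from the report."""
    findings = []
    for rule in rules:
        if not rule.strip() or rule.lstrip().startswith("#"):
            continue
        p = profile_rule(rule)
        if p.raw_contents and p.http_contents:
            findings.append((p.sid, "mixes raw-stream content with HTTP-buffer content"))
        elif p.raw_contents and p.proto == "tcp" and not p.no_stream:
            findings.append((p.sid, "matches raw content in the reassembled stream (no no_stream)"))
    return findings


if __name__ == "__main__":
    for sid, finding in lint(SAMPLE_RULES):
        print(f"sid {sid}: {finding}")
```

Running it over the four sample rules reports sid 1 and sid 2 only; the two variants that follow the report's suggestions produce no finding, which is the property a ruleset review would want to check before deploying rules that mix buffers.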
Pcap in attachment.
This is Suricata version 4.1.0-beta1 RELEASE