Project

General

Profile

Actions
Copy link

Bug #268

closed

complex FP with suricata

Added by rmkml rmkml over 13 years ago. Updated about 13 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Anoop Saldanha
Target version:
1.1beta2
Affected Versions:
Effort:
Difficulty:
Label:

Description

Hi,
Happy New Year and best wishes for Suricata project!

Im found a "complex" FP pb with this version (and previous if I remember correctly).
ok first download full Emerging Threat suricata version today (~5.9M):
http://rules.emergingthreats.net/open/suricata/emerging-all.rules

and simply add this rule:
alert tcp any any -> any 80 (msg:"suricata ht ext FP"; flow:to_server,established; uricontent:".ht"; nocase;
pcre:!"/\.ht[a-z0-9]/Ui"; classtype:web-application-activity; sid:931362; rev:1;)

and start suricata ten times with my joigned pcap file:
...
12/21/2010-11:15:23.619639 [**] [1:931362:1] suricata ht ext FP [**] [Classification: access to a potentially vulnerable web application]
[Priority: 3] {TCP} 192.168.1.80:50966 -> 66.35.45.157:80
...

my joigned pcap file contains http request like:
...
GET./index.html.HTTP/1.1
...

and next, simply remove emerging-all.rules file and restart suricata: no alert!
Regards
Rmkml

Files

Download all files
suricatafphtextflowbitspcre3.pcap (101 KB) suricatafphtextflowbitspcre3.pcap rmkml rmkml, 01/05/2011 03:13 AM
0001-disable-mpm-pattern-s-retest-skipping-in-detection-e.patch (4.44 KB) 0001-disable-mpm-pattern-s-retest-skipping-in-detection-e.patch Anoop Saldanha, 04/13/2011 03:01 AM
Actions
Copy link
 #1

Updated by Victor Julien about 13 years ago

  • Due date set to 04/10/2011
  • Assignee set to Anoop Saldanha
  • Target version set to 1.1beta2
  • Estimated time set to 4.00 h

Thanks rmkml. This appears to be an issue with inspecting the individual http transactions.

@Anoop it appears that commenting the code below from DoInspectPacketUri() solves the issue.

if (ud->flags & DETECT_CONTENT_URI_MPM && !(ud->flags & DETECT_CONTENT_NEGATED))
            goto match;
Actions
Copy link
 #2

Updated by Anoop Saldanha about 13 years ago

Victor Julien wrote:

Thanks rmkml. This appears to be an issue with inspecting the individual http transactions.

@Anoop it appears that commenting the code below from DoInspectPacketUri() solves the issue.

if (ud->flags & DETECT_CONTENT_URI_MPM && !(ud->flags & DETECT_CONTENT_NEGATED))
goto match;

Yes. It's an issue with skipping checks with multiple transactions. Have disabled this skip pattern retest in all the http engine code. The perf drop is around 1%, which imo is negligible. Can probably look into holding this mpm match state per transaction. Attached a patch

Actions
Copy link
 #3

Updated by Victor Julien about 13 years ago

  • Status changed from New to Closed
  • % Done changed from 0 to 100

Applied, thanks Anoop.

Actions
Copy link

Also available in: Atom PDF