Bug #268
Status: closed
complex FP with suricata
Description
Hi,
Happy New Year and best wishes for Suricata project!
I found a "complex" FP problem with this version (and previous ones, if I remember correctly).
OK, first download the full Emerging Threats Suricata rules file as of today (~5.9M):
http://rules.emergingthreats.net/open/suricata/emerging-all.rules
and simply add this rule:
alert tcp any any -> any 80 (msg:"suricata ht ext FP"; flow:to_server,established; uricontent:".ht"; nocase;
pcre:!"/\.ht[a-z0-9]/Ui"; classtype:web-application-activity; sid:931362; rev:1;)
and start Suricata ten times with my attached pcap file:
...
12/21/2010-11:15:23.619639 [**] [1:931362:1] suricata ht ext FP [**] [Classification: access to a potentially vulnerable web application]
[Priority: 3] {TCP} 192.168.1.80:50966 -> 66.35.45.157:80
...
my attached pcap file contains HTTP requests like:
...
GET./index.html.HTTP/1.1
...
and next, simply remove the emerging-all.rules file and restart Suricata: no alert!
Regards
Rmkml
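As an added reference check (not part of the bug report and not Suricata's own code), the script below applies the rule's `uricontent:".ht"; nocase;` test and its negated `pcre:!"/\.ht[a-z0-9]/Ui"` to the normalized URI the way the rule reads, so a Suricata verdict can be compared against what the rule should do. It assumes a minimal URI normalization (query string dropped, percent-decoding) and uses constructed request lines, including the `/index.html` case from the report.

```python
import re
import urllib.parse

# Reference oracle for the rule in the report (assumption: both the uricontent
# and the U-modified pcre are evaluated against the same normalized URI buffer).
URICONTENT = ".ht"                                   # uricontent:".ht"; nocase;
NEGATED_PCRE = re.compile(r"\.ht[a-z0-9]", re.IGNORECASE)  # pcre:!"/\.ht[a-z0-9]/Ui"

REQUEST_LINE_RE = re.compile(r"^(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/\d\.\d$")


def normalize_uri(raw_uri: str) -> str:
    """Minimal normalization: drop the query string, then percent-decode the path."""
    path = raw_uri.split("?", 1)[0]
    return urllib.parse.unquote(path)


def rule_should_alert(raw_uri: str) -> bool:
    """True only when '.ht' occurs (case-insensitive) AND the negated pcre does NOT match."""
    buf = normalize_uri(raw_uri)
    if URICONTENT not in buf.lower():
        return False                      # uricontent fails: rule cannot fire
    return NEGATED_PCRE.search(buf) is None  # negation: a pcre hit suppresses the alert


def evaluate_request(request_line: str) -> bool:
    """Extract the URI from an HTTP/1.x request line and apply the rule to it."""
    m = REQUEST_LINE_RE.match(request_line)
    if m is None:
        raise ValueError(f"not an HTTP request line: {request_line!r}")
    return rule_should_alert(m.group("uri"))


# Constructed sample request lines (not from the attached pcap). The first one is
# the request the report says wrongly alerted; per the rule it must NOT alert,
# because '.htm' satisfies the pcre and the pcre is negated.
SAMPLE_REQUESTS = [
    "GET /index.html HTTP/1.1",      # expected: no alert (reported false positive)
    "GET /dir/.HTaccess HTTP/1.1",   # expected: no alert ('.HTa' matches pcre, nocase)
    "GET /.ht HTTP/1.1",             # expected: alert ('.ht' with nothing after it)
    "GET /foo.ht/ HTTP/1.1",         # expected: alert ('.ht' followed by '/')
    "GET /foo.ht?x=1 HTTP/1.1",      # expected: alert (query stripped before matching)
    "GET /index.php HTTP/1.1",       # expected: no alert (no '.ht' at all)
]


def evaluate_samples() -> dict:
    """Map each constructed request line to the rule's expected verdict."""
    return {line: evaluate_request(line) for line in SAMPLE_REQUESTS}


if __name__ == "__main__":
    for line, verdict in evaluate_samples().items():
        print(f"{'ALERT   ' if verdict else 'no alert'}  {line}")
```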