Bug #3450 (closed)
signature with sticky buffer with subsequent pcre check in a different buffer loads but will never match
Description
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"suri 5 pcre fun"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; http.header; content:"|0d 0a|User-Agent|0d 0a|"; content:!"Referer|3a 20|"; pcre:"/^(?:[A-F0-9]{2}){200,}$/P";)
This rule loads in suri 5 but does not fire on pcap. It seems that the sticky buffer is set and loads the pcre within the existing sticky buffer even though we specify the buffer for the pcre.
If the pcre is moved to the front of the rule, the rule fires as expected, example:
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"suri 5 pcre fun"; flow:established,to_server; pcre:"/^(?:[A-F0-9]{2}){200,}$/P"; http.method; content:"POST"; http.uri; content:".php"; http.header; content:"|0d 0a|User-Agent|0d 0a|"; content:!"Referer|3a 20|";)
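As an added example, not part of the original report: the same detection written entirely with Suricata 5 sticky buffers, so that no legacy pcre modifier follows a sticky buffer. It assumes that `http.request_body` is the sticky-buffer equivalent of the legacy `/P` modifier used above.

```suricata
# Added example: the body check is placed under its own sticky buffer
# (http.request_body, assumed equivalent to the legacy /P modifier) instead
# of relying on a /P modifier after http.header has been selected.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"suri 5 pcre fun (sticky buffers only)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; http.header; content:"|0d 0a|User-Agent|0d 0a|"; content:!"Referer|3a 20|"; http.request_body; pcre:"/^(?:[A-F0-9]{2}){200,}$/"; sid:1; rev:1;)
```

The sid and rev values are placeholders; load the rule against the same pcap with `-v` to confirm it fires where the original ordering did not.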