Bug #405
closedanother FP with pcre I option on suricata v121
Description
Hi,
I have a FP with this simply signature and joigned pcap file:
alert tcp any any -> any 80 (msg:"suricata pcre I test"; flow:to_server,established; content:".php/"; nocase; http_raw_uri; pcre:"/^[^\n]*\.php\/$/Ii"; classtype:attempted-admin; sid:9410351; rev:1; )
If I remove "$" on pcre, suricata fire and it's true.
If I remember correctly, "$" are http_raw_uri ending.
I have tested with suricata rule like "alert http any..." but FP again.
Of couse, snort not fire.
Regards
Rmkml
PS: simulated http with wget "http://ibiblio.org/abc.php/a"
Files
Updated by Anoop Saldanha about 12 years ago
- File 0001-bug-405-fix-bug-where-raw-uri-inspection-sigs-were-n.patch added
- Status changed from New to Closed
- Assignee set to Anoop Saldanha
Fix attached.
Updated by Victor Julien about 12 years ago
- Status changed from Closed to Assigned
- Target version set to 1.3beta1
- % Done changed from 0 to 70
Can you add a unittest as well?
Btw, please set to resolved instead of closed. I'll close it when I apply it.
Updated by Anoop Saldanha about 12 years ago
Victor Julien wrote:
Can you add a unittest as well?
Yes
Btw, please set to resolved instead of closed. I'll close it when I apply it.
Yes. Missed that actually.
Updated by Anoop Saldanha about 12 years ago
- File 0001-Use-SigInitReal-instead-of-SigInit-in-raw-uri-tests..patch 0001-Use-SigInitReal-instead-of-SigInit-in-raw-uri-tests..patch added
- File 0002-bug-405-fix-bug-where-raw-uri-inspection-sigs-were-n.patch 0002-bug-405-fix-bug-where-raw-uri-inspection-sigs-were-n.patch added
Unittests added.
Updated by Anoop Saldanha about 12 years ago
- File deleted (
0001-bug-405-fix-bug-where-raw-uri-inspection-sigs-were-n.patch)
Updated by Anoop Saldanha about 12 years ago
- File 0003-Add-function-declaration-for-SigInitReal.patch 0003-Add-function-declaration-for-SigInitReal.patch added
Added another patch. Missed the function declaration from previous commit.
Updated by Victor Julien about 12 years ago
Why did you use SigInitReal over SigInit? Iirc it's only meant to be used in case of bi-directional sigs.
Updated by Anoop Saldanha about 12 years ago
Victor Julien wrote:
Why did you use SigInitReal over SigInit? Iirc it's only meant to be used in case of bi-directional sigs.
We don't seem to be having any such restrictions. We are using SigInitReal() only atm. bi-directional or not, shouldn't make any difference. For uni-directional sigs SigInitReal() would behave as SigInit() anyways.
Updated by Victor Julien about 12 years ago
Okay. Opened #412 to unify the functions.
Updated by Victor Julien about 12 years ago
- Status changed from Assigned to Closed
Applied, thanks Anoop.