another FP with pcre I option on suricata v121
Assignee: Anoop Saldanha
Category: -
Estimated time: 5.00 hours
I have an FP with this simple signature and the attached pcap file:
alert tcp any any -> any 80 (msg:"suricata pcre I test"; flow:to_server,established; content:".php/"; nocase; http_raw_uri; pcre:"/^[^\n]*\.php\/$/Ii"; classtype:attempted-admin; sid:9410351; rev:1; )
If I remove "$" from the pcre, Suricata fires, and that is correct.
If I remember correctly, "$" is the end of http_raw_uri.
I have tested with a Suricata rule like "alert http any..." but it is an FP again.
Of course, Snort does not fire.
PS: simulated http with wget "http://ibiblio.org/abc.php/a"
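The behaviour the report expects from this signature, as an added Python model (not Suricata or Snort code): the content prefilter runs on the raw URI first, then the pcre with its I (raw-uri buffer) and i (case-insensitive) modifiers, and "$" anchors at the end of the raw URI. The URIs and the rule-parsing helpers are constructed for this example and only handle a rule with one content option followed by its modifiers and one pcre option.

```python
import re

# Constructed copy of the signature from the report (example only, not Suricata code).
RULE = (
    'alert tcp any any -> any 80 (msg:"suricata pcre I test"; '
    'flow:to_server,established; content:".php/"; nocase; http_raw_uri; '
    r'pcre:"/^[^\n]*\.php\/$/Ii"; classtype:attempted-admin; sid:9410351; rev:1; )'
)
# The reporter's variant with "$" removed from the pcre.
RULE_NO_DOLLAR = RULE.replace(r"\/$/Ii", r"\//Ii")

_PCRE = re.compile(r'pcre:"/(?P<pat>[^"]*)/(?P<flags>[A-Za-z]*)"')
_CONTENT = re.compile(r'content:"(?P<c>[^"]*)";\s*(?P<mods>(?:[a-z_]+;\s*)*)')


def parse_rule(rule):
    """Return (content, nocase, pcre_pattern, pcre_flags). Assumes one content
    option followed by its modifiers and one pcre option (hypothetical helper)."""
    c, p = _CONTENT.search(rule), _PCRE.search(rule)
    if not c or not p:
        raise ValueError("rule does not have the content/pcre shape handled here")
    mods = c.group("mods").split()
    return c.group("c"), "nocase;" in mods, p.group("pat"), p.group("flags")


def raw_uri_alerts(rule, raw_uri):
    """True if the rule should alert on this raw URI: content match first,
    then the pcre against the raw-uri buffer (I), case-insensitive if i is set."""
    content, nocase, pat, flags = parse_rule(rule)
    if "I" not in flags:
        raise ValueError("only raw-uri (I) pcre is modelled here")
    hay, needle = (raw_uri.lower(), content.lower()) if nocase else (raw_uri, content)
    if needle not in hay:
        return False  # content prefilter fails, pcre is never evaluated
    re_flags = re.IGNORECASE if "i" in flags else 0
    return re.search(pat, raw_uri, re_flags) is not None


def expected_alerts(rule, raw_uris):
    """URIs from the list that the rule should alert on per the pattern's semantics."""
    return [u for u in raw_uris if raw_uri_alerts(rule, u)]


if __name__ == "__main__":
    # Constructed raw URIs; the first is the one from the report's wget request.
    uris = ["/abc.php/a", "/abc.php/", "/ABC.PHP/", "/index.html"]
    print(expected_alerts(RULE, uris))            # ['/abc.php/', '/ABC.PHP/']
    print(expected_alerts(RULE_NO_DOLLAR, uris))  # ['/abc.php/a', '/abc.php/', '/ABC.PHP/']
```

With "$" in place, "/abc.php/a" must not alert; an alert on it is the false positive the report describes.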
#4 Updated by Anoop Saldanha about 2 years ago
- File 0001-Use-SigInitReal-instead-of-SigInit-in-raw-uri-tests..patch added
- File 0002-bug-405-fix-bug-where-raw-uri-inspection-sigs-were-n.patch added
#6 Updated by Anoop Saldanha about 2 years ago
Added another patch. Missed the function declaration from previous commit.
#8 Updated by Anoop Saldanha about 2 years ago
Victor Julien wrote:
Why did you use SigInitReal over SigInit? Iirc it's only meant to be used in case of bi-directional sigs.
We don't seem to be having any such restrictions. We are using SigInitReal() only atm. Bi-directional or not, it shouldn't make any difference. For uni-directional sigs SigInitReal() would behave as SigInit() anyway.