Bug #405

another FP with pcre I option on suricata v121

Added by rmkml rmkml over 2 years ago. Updated about 2 years ago.

Status: Closed
Start date: 02/03/2012
Priority: Normal
Due date:
Assignee: Anoop Saldanha
% Done: 100%
Category: -
Estimated time: 5.00 hours
Target version: 1.3beta1

Description

Hi,
I have a FP with this simple signature and the attached pcap file:
alert tcp any any -> any 80 (msg:"suricata pcre I test"; flow:to_server,established; content:".php/"; nocase; http_raw_uri; pcre:"/^[^\n]*\.php\/$/Ii"; classtype:attempted-admin; sid:9410351; rev:1; )

If I remove "$" on the pcre, suricata fires and it's true.
If I remember correctly, "$" is the http_raw_uri ending.
I have tested with a suricata rule like "alert http any..." but FP again.
Of course, snort does not fire.
Regards
Rmkml

PS: simulated http with wget "http://ibiblio.org/abc.php/a"
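The behaviour the report expects from the signature, as an added Python model that is not Suricata code: the HTTP requests are constructed (the first reproduces the wget URI "/abc.php/a"), and the model covers only the two keywords the rule uses, content with nocase on http_raw_uri and pcre with the /I (raw URI buffer) and /i (caseless) modifiers, so that "$" can only match at the end of the raw URI.

```python
import re

# Constructed sample requests: the one rmkml simulated with wget, plus one
# whose raw URI really does end in ".php/".
REQUESTS = {
    "wget_abc_php_a": b"GET /abc.php/a HTTP/1.1\r\nHost: ibiblio.org\r\n\r\n",
    "ends_with_php_slash": b"GET /admin.php/ HTTP/1.1\r\nHost: ibiblio.org\r\n\r\n",
}

# pcre values copied from the signature in the report, with and without "$".
SIG_PCRE_WITH_DOLLAR = r"/^[^\n]*\.php\/$/Ii"
SIG_PCRE_NO_DOLLAR = r"/^[^\n]*\.php\//Ii"


def raw_uri(request: bytes) -> bytes:
    """Return the un-normalised request URI taken from the request line."""
    request_line = request.split(b"\r\n", 1)[0]
    return request_line.split(b" ")[1]


def parse_pcre_option(opt: str):
    """Split a Suricata pcre value like '/.../Ii' into (pattern, buffer, re flags)."""
    m = re.fullmatch(r"/(.*)/([A-Za-z]*)", opt)
    if not m:
        raise ValueError(f"unsupported pcre option syntax: {opt!r}")
    pattern, flags = m.group(1), m.group(2)
    buffer = "http_raw_uri" if "I" in flags else "payload"  # /I = raw URI buffer
    re_flags = re.IGNORECASE if "i" in flags else 0          # /i = caseless
    return pattern.encode(), buffer, re_flags


def sig_matches(request: bytes, content: bytes, pcre_opt: str) -> bool:
    """Model 'content:<content>; nocase; http_raw_uri; pcre:<pcre_opt>;'."""
    pattern, buffer, re_flags = parse_pcre_option(pcre_opt)
    if buffer != "http_raw_uri":
        raise NotImplementedError("this model only inspects the raw URI buffer")
    uri = raw_uri(request)
    if content.lower() not in uri.lower():   # content match, nocase
        return False
    # The pcre is anchored to the same buffer, so "$" means end of the raw URI.
    return re.search(pattern, uri, re_flags) is not None
```

With the "$" anchor the wget request must not alert, which is the behaviour the report says Suricata got wrong.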

exemple_http_php_suricata.pcap (6.92 KB) rmkml rmkml, 01/23/2012 03:18 PM

0001-Use-SigInitReal-instead-of-SigInit-in-raw-uri-tests..patch (13.9 KB) Anoop Saldanha, 02/03/2012 07:34 AM

0002-bug-405-fix-bug-where-raw-uri-inspection-sigs-were-n.patch (904 Bytes) Anoop Saldanha, 02/03/2012 07:34 AM

0003-Add-function-declaration-for-SigInitReal.patch (854 Bytes) Anoop Saldanha, 02/03/2012 07:41 AM


Subtasks

Feature #412: unify SigInit and SigInitReal (Closed; assignee: Anoop Saldanha)

History

#1 Updated by Anoop Saldanha about 2 years ago

  • File 0001-bug-405-fix-bug-where-raw-uri-inspection-sigs-were-n.patch added
  • Status changed from New to Closed
  • Assignee set to Anoop Saldanha

Fix attached.

#2 Updated by Victor Julien about 2 years ago

  • Status changed from Closed to Assigned
  • Target version set to 1.3beta1
  • % Done changed from 0 to 70

Can you add a unittest as well?

Btw, please set to resolved instead of closed. I'll close it when I apply it.

#3 Updated by Anoop Saldanha about 2 years ago

Victor Julien wrote:

Can you add a unittest as well?

Yes

Btw, please set to resolved instead of closed. I'll close it when I apply it.

Yes. Missed that actually.

#5 Updated by Anoop Saldanha about 2 years ago

  • File deleted (0001-bug-405-fix-bug-where-raw-uri-inspection-sigs-were-n.patch)

#6 Updated by Anoop Saldanha about 2 years ago

Added another patch. Missed the function declaration from previous commit.

#7 Updated by Victor Julien about 2 years ago

Why did you use SigInitReal over SigInit? Iirc it's only meant to be used in case of bi-directional sigs.

#8 Updated by Anoop Saldanha about 2 years ago

Victor Julien wrote:

Why did you use SigInitReal over SigInit? Iirc it's only meant to be used in case of bi-directional sigs.

We don't seem to be having any such restrictions. We are using SigInitReal() only atm. Bi-directional or not, it shouldn't make any difference. For uni-directional sigs SigInitReal() would behave as SigInit() anyway.

#9 Updated by Victor Julien about 2 years ago

Okay. Opened #412 to unify the functions.

#10 Updated by Victor Julien about 2 years ago

  • Status changed from Assigned to Closed

Applied, thanks Anoop.
