Project

General

Profile

Actions

Bug #405

closed

another FP with pcre I option on suricata v121

Added by rmkml rmkml almost 13 years ago. Updated almost 13 years ago.

Status:
Closed
Priority:
Normal
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

Hi,
I have a FP with this simply signature and joigned pcap file:
alert tcp any any -> any 80 (msg:"suricata pcre I test"; flow:to_server,established; content:".php/"; nocase; http_raw_uri; pcre:"/^[^\n]*\.php\/$/Ii"; classtype:attempted-admin; sid:9410351; rev:1; )

If I remove "$" on pcre, suricata fire and it's true.
If I remember correctly, "$" are http_raw_uri ending.
I have tested with suricata rule like "alert http any..." but FP again.
Of couse, snort not fire.
Regards
Rmkml

PS: simulated http with wget "http://ibiblio.org/abc.php/a"


Files


Subtasks 1 (0 open1 closed)

Feature #412: unify SigInit and SigInitRealClosedAnoop Saldanha02/03/2012Actions
Actions #1

Updated by Anoop Saldanha almost 13 years ago

  • File 0001-bug-405-fix-bug-where-raw-uri-inspection-sigs-were-n.patch added
  • Status changed from New to Closed
  • Assignee set to Anoop Saldanha

Fix attached.

Actions #2

Updated by Victor Julien almost 13 years ago

  • Status changed from Closed to Assigned
  • Target version set to 1.3beta1
  • % Done changed from 0 to 70

Can you add a unittest as well?

Btw, please set to resolved instead of closed. I'll close it when I apply it.

Actions #3

Updated by Anoop Saldanha almost 13 years ago

Victor Julien wrote:

Can you add a unittest as well?

Yes

Btw, please set to resolved instead of closed. I'll close it when I apply it.

Yes. Missed that actually.

Actions #5

Updated by Anoop Saldanha almost 13 years ago

  • File deleted (0001-bug-405-fix-bug-where-raw-uri-inspection-sigs-were-n.patch)
Actions #6

Updated by Anoop Saldanha almost 13 years ago

Added another patch. Missed the function declaration from previous commit.

Actions #7

Updated by Victor Julien almost 13 years ago

Why did you use SigInitReal over SigInit? Iirc it's only meant to be used in case of bi-directional sigs.

Actions #8

Updated by Anoop Saldanha almost 13 years ago

Victor Julien wrote:

Why did you use SigInitReal over SigInit? Iirc it's only meant to be used in case of bi-directional sigs.

We don't seem to be having any such restrictions. We are using SigInitReal() only atm. bi-directional or not, shouldn't make any difference. For uni-directional sigs SigInitReal() would behave as SigInit() anyways.

Actions #9

Updated by Victor Julien almost 13 years ago

Okay. Opened #412 to unify the functions.

Actions #10

Updated by Victor Julien almost 13 years ago

  • Status changed from Assigned to Closed

Applied, thanks Anoop.

Actions

Also available in: Atom PDF