Project

General

Profile

Actions
Copy link

Bug #405

closed
RR AS

another FP with pcre I option on suricata v121

Bug #405: another FP with pcre I option on suricata v121

Added by rmkml rmkml about 14 years ago. Updated about 14 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Anoop Saldanha
Target version:
1.3beta1
Affected Versions:
Effort:
Difficulty:
Label:

Description

Hi,
I have a FP with this simply signature and joigned pcap file:
alert tcp any any -> any 80 (msg:"suricata pcre I test"; flow:to_server,established; content:".php/"; nocase; http_raw_uri; pcre:"/^[^\n]*\.php\/$/Ii"; classtype:attempted-admin; sid:9410351; rev:1; )

If I remove "$" on pcre, suricata fire and it's true.
If I remember correctly, "$" are http_raw_uri ending.
I have tested with suricata rule like "alert http any..." but FP again.
Of couse, snort not fire.
Regards
Rmkml

PS: simulated http with wget "http://ibiblio.org/abc.php/a"

Files

Download all files
exemple_http_php_suricata.pcap (6.92 KB) exemple_http_php_suricata.pcap rmkml rmkml, 01/23/2012 03:18 PM
0001-Use-SigInitReal-instead-of-SigInit-in-raw-uri-tests..patch (13.9 KB) 0001-Use-SigInitReal-instead-of-SigInit-in-raw-uri-tests..patch Anoop Saldanha, 02/03/2012 07:34 AM
0002-bug-405-fix-bug-where-raw-uri-inspection-sigs-were-n.patch (904 Bytes) 0002-bug-405-fix-bug-where-raw-uri-inspection-sigs-were-n.patch Anoop Saldanha, 02/03/2012 07:34 AM
0003-Add-function-declaration-for-SigInitReal.patch (854 Bytes) 0003-Add-function-declaration-for-SigInitReal.patch Anoop Saldanha, 02/03/2012 07:41 AM

Subtasks 1 (0 open1 closed)

Feature #412: unify SigInit and SigInitRealClosedAnoop SaldanhaActions

AS Updated by Anoop Saldanha about 14 years ago Actions
Copy link
 #1

  • File 0001-bug-405-fix-bug-where-raw-uri-inspection-sigs-were-n.patch added
  • Status changed from New to Closed
  • Assignee set to Anoop Saldanha

Fix attached.

VJ Updated by Victor Julien about 14 years ago Actions
Copy link
 #2

  • Status changed from Closed to Assigned
  • Target version set to 1.3beta1
  • % Done changed from 0 to 70

Can you add a unittest as well?

Btw, please set to resolved instead of closed. I'll close it when I apply it.

AS Updated by Anoop Saldanha about 14 years ago Actions
Copy link
 #3

Victor Julien wrote:

Can you add a unittest as well?

Yes

Btw, please set to resolved instead of closed. I'll close it when I apply it.

Yes. Missed that actually.

AS Updated by Anoop Saldanha about 14 years ago Actions
Copy link
 #5

  • File deleted (0001-bug-405-fix-bug-where-raw-uri-inspection-sigs-were-n.patch)

AS Updated by Anoop Saldanha about 14 years ago Actions
Copy link
 #6

Added another patch. Missed the function declaration from previous commit.

VJ Updated by Victor Julien about 14 years ago Actions
Copy link
 #7

Why did you use SigInitReal over SigInit? Iirc it's only meant to be used in case of bi-directional sigs.

AS Updated by Anoop Saldanha about 14 years ago Actions
Copy link
 #8

Victor Julien wrote:

Why did you use SigInitReal over SigInit? Iirc it's only meant to be used in case of bi-directional sigs.

We don't seem to be having any such restrictions. We are using SigInitReal() only atm. bi-directional or not, shouldn't make any difference. For uni-directional sigs SigInitReal() would behave as SigInit() anyways.

VJ Updated by Victor Julien about 14 years ago Actions
Copy link
 #9

Okay. Opened #412 to unify the functions.

VJ Updated by Victor Julien about 14 years ago Actions
Copy link
 #10

  • Status changed from Assigned to Closed

Applied, thanks Anoop.

Actions
Copy link

Also available in: PDF Atom