Bug #405
closed
another FP with pcre I option on suricata v121
Added by rmkml rmkml over 12 years ago.
Updated about 12 years ago.
Description
Hi,
I have a FP with this simply signature and joigned pcap file:
alert tcp any any -> any 80 (msg:"suricata pcre I test"; flow:to_server,established; content:".php/"; nocase; http_raw_uri; pcre:"/^[^\n]*\.php\/$/Ii"; classtype:attempted-admin; sid:9410351; rev:1; )
If I remove "$" on pcre, suricata fire and it's true.
If I remember correctly, "$" are http_raw_uri ending.
I have tested with suricata rule like "alert http any..." but FP again.
Of couse, snort not fire.
Regards
Rmkml
PS: simulated http with wget "http://ibiblio.org/abc.php/a"
Files
- File 0001-bug-405-fix-bug-where-raw-uri-inspection-sigs-were-n.patch added
- Status changed from New to Closed
- Assignee set to Anoop Saldanha
- Status changed from Closed to Assigned
- Target version set to 1.3beta1
- % Done changed from 0 to 70
Can you add a unittest as well?
Btw, please set to resolved instead of closed. I'll close it when I apply it.
Victor Julien wrote:
Can you add a unittest as well?
Yes
Btw, please set to resolved instead of closed. I'll close it when I apply it.
Yes. Missed that actually.
- File deleted (
0001-bug-405-fix-bug-where-raw-uri-inspection-sigs-were-n.patch)
Added another patch. Missed the function declaration from previous commit.
Why did you use SigInitReal over SigInit? Iirc it's only meant to be used in case of bi-directional sigs.
Victor Julien wrote:
Why did you use SigInitReal over SigInit? Iirc it's only meant to be used in case of bi-directional sigs.
We don't seem to be having any such restrictions. We are using SigInitReal() only atm. bi-directional or not, shouldn't make any difference. For uni-directional sigs SigInitReal() would behave as SigInit() anyways.
Okay. Opened #412 to unify the functions.
- Status changed from Assigned to Closed
Also available in: Atom
PDF