Bug #4210 (closed)
Alert not generated with 2 rules - http.request_body (alone) and http.request_body/url_decode
Description
From https://forum.suricata.io/t/transformation-keyword-cant-trigger-an-alert/881/3
Use the attached pcap
These 2 rules generate 2 alerts:
alert http any any -> $HOME_NET any (msg:"detect (/etc/passwd)"; flow:to_server,established; http.request_body; url_decode; content:"/etc/passwd"; nocase; sid:1001;)
alert http any any -> $HOME_NET any (msg:"detect (/etc/passwd)"; flow:to_server,established; http.request_body; url_decode; content:"/etc/passwd"; nocase; sid:1002;)
These 2 rules generate 0 alerts:
alert http any any -> $HOME_NET any (msg:"detect (/etc/passwd)"; flow:to_server,established; http.request_body; content:"/etc/passwd"; nocase; sid:1001;)
alert http any any -> $HOME_NET any (msg:"detect (/etc/passwd)"; flow:to_server,established; http.request_body; url_decode; content:"/etc/passwd"; nocase; sid:1002;)
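A small offline reproduction harness for this report (added here, not part of the bug report or the Suricata project): it writes both rule sets from the description to files, runs Suricata against the attached pcap with each set in turn, and counts the fast.log hits per sid, so an affected build shows 2/2 for the first set and 0/0 for the second. It assumes a `suricata` binary on PATH and takes the pcap path as its only argument (the pcap itself is not on this page).

```shell
#!/bin/sh
# Reproduction harness for Suricata bug #4210 (added example; assumes
# `suricata` on PATH). Usage: sh repro.sh /path/to/attached.pcap
set -eu

# Write one of the two rule sets from the report.
# $1 = output file, $2 = "both_transform" or "mixed"
write_rules() {
  if [ "$2" = "both_transform" ]; then
    cat >"$1" <<'EOF'
alert http any any -> $HOME_NET any (msg:"detect (/etc/passwd)"; flow:to_server,established; http.request_body; url_decode; content:"/etc/passwd"; nocase; sid:1001;)
alert http any any -> $HOME_NET any (msg:"detect (/etc/passwd)"; flow:to_server,established; http.request_body; url_decode; content:"/etc/passwd"; nocase; sid:1002;)
EOF
  else
    cat >"$1" <<'EOF'
alert http any any -> $HOME_NET any (msg:"detect (/etc/passwd)"; flow:to_server,established; http.request_body; content:"/etc/passwd"; nocase; sid:1001;)
alert http any any -> $HOME_NET any (msg:"detect (/etc/passwd)"; flow:to_server,established; http.request_body; url_decode; content:"/etc/passwd"; nocase; sid:1002;)
EOF
  fi
}

# Count fast.log lines for one sid. A fast.log line carries "[gid:sid:rev]",
# e.g. "[1:1001:0]", so matching "[1:SID:" is exact for that sid.
# $1 = fast.log path, $2 = sid
count_sid() {
  grep -c "\[1:$2:" "$1" || true
}

# Run Suricata offline on the pcap with exactly one rule file (-S) and
# print the resulting fast.log path. $1 = pcap, $2 = rules, $3 = log dir
run_suricata() {
  mkdir -p "$3"
  suricata -k none -r "$1" -S "$2" -l "$3" >/dev/null 2>&1
  echo "$3/fast.log"
}

main() {
  pcap="$1"
  tmp=$(mktemp -d)
  for set in both_transform mixed; do
    write_rules "$tmp/$set.rules" "$set"
    log=$(run_suricata "$pcap" "$tmp/$set.rules" "$tmp/$set")
    echo "$set: sid 1001 -> $(count_sid "$log" 1001), sid 1002 -> $(count_sid "$log" 1002)"
  done
}

# Only run when a pcap path is given, so the functions can be sourced on their own.
if [ "$#" -ge 1 ]; then
  main "$@"
fi
```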
Updated by Victor Julien over 5 years ago
- Priority changed from Normal to High
Updated by Victor Julien over 5 years ago
Is this a duplicate of #4199?
Updated by Jeff Lucovsky over 5 years ago
- Status changed from Assigned to Closed
Dup of 4199
Updated by Victor Julien over 5 years ago
- Is duplicate of Bug #4199: Transformation keyword can’t trigger an alert added
Updated by Jeff Lucovsky about 5 years ago
- Label deleted (Needs backport to 6.0)