
Bug #4210

closed

Alert not generated with 2 rules - http.request body (alone) and http.request_body/url_decode

Added by Jeff Lucovsky over 3 years ago. Updated about 3 years ago.

Status: Closed
Priority: High

Description

From https://forum.suricata.io/t/transformation-keyword-cant-trigger-an-alert/881/3

Use the attached pcap.

These 2 rules generate 2 alerts:

alert http any any -> $HOME_NET any (msg: "detect (/etc/passwd)"; flow:to_server,established; http.request_body; url_decode; content:"/etc/passwd"; nocase; sid:1001;)
alert http any any -> $HOME_NET any (msg: "detect (/etc/passwd)"; flow:to_server,established; http.request_body; url_decode; content:"/etc/passwd"; nocase; sid:1002;)

These 2 rules generate 0 alerts:

alert http any any -> $HOME_NET any (msg: "detect (/etc/passwd)"; flow:to_server,established; http.request_body; content:"/etc/passwd"; nocase; sid:1001;)
alert http any any -> $HOME_NET any (msg:"detect (/etc/passwd)"; flow:to_server,established; http.request_body; url_decode; content:"/etc/passwd"; nocase; sid:1002;)
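The expected behaviour of the two rule sets, as an added example that is not part of the report or of Suricata: it models what `http.request_body` should match with and without `url_decode` on a constructed body, and compares the sids found in a fast.log against that expectation, so a missing alert (as in the mixed rule set above) is flagged. The rule tuples, request bodies and fast.log lines are constructed, and `url_decode` is an approximation of the transform.

```python
import re
from urllib.parse import unquote_to_bytes

# (sid, url_decode applied?, content): mirrors sids 1001/1002 from the report.
RULES = [(1001, False, b"/etc/passwd"), (1002, True, b"/etc/passwd")]

# Constructed request bodies: the path literal, and percent-encoded.
LITERAL_BODY = b"file=/etc/passwd&mode=read"
ENCODED_BODY = b"file=..%2F..%2Fetc%2Fpasswd&mode=read"

def url_decode(buf: bytes) -> bytes:
    """Approximation of the url_decode transform: '+' -> space, %HH -> byte."""
    return unquote_to_bytes(buf.replace(b"+", b" "))

def expected_sids(body: bytes, rules=RULES) -> set:
    """Sids that should fire on this request body (content matching is nocase)."""
    hits = set()
    for sid, decode, content in rules:
        buf = url_decode(body) if decode else body
        if content.lower() in buf.lower():
            hits.add(sid)
    return hits

# fast.log alert lines carry "[**] [gid:sid:rev] msg [**]"; pull out the sid.
SID_RE = re.compile(r"\[\*\*\] \[\d+:(\d+):\d+\]")

def observed_sids(fast_log: str) -> set:
    """Sids present in fast.log text (empty when nothing alerted)."""
    return {int(m.group(1)) for m in SID_RE.finditer(fast_log)}

def missing_sids(body: bytes, fast_log: str) -> set:
    """Sids that should have alerted on this body but are absent from the log."""
    return expected_sids(body) - observed_sids(fast_log)

# Constructed fast.log output: the working rule set (both sids fired) and the
# bug case from the report (no alert at all).
GOOD_LOG = (
    "12/08/2020-14:33:10.000001  [**] [1:1001:0] detect (/etc/passwd) [**] "
    "[Classification: (null)] [Priority: 3] {TCP} 192.0.2.10:40000 -> 192.0.2.20:80\n"
    "12/08/2020-14:33:10.000001  [**] [1:1002:0] detect (/etc/passwd) [**] "
    "[Classification: (null)] [Priority: 3] {TCP} 192.0.2.10:40000 -> 192.0.2.20:80\n"
)
BUGGY_LOG = ""

if __name__ == "__main__":
    print("missing in the bug case:", sorted(missing_sids(LITERAL_BODY, BUGGY_LOG)))
```

Run against a real fast.log produced from the attached pcap to check whether both sids are present; an empty result means the ruleset behaves as expected.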


Files

http-forum.pcap (2.03 KB), Jeff Lucovsky, 12/08/2020 02:33 PM

Related issues: 1 (0 open, 1 closed)

Is duplicate of Suricata - Bug #4199: Transformation keyword can't trigger an alert (Closed, Victor Julien)