Project

General

Profile

Actions

Bug #4286

open

FN occurs when using negated isdataat with http_cookie keyword

Added by Jason Taylor almost 4 years ago. Updated 5 months ago.

Status:
Feedback
Priority:
Normal
Target version:
Affected Versions:
Effort:
Difficulty:
Label:
Needs Suricata-Verify test

Description

Given a sample of traffic such as:

GET /somestuff HTTP/1.1
Accept: */*
Cookie: id=234524dst35e
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0000; Windows NT 5.1; SV1)
Host: google.com

We would expect the following to work:

alert http $HOME_NET any -> $EXTERNAL_NET any (flow:established,to_server; content:"id="; depth:3; isdataat:!13,relative; http_cookie;)

However, the rule does not fire as expected in any of the 4.0.x, 4.1.x, 5.x versions I tested on.

If we switch the rule to use http.cookie, the rule works as expected.


Subtasks 1 (1 open0 closed)

Task #5483: SV tests to demonstrate false negative behavior for negated isdataat with http_cookie keyword (bug 4286)NewOISF DevActions

Related issues 1 (1 open0 closed)

Related to Suricata - Documentation #5484: userguide: explain content modifiers usage with regards to position usage in the ruleNewOISF DevActions
Actions #1

Updated by Philippe Antoine over 3 years ago

  • Is duplicate of Bug #2479: http_cookie negation fails if no cookie in traffic added
Actions #2

Updated by Victor Julien over 2 years ago

  • Is duplicate of deleted (Bug #2479: http_cookie negation fails if no cookie in traffic)
Actions #3

Updated by Juliana Fajardini Reichow over 2 years ago

  • Related to Task #5483: SV tests to demonstrate false negative behavior for negated isdataat with http_cookie keyword (bug 4286) added
Actions #4

Updated by Juliana Fajardini Reichow over 2 years ago

  • Related to deleted (Task #5483: SV tests to demonstrate false negative behavior for negated isdataat with http_cookie keyword (bug 4286))
Actions #5

Updated by Juliana Fajardini Reichow over 2 years ago

  • Subtask #5483 added
Actions #6

Updated by Juliana Fajardini Reichow over 2 years ago

  • Related to Documentation #5484: userguide: explain content modifiers usage with regards to position usage in the rule added
Actions #7

Updated by Victor Julien over 1 year ago

  • Label Needs Suricata-Verify test added
Actions #8

Updated by Philippe Antoine 5 months ago

  • Target version set to TBD

If we switch the rule to use http.cookie, the rule works as expected

So, I wonder if there is anything to do...

Actions #9

Updated by Philippe Antoine 5 months ago

  • Status changed from New to Feedback
  • Assignee set to Community Ticket
Actions

Also available in: Atom PDF