Bug #4286 (open)
detect: FN due to setup failure with http_cookie after isdataat
Label: Needs Suricata-Verify test
Description
Given a sample of traffic such as:
GET /somestuff HTTP/1.1
Accept: */*
Cookie: id=234524dst35e
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0000; Windows NT 5.1; SV1)
Host: google.com
We would expect the following to work:
alert http $HOME_NET any -> $EXTERNAL_NET any (flow:established,to_server; content:"id="; depth:3; isdataat:!13,relative; http_cookie;)
However, the rule does not fire as expected in any of the 4.0.x, 4.1.x, 5.x versions I tested on.
If we switch the rule to use http.cookie, the rule works as expected.
Updated by Philippe Antoine almost 5 years ago
- Is duplicate of Bug #2479: http_cookie negation fails if no cookie in traffic added
Updated by Victor Julien over 3 years ago
- Is duplicate of deleted (Bug #2479: http_cookie negation fails if no cookie in traffic)
Updated by Juliana Fajardini Reichow over 3 years ago
- Related to Task #5483: SV tests to demonstrate false negative behavior for negated isdataat with http_cookie keyword (bug 4286) added
Updated by Juliana Fajardini Reichow over 3 years ago
- Related to deleted (Task #5483: SV tests to demonstrate false negative behavior for negated isdataat with http_cookie keyword (bug 4286))
Updated by Juliana Fajardini Reichow over 3 years ago
- Related to Documentation #5484: userguide: explain content modifiers usage with regards to position usage in the rule added
Updated by Victor Julien over 2 years ago
- Label Needs Suricata-Verify test added
Updated by Philippe Antoine over 1 year ago
- Target version set to TBD
If we switch the rule to use http.cookie, the rule works as expected
So, I wonder if there is anything to do...
Updated by Philippe Antoine over 1 year ago
- Status changed from New to Feedback
- Assignee set to Community Ticket
Updated by Philippe Antoine 11 months ago
@Jason Taylor could we close this ticket?
Updated by Victor Julien 10 days ago · Edited
These 2 work:
http.cookie; content:"id="; depth:3; isdataat:!13,relative; sid:1;
content:"id="; depth:3; http_cookie; isdataat:!13,relative; sid:2;
Sid 1 with http.cookie works because it is a sticky buffer. Sid 2 with http_cookie after the content works because it converts the content to the http_cookie buffer before the relative isdataat is set up and thus also added to http_cookie buffer.
This one does not:
content:"id="; depth:3; isdataat:!13,relative; http_cookie; sid:3;
Sid 3 fails because content and isdataat are initially set up for raw content / stream. The http_cookie modifier then moves only the content over to the http_cookie list, but not the isdataat.
This is related to #1926.
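To make the difference between the three rule forms concrete, here is an added toy model of the keyword placement that the comment above (and the original description's expectation) describe. It is not Suricata's parser or detection engine; it only mimics the setup order stated in the ticket: a sticky buffer (http.cookie) redirects every later keyword, a relative keyword attaches to the buffer of the preceding content, and the legacy http_cookie modifier moves only that content. The request bytes are the ticket's sample, re-typed; the buffer names, the dict layout and the "relative check with nothing to anchor on fails" rule are the model's own assumptions.

```python
"""Toy model of how rule keywords land in inspection buffers.

Added illustration, not Suricata's code: it mimics the setup order described
in the ticket so the behaviour of sid 1, 2 and 3 can be compared on the
sample request from the description.
"""
import re

# Constructed sample request, re-typed from the ticket description.
REQUEST = (
    b"GET /somestuff HTTP/1.1\r\n"
    b"Accept: */*\r\n"
    b"Cookie: id=234524dst35e\r\n"
    b"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0000; Windows NT 5.1; SV1)\r\n"
    b"Host: google.com\r\n"
    b"\r\n"
)

# The three option strings discussed in the ticket (sid 1 and 2 work, sid 3 does not).
RULES = {
    1: 'http.cookie; content:"id="; depth:3; isdataat:!13,relative; sid:1;',
    2: 'content:"id="; depth:3; http_cookie; isdataat:!13,relative; sid:2;',
    3: 'content:"id="; depth:3; isdataat:!13,relative; http_cookie; sid:3;',
}


def buffers_from_request(req: bytes) -> dict:
    """Build the two buffers this model knows: raw payload and the Cookie value."""
    m = re.search(rb"\r\nCookie: ([^\r\n]*)", req)
    return {"payload": req, "http_cookie": m.group(1) if m else b""}


def parse_rule(options: str) -> dict:
    """Assign each keyword to a buffer list in the order it is parsed.

    Model assumptions (not Suricata's actual data structures):
    - http.cookie (sticky buffer) redirects every following keyword;
    - a relative keyword attaches to the buffer of the previous content;
    - the http_cookie modifier moves only the previous content, so an
      isdataat already placed on the payload list stays there (sid 3).
    """
    lists = {"payload": [], "http_cookie": []}
    current = "payload"
    last_content = None
    for opt in (o.strip() for o in options.split(";")):
        if not opt:
            continue
        name, _, arg = opt.partition(":")
        if name == "http.cookie":
            current = "http_cookie"
        elif name == "content":
            last_content = {"kw": "content", "value": arg.strip('"').encode(),
                            "depth": None, "buffer": current}
            lists[current].append(last_content)
        elif name == "depth":
            last_content["depth"] = int(arg)
        elif name == "isdataat":
            relative = "relative" in arg
            target = last_content["buffer"] if relative and last_content else current
            lists[target].append({"kw": "isdataat", "neg": arg.startswith("!"),
                                  "n": int(arg.lstrip("!").split(",")[0]),
                                  "relative": relative})
        elif name == "http_cookie":
            lists[last_content["buffer"]].remove(last_content)
            last_content["buffer"] = "http_cookie"
            lists["http_cookie"].append(last_content)
        # flow, sid and other keywords do not affect buffer placement in this model
    return lists


def evaluate(lists: dict, buffers: dict) -> bool:
    """Run every buffer's keyword chain; all chains must match for an alert."""
    for name, chain in lists.items():
        data = buffers[name]
        cursor = None  # end offset of the last content match in this buffer
        for kw in chain:
            if kw["kw"] == "content":
                limit = kw["depth"] if kw["depth"] is not None else len(data)
                idx = data[:limit].find(kw["value"])
                if idx < 0:
                    return False
                cursor = idx + len(kw["value"])
            else:  # isdataat: are at least n bytes available (from cursor if relative)?
                if kw["relative"] and cursor is None:
                    return False  # model choice: relative check with no anchor fails
                available = len(data) - cursor if kw["relative"] else len(data)
                if (available >= kw["n"]) == kw["neg"]:
                    return False
    return True


def rule_alerts(sid: int, req: bytes = REQUEST) -> bool:
    """True when the rule with this sid would alert on the request in the model."""
    return evaluate(parse_rule(RULES[sid]), buffers_from_request(req))


if __name__ == "__main__":
    for sid in RULES:
        print(sid, parse_rule(RULES[sid]), rule_alerts(sid))
```

Running it shows sid 1 and 2 with both content and isdataat on the http_cookie list and an alert, while sid 3 ends up with the content on http_cookie and the isdataat stranded on the payload list, so it never fires. Lengthening the cookie value to 13 or more bytes after "id=" makes sid 1 stop alerting, which is the negated isdataat doing its job on the correct buffer.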
Updated by Victor Julien 10 days ago
- Subject changed from FN occurs when using negated isdataat with http_cookie keyword to detect: FN due to setup failure with http_cookie after isdataat
Updated by Victor Julien 10 days ago
- Related to Bug #1926: rule parsing: wrong content checked for fast_pattern (snort compatibility) added