Bug #4286: FN occurs when using negated isdataat with http_cookie keyword - Suricata - Open Information Security Foundation

Actions

Copy link

Bug #4286

open

FN occurs when using negated isdataat with http_cookie keyword

Added by Jason Taylor almost 4 years ago. Updated 5 months ago.

Status:

Feedback

Priority:

Normal

Assignee:

Community Ticket

Target version:

TBD

Affected Versions:

4.1.10

Effort:

Difficulty:

Label:

Needs Suricata-Verify test

Description

Given a sample of traffic such as:

GET /somestuff HTTP/1.1
Accept: */*
Cookie: id=234524dst35e
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0000; Windows NT 5.1; SV1)
Host: google.com

We would expect the following to work:

alert http $HOME_NET any -> $EXTERNAL_NET any (flow:established,to_server; content:"id="; depth:3; isdataat:!13,relative; http_cookie;)

However, the rule does not fire as expected in any of the 4.0.x, 4.1.x, 5.x versions I tested on.

If we switch the rule to use http.cookie, the rule works as expected.

Subtasks 1 (1 open — 0 closed)

Related issues 1 (1 open — 0 closed)

History
Notes
Property changes

Actions

Copy link

Also available in: Atom PDF

Project

General

Profile

Suricata

Custom queries

Bug #4286

FN occurs when using negated isdataat with http_cookie keyword

Updated by Philippe Antoine over 3 years ago

Updated by Victor Julien over 2 years ago

Updated by Juliana Fajardini Reichow over 2 years ago

Updated by Juliana Fajardini Reichow over 2 years ago

Updated by Juliana Fajardini Reichow over 2 years ago

Updated by Juliana Fajardini Reichow over 2 years ago

Updated by Victor Julien over 1 year ago

Updated by Philippe Antoine 5 months ago

Updated by Philippe Antoine 5 months ago