Project

General

Profile

Bug #452

FN on http POST query suricata v1.2.1?

Added by rmkml rmkml over 6 years ago. Updated over 6 years ago.

Status:
Closed
Priority:
Normal
Target version:
Affected Versions:
Effort:
Difficulty:

Description

Hi,

Im restart my Suricata (v1.2.1 and 1.3git) testing and Im found strange results with these sigs not fire:

alert tcp any any -> any 80 (msg:"FN suricata"; flow:to_server,established; isdataat:1; classtype:web-application-activity; sid:90011667; rev:1;)

alert tcp any any -> any 80 (msg:"FN suricata"; flow:to_server,established; pcre:"/^[^\n]{5}/P"; classtype:web-application-activity; sid:90011668; rev:1;)

alert tcp any any -> any 80 (msg:"FN suricata"; flow:to_server,established; content:"galid"; nocase; http_client_body; classtype:web-application-activity; sid:90011669; rev:1;)

Tested with these two http commands:
wget http://192.168.1.1/abcd.php --post-data="galid=abcdzad&dzadzza=dzadzdza"
curl http://192.168.1.1/abcd.php --data "galid=abcdzad&dzadzza=dzadzdza"

Joigned my two pcap for replaying.
No suricata error.
Disabled cksum validation.

Im sure Im totaly wrong but if someone check/confirm please ?
Of course, snort always fire.
Regards
Rmkml

History

#1 Updated by Anoop Saldanha over 6 years ago

  • Assignee set to Anoop Saldanha

#2 Updated by Anoop Saldanha over 6 years ago

patches attached. Fixes the fn for the first rule. The other 2 rules aren't related to the bug from the first one.

#3 Updated by Anoop Saldanha over 6 years ago

patch attached that fixes the client/server body rules FN.

All 3 rules should alert now.

#4 Updated by Anoop Saldanha over 6 years ago

  • Status changed from New to Resolved

#5 Updated by Victor Julien over 6 years ago

Patches 1 and 2 remove a NULL pointer check AFAICS, is that safe?

Applied 3.

#6 Updated by Anoop Saldanha over 6 years ago

yeah, that's safe. We fix a bug actually. We would have been FN'ing previously

#7 Updated by Victor Julien over 6 years ago

  • Status changed from Resolved to Closed
  • Target version set to 1.3beta1
  • % Done changed from 0 to 100

Cool. Applied 1 and 2 as well. Thanks.

#8 Updated by Victor Julien over 6 years ago

  • Target version changed from 1.3beta1 to 1.3beta2

Also available in: Atom PDF