Bug #464
closed
Suricata http request double encoded null byte FN
Description
Hi,
OK, I'm continuing my Suricata testing; tested with this command:
wget "http://192.168.1.1/a%2500b.c"
Next, using only two Suricata signatures:
Fires:
alert tcp any any -> any 80 (msg:"null byte http encoded 1"; flow:to_server,established; content:"%2500"; classtype:attempted-recon; sid:21; rev:1;)
Does not fire:
alert tcp any any -> any 80 (msg:"null byte http encoded 2"; flow:to_server,established; content:"|00|"; http_uri; classtype:attempted-recon; sid:22; rev:1;)
Suricata does not fire when detecting a double-encoded null byte with http_uri; of course, Snort always fires.
Tested on Suricata git as of 16 May 2012; same results with v1.2.1.
Regards
Rmkml
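
Added example (not part of the original report, and not Suricata or Snort code): a Python model of how the number of percent-decoding passes applied during URI normalization decides whether a `|00|` match on the normalized URI sees the null byte in `/a%2500b.c`. The function names and the `passes` parameter are assumptions for illustration; the URI and the two sids come from the report.

```python
import re

_PCT = re.compile(rb"%([0-9A-Fa-f]{2})")

def percent_decode(data: bytes) -> bytes:
    """One pass of percent-decoding; malformed escapes are left untouched."""
    return _PCT.sub(lambda m: bytes([int(m.group(1), 16)]), data)

def normalize_uri(raw_uri: bytes, passes: int) -> bytes:
    """Apply `passes` decoding passes, as a normalizer of that depth would."""
    for _ in range(passes):
        raw_uri = percent_decode(raw_uri)
    return raw_uri

def decode_depth(raw_uri: bytes, limit: int = 5) -> int:
    """Number of passes until the URI stops changing (capped at `limit`)."""
    depth = 0
    while depth < limit:
        decoded = percent_decode(raw_uri)
        if decoded == raw_uri:
            break
        raw_uri, depth = decoded, depth + 1
    return depth

def evaluate(raw_uri: bytes, passes: int) -> dict:
    """Model both rules: sid 21 on raw bytes, sid 22 on the normalized URI."""
    uri = normalize_uri(raw_uri, passes)
    return {
        "sid21_raw_%2500": b"%2500" in raw_uri,   # content:"%2500";
        "sid22_uri_|00|": b"\x00" in uri,         # content:"|00|"; http_uri;
        "normalized": uri,
        "layers": decode_depth(raw_uri),
    }

REQUEST_URI = b"/a%2500b.c"  # URI from the report's wget command

if __name__ == "__main__":
    for passes in (1, 2):
        print(passes, evaluate(REQUEST_URI, passes))
```

With one pass the normalized URI still contains the literal text `%00`, so the sid 22 model does not match; with two passes it contains the byte 0x00 and does. `decode_depth` returning more than 1 is a normalizer-independent way to flag multiply-encoded URIs.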