Bug #464

closed

Suricata http request double encoded null byte FN

Added by rmkml over 12 years ago. Updated over 12 years ago.

Status: Closed
Priority: Normal

Description

Hi,
ok, I'm continuing my Suricata testing, tested with this cmd:
wget "http://192.168.1.1/a%2500b.c"
next, use only two Suricata signatures:
fires:
alert tcp any any -> any 80 (msg:"null byte http encoded 1"; flow:to_server,established; content:"%2500"; classtype:attempted-recon; sid:21; rev:1;)
does not fire:
alert tcp any any -> any 80 (msg:"null byte http encoded 2"; flow:to_server,established; content:"|00|"; http_uri; classtype:attempted-recon; sid:22; rev:1;)
Suricata does not fire when detecting a double encoded null byte with http_uri; of course Snort always fires.
Tested on Suricata git at 16 May 2012. Same results with v1.2.1.
Regards
Rmkml
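As an added illustration of the mismatch this report describes (not code from the report, the pcap, or Suricata itself), the sketch below decodes the request URI one level at a time and replays the two signatures against the buffer each one inspects. The assumption that http_uri sees exactly one decoding pass is a simplified model of the reported behaviour, not a description of libhtp internals.

```python
from urllib.parse import unquote

# Constructed sample request path, mirroring the wget URL in the report.
RAW_URI = "/a%2500b.c"


def decode_levels(raw_uri: str, max_depth: int = 4) -> list:
    """Return the URI as seen at each decoding depth.

    Index 0 is the raw wire form; each following entry is one more pass of
    percent-decoding. Stops once a pass changes nothing.
    """
    levels = [raw_uri]
    for _ in range(max_depth):
        nxt = unquote(levels[-1])
        if nxt == levels[-1]:
            break
        levels.append(nxt)
    return levels


def null_byte_depth(raw_uri: str):
    """Decoding depth at which a NUL byte first appears.

    0 = literal NUL on the wire, 1 = single-encoded (%00),
    2 = double-encoded (%2500), None = no NUL at any depth.
    A defender can log this depth to spot encoding tricks that a
    single normalization pass would leave as the literal text "%00".
    """
    for depth, buf in enumerate(decode_levels(raw_uri)):
        if "\x00" in buf:
            return depth
    return None


def rule_hits(raw_uri: str) -> dict:
    """Replay the two signatures from the report.

    sid 21 has no http_uri modifier, so it inspects the raw payload for
    the literal string "%2500". sid 22 uses http_uri, modelled here as the
    URI after exactly one decoding pass (assumption), and looks for |00|.
    """
    levels = decode_levels(raw_uri)
    normalized = levels[1] if len(levels) > 1 else levels[0]
    return {21: "%2500" in raw_uri, 22: "\x00" in normalized}


if __name__ == "__main__":
    print(decode_levels(RAW_URI), null_byte_depth(RAW_URI), rule_hits(RAW_URI))
```

Running it shows sid 21 firing and sid 22 silent for the double-encoded path, while a single-encoded `/a%00b.c` gives the opposite result, which is exactly the gap the report points at.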


Files

httpnullbytedoubleencoded.pcap (1.23 KB), added by rmkml, 05/19/2012 04:02 PM