Bug #508

closed

Suricata FN on http_header or http_user_agent

Added by rmkml rmkml over 12 years ago. Updated over 12 years ago.

Status: Closed
Priority: Normal

Description

Hi,

OK, start a wget HTTP request:
wget --user-agent="Mozilla\";" http://x.y.com
(the result is User-Agent: Mozilla"; )
Attached a pcap file.

1) OK, create a very simple sig; Suricata fires:
... flow:to_server,established; content:"\"\;"; ...

2) Another sig, but Suricata does not fire. Why?
... flow:to_server,established; content:"\"\;"; http_header; ...

3) Another sig, but Suricata does not fire. Why?
... flow:to_server,established; content:"\"\;"; http_user_agent; ...

Same problem when replacing " with |22|
or ; with |3b|.

Of course Snort fires every time.
Regards
Rmkml
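An added example, not code from the reporter or from the Suricata project: a small Python model of the three checks in the report. It decodes the rule's content: argument (backslash escapes and |hex| sequences) into bytes and looks for them in a constructed copy of the wget request, in a simplified http_header buffer and in the User-Agent value alone. The buffer functions are assumptions for illustration, not Suricata's own normalization; they show that the escaped pattern itself is present in all three buffers.

```python
# Constructed request equivalent to the report's wget command:
#   wget --user-agent="Mozilla\";" http://x.y.com
# which sends the header  User-Agent: Mozilla";
RAW_REQUEST = (
    b"GET / HTTP/1.1\r\n"
    b"User-Agent: Mozilla\";\r\n"
    b"Accept: */*\r\n"
    b"Host: x.y.com\r\n"
    b"Connection: Keep-Alive\r\n"
    b"\r\n"
)


def decode_content(pattern: str) -> bytes:
    # Turn the text of a content: argument into the bytes it matches.
    # Backslash escapes a literal character (\" \; \: \\); |22 3b| is hex.
    out = bytearray()
    i = 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\":
            out.append(ord(pattern[i + 1]))  # escaped literal
            i += 2
        elif ch == "|":
            end = pattern.index("|", i + 1)  # closing pipe of the hex run
            out.extend(bytes.fromhex(pattern[i + 1:end]))
            i = end + 1
        else:
            out.append(ord(ch))
            i += 1
    return bytes(out)


def http_header_buffer(raw: bytes) -> bytes:
    # Assumed model: all header lines after the request line, up to the blank line.
    head, _, _ = raw.partition(b"\r\n\r\n")
    return head.split(b"\r\n", 1)[1] + b"\r\n"


def http_user_agent_buffer(raw: bytes) -> bytes:
    # Assumed model: only the value of the User-Agent header, whitespace stripped.
    for line in http_header_buffer(raw).split(b"\r\n"):
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"user-agent":
            return value.strip()
    return b""


def matches(pattern: str, buffer: bytes) -> bool:
    # True when the decoded content bytes occur anywhere in the buffer.
    return decode_content(pattern) in buffer
```

Running matches('\\"\\;', ...) against RAW_REQUEST, http_header_buffer(RAW_REQUEST) and http_user_agent_buffer(RAW_REQUEST) returns True in all three cases, as does the |22| / |3b| spelling of the same pattern.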
