Project

General

Profile

Actions

Bug #508

closed

Suricata FN on http_header or http_user_agent

Added by rmkml rmkml over 11 years ago. Updated over 11 years ago.

Status:
Closed
Priority:
Normal
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

Hi,

ok start a wget http request :
wget --user-agent="Mozilla\";" http://x.y.com
(results are User-Agent: Mozilla"; )
Joigned a pcap file.

1) ok create a very simple sig, Suricata fire:
... flow:to_server,established; content:"\"\;"; ...

2) another sig but Suricata not fire, why?
... flow:to_server,established; content:"\"\;"; http_header; ...

3) another sig but Suricata not fire, why?
... flow:to_server,established; content:"\"\;"; http_user_agent; ...

Same pb when replace " to |22|
or ; to |3b|.

Of course Snort fire every times.
Regards
Rmkml


Files

Actions

Also available in: Atom PDF