Bug #5176: False positive when negated content is far ahead of matching content. - Suricata - Open Information Security Foundation

Actions

Copy link

Bug #5176

open

False positive when negated content is far ahead of matching content.

Added by Brandon Murphy about 2 years ago. Updated about 2 years ago.

Status:

New

Priority:

Normal

Assignee:

OISF Dev

Target version:

TBD

Affected Versions:

5.0.8, 6.0.4, git master

Effort:

Difficulty:

Label:

Description

In looking at alerts for a signature designed to detect powershell command line options returned by http servers, but not part of an HTML page, many false positives were discovered. I have been able to able to reliability reproduce the False Positive alert with the attached pcap gathered from any.run.

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"test with http buffers - SHOULD NOT ALERT"; flow:established,from_server; http.response_body; content:!"<html"; content:"-ExecutionPolicy"; nocase; sid:1;)

Files

f38cbd74-d97e-4b1a-94d9-527eb4a7ad3f.pcap (720 KB) f38cbd74-d97e-4b1a-94d9-527eb4a7ad3f.pcap

Brandon Murphy, 03/06/2022 03:07 AM

History
Notes

Actions

Copy link

Also available in: Atom PDF

Project

General

Profile

Suricata

Custom queries

Bug #5176

False positive when negated content is far ahead of matching content.

Updated by Jeff Lucovsky about 2 years ago

Updated by Victor Julien about 2 years ago