Task #5483
Bug #4286 (open): detect: FN due to setup failure with http_cookie after isdataat
SV tests to demonstrate false negative behavior for negated isdataat with http_cookie keyword (bug 4286)
Description
A test like this can also work to exemplify usage for documentation purposes.
From the original bug report:
Given a sample of traffic such as:

    GET /somestuff HTTP/1.1
    Accept: */*
    Cookie: id=234524dst35e
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0000; Windows NT 5.1; SV1)
    Host: google.com

We would expect the following to work:

    alert http $HOME_NET any -> $EXTERNAL_NET any (flow:established,to_server; content:"id="; depth:3; isdataat:!13,relative; http_cookie;)

However, the rule does not fire as expected in any of the 4.0.x, 4.1.x, 5.x versions tested.
The rule works as expected with http.cookie (so this may also be a documentation issue - on content modifier positions).
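
The two rule forms contrasted in the description, written out side by side as a rules file. This is an added example, not part of the ticket or of the suricata-verify repository; the msg strings and the sid/rev values are constructed.

```suricata
# Constructed rules file for the case in this ticket. The msg strings and sid
# values are made up; the match logic is the rule from the bug report.
#
# Sample request cookie value: id=234524dst35e
#   content:"id="; depth:3;   -> "id=" must sit in the first 3 bytes of the cookie
#   isdataat:!13,relative;    -> no data 13 bytes past the end of that match
#                                (only 12 bytes, "234524dst35e", follow "id=")
# Both rules describe the same match, so each should alert once on the request.

# Form from the bug report: http_cookie is a content modifier and is the last
# keyword, after isdataat. Reported as not firing on 4.0.x, 4.1.x and 5.x.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"bug 4286 http_cookie modifier after isdataat"; flow:established,to_server; content:"id="; depth:3; isdataat:!13,relative; http_cookie; sid:1; rev:1;)

# Sticky-buffer form: http.cookie comes first, and the content, depth and
# isdataat keywords that follow are evaluated against the cookie buffer.
# The description reports that the rule works as expected with http.cookie.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"bug 4286 http.cookie sticky buffer"; flow:established,to_server; http.cookie; content:"id="; depth:3; isdataat:!13,relative; sid:2; rev:1;)
```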
Updated by Juliana Fajardini Reichow over 3 years ago
- Related to Bug #4286: detect: FN due to setup failure with http_cookie after isdataat added
Updated by Juliana Fajardini Reichow over 3 years ago
- Related to deleted (Bug #4286: detect: FN due to setup failure with http_cookie after isdataat)
Updated by Juliana Fajardini Reichow over 3 years ago
- Related to Documentation #5484: userguide: explain content modifiers usage with regards to position usage in the rule added
Updated by Juliana Fajardini Reichow almost 3 years ago
- Subject changed from create SV tests to demonstrate false negative behavior for negated isdataat with http_cookie keyword (bug 4286) to SV tests to demonstrate false negative behavior for negated isdataat with http_cookie keyword (bug 4286)
Updated by Victor Julien 4 days ago
- Status changed from New to In Review
- Assignee changed from OISF Dev to Victor Julien