Project

General

Profile

Actions
Copy link

Task #5483

open

Bug #4286: FN occurs when using negated isdataat with http_cookie keyword

SV tests to demonstrate false negative behavior for negated isdataat with http_cookie keyword (bug 4286)

Added by Juliana Fajardini Reichow over 1 year ago. Updated over 1 year ago.

Status:
New
Priority:
Normal
Assignee:
OISF Dev
Target version:
QA
Effort:
Difficulty:
Label:

Description

A test like this can also work to exemplify usage for documentation purposes.

From the original bug report:

Given a sample of traffic such as:

GET /somestuff HTTP/1.1
Accept: */*
Cookie: id=234524dst35e
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0000; Windows NT 5.1; SV1)
Host: google.com

We would expect the following to work:

alert http $HOME_NET any -> $EXTERNAL_NET any (flow:established,to_server; content:"id="; depth:3; isdataat:!13,relative; http_cookie;)

However, the rule does not fire as expected in any of the 4.0.x, 4.1.x, 5.x versions tested.

The rule works as expected with http.cookie (so this may also be a documentation issue - on content modifier positions).

Related issues 1 (1 open0 closed)

Related to Suricata - Documentation #5484: userguide: explain content modifiers usage with regards to position usage in the ruleNewOISF DevActions
Actions
Copy link

Also available in: Atom PDF