Bug #5541
closedUnexpected behavior of `endswith` in combination with negated content matches
Description
Please consider the following rule and attached pcaps.
The intention of the rule is to alert when the http.host buffer does not end with .google.com
alert http $HOME_NET any -> any any (msg:"Test"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".exe"; endswith; http.host; content:!".google.com"; endswith; sid:1;)
However, in practice the endswith;
keyword (and the use of isdataat:!1,relative
) seems to have no effect on the leading negated content match and appears to be is applied to the entire buffer, thus resulting in a False Negative.
If the http host of www.google.com.example.com
is provided, the negation appears to take effect and no alert is triggered, despite the buffer not ending with .google.com
In the attached pcaps, I would expect the above signature to fire on host_negation_2.pcap but not host_negation_1.pcap. In practice, the alert does not fire on either of the attached pcaps and leads to a False Negative.
Files
Updated by Jeff Lucovsky almost 2 years ago
- Status changed from New to Assigned
- Assignee changed from OISF Dev to Jeff Lucovsky
Updated by Jeff Lucovsky over 1 year ago
- Status changed from Assigned to In Review
Updated by Jeff Lucovsky over 1 year ago
- Status changed from In Review to Closed
Updated by Victor Julien over 1 year ago
- Target version changed from TBD to 7.0.0-rc2
- Label Needs backport to 6.0 added
Updated by Jeff Lucovsky over 1 year ago
- Status changed from Closed to Resolved
Moving to resolved for ticket-bot action: create 6.0.x backport ticket.