Bug #5541
closedUnexpected behavior of `endswith` in combination with negated content matches
Description
Please consider the following rule and attached pcaps.
The intention of the rule is to alert when the http.host buffer does not end with .google.com
alert http $HOME_NET any -> any any (msg:"Test"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".exe"; endswith; http.host; content:!".google.com"; endswith; sid:1;)
However, in practice the endswith; keyword (and the use of isdataat:!1,relative) seems to have no effect on the leading negated content match and appears to be is applied to the entire buffer, thus resulting in a False Negative.
If the http host of www.google.com.example.com is provided, the negation appears to take effect and no alert is triggered, despite the buffer not ending with .google.com
In the attached pcaps, I would expect the above signature to fire on host_negation_2.pcap but not host_negation_1.pcap. In practice, the alert does not fire on either of the attached pcaps and leads to a False Negative.
Files
BM Updated by Brandon Murphy over 3 years ago
- Description updated (diff)
JL Updated by Jeff Lucovsky about 3 years ago
- Status changed from New to Assigned
- Assignee changed from OISF Dev to Jeff Lucovsky
JL Updated by Jeff Lucovsky about 3 years ago
- Status changed from Assigned to In Review
JL Updated by Jeff Lucovsky almost 3 years ago
- Status changed from In Review to Closed
VJ Updated by Victor Julien almost 3 years ago
- Target version changed from TBD to 7.0.0-rc2
- Label Needs backport to 6.0 added
JL Updated by Jeff Lucovsky almost 3 years ago
- Status changed from Closed to Resolved
Moving to resolved for ticket-bot action: create 6.0.x backport ticket.
OT Updated by OISF Ticketbot almost 3 years ago
- Subtask #6007 added
OT Updated by OISF Ticketbot almost 3 years ago
- Label deleted (
Needs backport to 6.0)
VJ Updated by Victor Julien almost 3 years ago
- Status changed from Resolved to Closed