Project

General

Profile

Actions

Feature #7322

open

ability to negate the existence of fields via buffer negation

Added by James Emery-Callcott about 1 month ago. Updated about 1 month ago.

Status:
New
Priority:
Normal
Assignee:
Target version:
Effort:
Difficulty:
Label:

Description

While writing hunting signatures today, we noticed that it is not possible to negate the existence of a buffer which we think would be valuable in several signature ideas.

For example - if we want to write a signature that looks for a HTTP POST request that contains a Content-Length header with a valid value but the traffic indicates that nothing is sent, http.request_body; is empty but there is no way to negate that or detect that the buffer is not present. We tried using isdataat, bsize:0;, and pcre:"/^$/"; which all fail (presumably because there is just no buffer there in the first place).


Related issues 1 (1 open0 closed)

Is duplicate of Suricata - Bug #2224: Negated http_* match returns false if buffer not populatedIn ReviewPhilippe AntoineActions
Actions #1

Updated by Victor Julien about 1 month ago

I think this is a duplicate of #2224, which is in development currently. You can perhaps test and give feedback on https://github.com/OISF/suricata/pull/11906

Actions #2

Updated by Victor Julien about 1 month ago

  • Is duplicate of Bug #2224: Negated http_* match returns false if buffer not populated added
Actions

Also available in: Atom PDF