Bug #90

http_method content modifier is broken

Added by Will Metcalf about 6 years ago. Updated almost 6 years ago.

Status: Closed
Priority: Normal
Assignee:
Target version:
Start date: 02/12/2010
Due date: 02/13/2010
% Done: 0%


Description

Processing the attached pcap, the following signature should not fire at all, yet I get around 280 alerts, although this number varies.

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"http_method is broken"; flow:to_server; content:"GET"; http_method; uricontent:"/some/content"; nocase; sid:2; rev:2;)

sudo src/suricata -c suricata.yaml -r ../fpsid15481.pcap -l ./ -s blah.rules
....
[11866] 12/2/2010 -- 08:59:36 - (alert-fastlog.c:207) <Info> (AlertFastLogExitPrintStats) -- (Outputs) Alerts 274
[11866] 12/2/2010 -- 08:59:36 - (log-httplog.c:225) <Info> (LogHttpLogExitPrintStats) -- (Outputs) HTTP requests 1
[11866] 12/2/2010 -- 08:59:36 - (alert-debuglog.c:235) <Info> (AlertDebugLogExitPrintStats) -- (Outputs) Alerts 274

fpsid15481.pcap - fp's using http_method modifier (473 KB) Will Metcalf, 02/12/2010 08:37 AM

History

#1 Updated by Brian Rectanus about 6 years ago

  • Assignee changed from OISF Dev to Brian Rectanus

I'll look into it.

#2 Updated by Brian Rectanus almost 6 years ago

Looks like the same issue affects http_cookie.

#3 Updated by Victor Julien almost 6 years ago

  • Assignee changed from Brian Rectanus to Victor Julien

I think it's related to the SigMatchReplace code somehow. I'll work on this today.

#4 Updated by Victor Julien almost 6 years ago

  • Status changed from New to Closed

Will be fixed in new master.
