Bug #90

http_method content modifer is broken

Added by Will Metcalf about 4 years ago. Updated about 4 years ago.

Status: Closed
Start date: 02/12/2010
Priority: Normal
Due date: 02/13/2010
Assignee: Victor Julien
% Done: 0%
Category: -
Estimated time: 2.50 hours
Target version: 0.8.1

Description

Processing the attached pcap, the following signature should not fire at all, yet I get around 280 alerts, although this number varies.

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"http_method is broken"; flow:to_server; content:"GET"; http_method; uricontent:"/some/content"; nocase; sid:2; rev:2;)

sudo src/suricata -c suricata.yaml -r ../fpsid15481.pcap -l ./ -s blah.rules
....
[11866] 12/2/2010 -- 08:59:36 - (alert-fastlog.c:207) <Info> (AlertFastLogExitPrintStats) -- (Outputs) Alerts 274
[11866] 12/2/2010 -- 08:59:36 - (log-httplog.c:225) <Info> (LogHttpLogExitPrintStats) -- (Outputs) HTTP requests 1
[11866] 12/2/2010 -- 08:59:36 - (alert-debuglog.c:235) <Info> (AlertDebugLogExitPrintStats) -- (Outputs) Alerts 274

fpsid15481.pcap - fp's using http_method modifier (473 KB) Will Metcalf, 02/12/2010 08:37 AM
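As an added sanity check that is not part of this report or of Suricata, the following Python reference matcher encodes what the rule above is meant to match (method buffer contains GET, URI buffer contains /some/content regardless of case, both on the same request) and compares an engine's reported alert count against it. The sample requests are constructed for illustration, not taken from the attached pcap.

```python
# Added example, not code from the bug report or from Suricata: a reference
# matcher for what the rule above is meant to match, used to sanity-check an
# engine's alert count against the traffic. Sample requests are constructed.
import re

# Request line: METHOD SP URI SP HTTP/x.y, i.e. the method and URI buffers
# that the http_method / uricontent modifiers restrict the match to.
REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) HTTP/\d\.\d\r?$")


def parse_request_line(payload: str):
    """Return (method, uri) for an HTTP request payload, else None."""
    first = payload.split("\n", 1)[0]
    m = REQUEST_LINE.match(first)
    return (m.group(1), m.group(2)) if m else None


def rule_matches(payload: str) -> bool:
    """content:"GET"; http_method;          -> method buffer contains GET
    uricontent:"/some/content"; nocase;  -> URI buffer, case-insensitive
    Both must hold for the same request; bytes outside those buffers
    (headers, body, non-HTTP traffic) must never satisfy them."""
    parsed = parse_request_line(payload)
    if parsed is None:
        return False  # no request line, so no method/URI buffer to match
    method, uri = parsed
    return "GET" in method and "/some/content" in uri.lower()


def expected_alerts(payloads) -> int:
    """Requests the rule should fire on, at most one alert per request."""
    return sum(1 for p in payloads if rule_matches(p))


def check_engine(reported_alerts: int, payloads) -> str:
    """Compare the alert count an engine reported with the reference count."""
    expected = expected_alerts(payloads)
    if reported_alerts == expected:
        return "ok"
    return f"mismatch: engine reported {reported_alerts}, expected {expected}"


# Constructed to-server payloads; only the first should trigger the rule.
SAMPLES = [
    "GET /Some/Content/index.html HTTP/1.1\r\nHost: www.example\r\n\r\n",
    "POST /some/content HTTP/1.1\r\nHost: www.example\r\n\r\n",  # wrong method
    "GET /index.html HTTP/1.1\r\nHost: www.example\r\n\r\n",  # wrong URI
    "\x16\x03\x01\x00 GET /some/content HTTP/1.1\r\n",  # not HTTP, bytes only
]
```

With the log above reporting 274 alerts for a single HTTP request, check_engine() would flag the discrepancy immediately, which is the kind of regression check worth keeping next to a rule set.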

History

#1 Updated by Brian Rectanus about 4 years ago

  • Assignee changed from OISF Dev to Brian Rectanus

I'll look into it.

#2 Updated by Brian Rectanus about 4 years ago

Looks like the same issue affects http_cookie.

#3 Updated by Victor Julien about 4 years ago

  • Assignee changed from Brian Rectanus to Victor Julien

I think it's related to the SigMatchReplace code somehow. I'll work on this today.

#4 Updated by Victor Julien about 4 years ago

  • Status changed from New to Closed

Will be fixed in new master.
