Bug #90: http_method content modifier is broken

Added by Will Metcalf about 14 years ago. Updated about 14 years ago.

Status: Closed
Priority: Normal

Description

Processing the attached pcap, the following signature should not fire at all, yet I get around 280 alerts, although this number varies.

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"http_method is broken"; flow:to_server; content:"GET"; http_method; uricontent:"/some/content"; nocase; sid:2; rev:2;)

sudo src/suricata -c suricata.yaml -r ../fpsid15481.pcap -l ./ -s blah.rules
....
[11866] 12/2/2010 -- 08:59:36 - (alert-fastlog.c:207) <Info> (AlertFastLogExitPrintStats) -- (Outputs) Alerts 274
[11866] 12/2/2010 -- 08:59:36 - (log-httplog.c:225) <Info> (LogHttpLogExitPrintStats) -- (Outputs) HTTP requests 1
[11866] 12/2/2010 -- 08:59:36 - (alert-debuglog.c:235) <Info> (AlertDebugLogExitPrintStats) -- (Outputs) Alerts 274


Files

fpsid15481.pcap (473 KB) - fp's using http_method modifier - Will Metcalf, 02/12/2010 08:37 AM
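To make precise what "should not fire at all" means for the rule quoted above, here is a small reference matcher that encodes the rule's intended semantics: flow:to_server, content:"GET" restricted by http_method to the request method buffer (case-sensitive, since nocase is not attached to it), and uricontent:"/some/content"; nocase; restricted to the URI. This is an added example, not Suricata code and not a claim about where the reported bug was; the packet list, the function names and the raw-payload contrast function are all constructed here for illustration. The raw-payload variant only shows why a content modifier that stops confining its match to its buffer shows up as a flood of alerts on traffic with a single real HTTP request.

```python
"""Reference semantics for:
  alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"http_method is broken";
    flow:to_server; content:"GET"; http_method; uricontent:"/some/content"; nocase; ...)

Added example; not the Suricata engine. All payloads below are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Packet:
    """A constructed TCP payload plus its direction (True = client -> server)."""
    to_server: bool
    payload: bytes


def parse_request_line(payload: bytes) -> Optional[Tuple[bytes, bytes]]:
    """Return (method, uri) from an HTTP/1.x request line, or None when the
    payload does not start with one. Only the request line is needed for the
    http_method and uricontent buffers this rule uses."""
    first, sep, _rest = payload.partition(b"\r\n")
    if not sep:
        return None
    parts = first.split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/1."):
        return None
    method, uri = parts[0], parts[1]
    # Methods are upper-case tokens; anything else is not an HTTP request line.
    if not method.isalpha() or not method.isupper():
        return None
    return method, uri


def rule_matches(pkt: Packet) -> bool:
    """Intended semantics: each content keyword is confined to its own HTTP
    buffer. Non-HTTP payloads and server->client traffic can never match."""
    if not pkt.to_server:                       # flow:to_server
        return False
    parsed = parse_request_line(pkt.payload)
    if parsed is None:                          # no request line -> no HTTP buffers
        return False
    method, uri = parsed
    if b"GET" not in method:                    # content:"GET"; http_method; (case-sensitive)
        return False
    return b"/some/content" in uri.lower()      # uricontent:"..."; nocase;


def raw_payload_matches(pkt: Packet) -> bool:
    """Contrast only (hypothetical, not the cause of this bug): the same two
    patterns searched over the raw payload instead of the HTTP buffers."""
    if not pkt.to_server:
        return False
    return b"GET" in pkt.payload and b"/some/content" in pkt.payload.lower()


def count_alerts(packets: List[Packet]) -> int:
    """Alerts the rule should produce over a packet list."""
    return sum(1 for p in packets if rule_matches(p))


def count_raw_matches(packets: List[Packet]) -> int:
    """Matches a raw-payload search would produce over the same packets."""
    return sum(1 for p in packets if raw_payload_matches(p))


# Constructed sample traffic: one true positive, several decoys.
SAMPLE_PACKETS = [
    Packet(True, b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"),        # wrong URI
    Packet(True, b"POST /some/content HTTP/1.1\r\nHost: example.test\r\n\r\n"),     # wrong method
    Packet(True, b"GET /Some/Content/x HTTP/1.1\r\nHost: example.test\r\n\r\n"),    # the one real hit (nocase)
    Packet(False, b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\nGET /some/content"),  # server reply
    Packet(True, b"\x16\x03\x01\x00\x50GET /some/content not HTTP"),                # opaque non-HTTP payload
]

if __name__ == "__main__":
    print("rule semantics:", count_alerts(SAMPLE_PACKETS), "alert(s)")
    print("raw payload   :", count_raw_matches(SAMPLE_PACKETS), "match(es)")
```

Run stand-alone it reports one alert under the rule's semantics and two under the raw-payload search; the extra hit comes from the opaque payload that merely contains the bytes "GET" and "/some/content", which is exactly the kind of packet a modifier-confined match must ignore.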
#1

Updated by Brian Rectanus about 14 years ago

  • Assignee changed from OISF Dev to Brian Rectanus

I'll look into it.

#2

Updated by Brian Rectanus about 14 years ago

Looks like the same issue affects http_cookie.

#3

Updated by Victor Julien about 14 years ago

  • Assignee changed from Brian Rectanus to Victor Julien

I think it's related to the SigMatchReplace code somehow. I'll work on this today.

#4

Updated by Victor Julien about 14 years ago

  • Status changed from New to Closed

Will be fixed in new master.
