Bug #90
closed
http_method content modifier is broken
Description
Processing the attached pcap, the following signature should not fire at all, yet I get around 280 alerts, although this number varies.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"http_method is broken"; flow:to_server; content:"GET"; http_method; uricontent:"/some/content"; nocase; sid:2; rev:2;)
sudo src/suricata -c suricata.yaml -r ../fpsid15481.pcap -l ./ -s blah.rules
08:59:36 - (alert-fastlog.c:207) <Info> (AlertFastLogExitPrintStats) -- (Outputs) Alerts 274
....
[11866] 12/2/2010 -
[11866] 12/2/2010 -- 08:59:36 - (log-httplog.c:225) <Info> (LogHttpLogExitPrintStats) -- (Outputs) HTTP requests 1
[11866] 12/2/2010 -- 08:59:36 - (alert-debuglog.c:235) <Info> (AlertDebugLogExitPrintStats) -- (Outputs) Alerts 274