Bug #4286

Updated by Victor Julien 10 days ago

Given a sample of traffic such as: 

 <pre> 
 GET /somestuff HTTP/1.1 
 Accept: */* 
 Cookie: id=234524dst35e 
 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0000; Windows NT 5.1; SV1) 
 Host: google.com 
 </pre> 

 We would expect the following to work: 

 <pre>
 alert http $HOME_NET any -> $EXTERNAL_NET any (flow:established,to_server; content:"id="; depth:3; isdataat:!13,relative; http_cookie;)
 </pre>

 However, the rule does not fire as expected in any of the 4.0.x, 4.1.x, 5.x versions I tested on. 

 If we switch the rule to use http.cookie, the rule works as expected.
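
The two rule forms the report compares, written out as an added example (not taken from the ticket): the rule as reported with the `http_cookie` content modifier, and the same match using the `http.cookie` sticky buffer, which the report says fires. The `msg` text and `sid` values are constructed for illustration.

```suricata
# Added example; msg and sid values are constructed for illustration.
# In the sample request the Cookie value is "id=" followed by 12 bytes,
# so isdataat:!13,relative (no data 13 bytes past the end of the "id="
# match) is expected to hold when evaluated against the cookie buffer.

# Form from the report: http_cookie content modifier at the end of the rule.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"cookie id via http_cookie modifier"; flow:established,to_server; content:"id="; depth:3; isdataat:!13,relative; http_cookie; sid:1000001; rev:1;)

# Sticky-buffer form: http.cookie comes first, and the keywords that follow
# it (content, depth, isdataat) are evaluated against the cookie buffer.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"cookie id via http.cookie sticky buffer"; flow:established,to_server; http.cookie; content:"id="; depth:3; isdataat:!13,relative; sid:1000002; rev:1;)
```

Loading both rules against a capture of the sample request shows which form alerts on a given Suricata version.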
