[Oisf-devel] request enhance Suricata v1.3.0beta1 for file_data and negate http_header

eileen donlon emdonlo at gmail.com
Thu Apr 5 21:10:19 UTC 2012


Hi,

I believe this rule will work if you put the http_header content first:

alert tcp any 80 -> any any (msg:"negate content http_header";
flow:to_client,established; content:!"def"; http_header; file_data;
content:"abc"; distance:0; classtype:web-application-activity;
sid:92891232; rev:1;)

I don't think distance:0 does anything in this rule, so it could be removed.

Regards,
Eileen

On Thu, Apr 5, 2012 at 5:34 PM, rmkml <rmkml at yahoo.fr> wrote:

> Hi,
>
> Can anyone check why this sig does not work, please?
> I request support for it because the first content is "linked" with file_data,
> and the second negated content is linked with http_header:
>
> alert tcp any 80 -> any any (msg:"negate content http_header";
> flow:to_client,established; file_data; content:"abc"; distance:0;
> content:!"def"; http_header; classtype:web-application-activity;
> sid:92891232; rev:1;)
>
> Suricata error:
> 5/4/2012 -- 23:25:21 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] -
> "http_header" keyword found inside the rule without a content context.
> Please use a "content" keyword before using the "http_header" keyword
> 5/4/2012 -- 23:25:21 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] -
> error parsing signature "alert tcp any 80 -> any any (msg:"negate content
> http_header"; flow:to_client,established; file_data; content:"abc";
> distance:0; content:!"def"; http_header;
> classtype:web-application-activity; sid:92891232; rev:1;)" from file
> test.rules at line 1
>
> If anyone confirms, I'll open a new Redmine ticket.
>
> Regards
> Rmkml
> _______________________________________________
> Oisf-devel mailing list
> Oisf-devel at openinfosecfoundation.org
> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel
>
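As an added illustration (not code from this thread or from the Suricata project), the following Python script models the keyword-placement check behind the error quoted above and runs it over both rules from the thread. The model is an assumption drawn from the messages, not from Suricata source: a content keyword binds to whichever buffer is current when it appears (file_data switches that buffer), a content modifier such as http_header can only attach to the previous content while that content is still in the plain payload context, and a relative keyword such as distance refers to the previous content match and has no effect when that match sits in a different buffer or does not exist. The keyword sets at the top are also assumptions chosen for the example.

```python
import re
from typing import Optional

# Assumed keyword sets for this example (not Suricata's own tables).
STICKY_BUFFERS = {"file_data"}                                       # switch the buffer for later contents
CONTENT_MODIFIERS = {"http_header", "http_uri", "http_client_body"}  # re-home the previous content
RELATIVE_MODIFIERS = {"distance", "within"}                          # position relative to the previous match


def parse_options(rule: str) -> list[tuple[str, Optional[str]]]:
    """Return the rule's parenthesised option list as (keyword, value) pairs, in rule order."""
    m = re.search(r"\((.*)\)\s*$", rule, re.S)
    if not m:
        raise ValueError("rule has no option list")
    pairs = []
    # Split on ';' only when it is outside a double-quoted string.
    for raw in re.split(r';(?=(?:[^"]*"[^"]*")*[^"]*$)', m.group(1)):
        raw = raw.strip()
        if raw:
            key, _, val = raw.partition(":")
            pairs.append((key.strip(), val.strip() or None))
    return pairs


def lint(rule: str) -> dict[str, list[str]]:
    """Check content-modifier and relative-keyword placement under the assumed model.

    errors:   placements that would make the rule unparsable
    warnings: placements that parse but cannot influence matching
    """
    errors, warnings = [], []
    current = "payload"   # buffer that the next content keyword binds to
    contents = []         # buffer name of every content seen so far, in rule order
    for key, val in parse_options(rule):
        if key == "content":
            contents.append(current)
        elif key in STICKY_BUFFERS:
            current = key
        elif key in CONTENT_MODIFIERS:
            # The modifier needs a previous content that is still in the payload context.
            if not contents or contents[-1] != "payload":
                errors.append(f'"{key}" keyword found without a content context')
            else:
                contents[-1] = key
        elif key in RELATIVE_MODIFIERS:
            if not contents:
                errors.append(f'"{key}" used before any content keyword')
            elif len(contents) < 2 or contents[-2] != contents[-1]:
                warnings.append(f'"{key}:{val}" has no previous match in the '
                                f'{contents[-1]} buffer to be relative to; it has no effect')
    return {"errors": errors, "warnings": warnings}


# The two rules from the thread, each joined onto a single line.
FAILING_RULE = ('alert tcp any 80 -> any any (msg:"negate content http_header"; '
                'flow:to_client,established; file_data; content:"abc"; distance:0; '
                'content:!"def"; http_header; classtype:web-application-activity; '
                'sid:92891232; rev:1;)')
WORKING_RULE = ('alert tcp any 80 -> any any (msg:"negate content http_header"; '
                'flow:to_client,established; content:!"def"; http_header; file_data; '
                'content:"abc"; distance:0; classtype:web-application-activity; '
                'sid:92891232; rev:1;)')

if __name__ == "__main__":
    for name, rule in (("original", FAILING_RULE), ("reordered", WORKING_RULE)):
        print(name, lint(rule))
```

Run as-is, the original ordering yields the same complaint the parser printed in the thread (http_header with no content in the payload context, because content:!"def" already belongs to file_data), while the reordered rule passes with only a warning that distance:0 is relative to a match in another buffer, which is why it can be dropped.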