[Oisf-devel] request enhance Suricata v1.3.0beta1 for file_data and negate http_header

Victor Julien victor at inliniac.net
Fri Apr 6 07:54:26 UTC 2012


On 04/05/2012 11:10 PM, eileen donlon wrote:
> Hi,
> 
> Believe this rule will work if you put the http_header content first:

Yes, this is because all contents after "file_data" are considered to be
part of file_data, so the http_header doesn't work with them.

> alert tcp any 80 -> any any (msg:"negate content http_header";
> flow:to_client,established; content:!"def"; http_header; file_data;
> content:"abc"; distance:0; classtype:web-application-activity;
> sid:92891232; rev:1;)
> 
> Don't think distance:0 does anything in this rule so it could be removed.

That's correct.

Cheers,
Victor

> Regards,
> Eileen
> 
> On Thu, Apr 5, 2012 at 5:34 PM, rmkml <rmkml at yahoo.fr
> <mailto:rmkml at yahoo.fr>> wrote:
> 
>     Hi,
> 
>     Can anyone check why this sig does not work, please?
>     I request support for it because the first content is "linked" with file_data,
>     and the second, negated content is linked with http_header:
> 
>     alert tcp any 80 -> any any (msg:"negate content http_header";
>     flow:to_client,established; file_data; content:"abc"; distance:0;
>     content:!"def"; http_header; classtype:web-application-activity;
>     sid:92891232; rev:1;)
> 
>     Suricata error:
>     5/4/2012 -- 23:25:21 - <Error> - [ERRCODE:
>     SC_ERR_INVALID_SIGNATURE(39)] - "http_header" keyword found inside
>     the rule without a content context.
>     Please use a "content" keyword before using the "http_header" keyword
>     5/4/2012 -- 23:25:21 - <Error> - [ERRCODE:
>     SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp
>     any 80 -> any any (msg:"negate content
>     http_header"; flow:to_client,established; file_data; content:"abc";
>     distance:0; content:!"def"; http_header;
>     classtype:web-application-activity; sid:92891232; rev:1;)" from file
>     test.rules at line 1
> 
>     If anyone confirms, I'll open a new redmine ticket.
> 
>     Regards
>     Rmkml
>     _______________________________________________
>     Oisf-devel mailing list
>     Oisf-devel at openinfosecfoundation.org
>     <mailto:Oisf-devel at openinfosecfoundation.org>
>     http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel
> 


-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
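To make the ordering rule from this thread concrete, here is a small Python model (added here, not Suricata's own parser code) of how a content-modifier keyword such as http_header attaches to the preceding content, while a sticky buffer such as file_data claims every content that follows it. It is fed the two rules quoted above; the set of modifier keywords it knows is an assumption chosen for illustration.

```python
import re

# Keywords that open a "sticky buffer": every content after them inspects that
# buffer until another sticky buffer is selected (file_data in Suricata 1.x).
STICKY_BUFFERS = {"file_data"}
# Keywords that act as modifiers on the content directly before them.
# Assumed subset for illustration; Suricata knows more of these.
CONTENT_BUFFER_MODIFIERS = {"http_header", "http_uri", "http_client_body", "http_cookie"}

# One rule option: keyword, optional ":value" (quotes may contain ';'), then ';'.
OPTION_RE = re.compile(r'\s*(\w+)(?::((?:"[^"]*"|[^;"])+))?\s*;')

# The two rules from the thread: rmkml's original and Eileen's reordered form.
RULE_ORIGINAL = ('alert tcp any 80 -> any any (msg:"negate content http_header"; '
                 'flow:to_client,established; file_data; content:"abc"; distance:0; '
                 'content:!"def"; http_header; classtype:web-application-activity; '
                 'sid:92891232; rev:1;)')
RULE_REORDERED = ('alert tcp any 80 -> any any (msg:"negate content http_header"; '
                  'flow:to_client,established; content:!"def"; http_header; file_data; '
                  'content:"abc"; distance:0; classtype:web-application-activity; '
                  'sid:92891232; rev:1;)')


def assign_buffers(rule):
    """Map each content of a rule to the buffer it will inspect.

    Returns a list of (pattern, negated, buffer) tuples, or raises ValueError
    with the complaint Suricata printed in the thread.
    """
    options = rule[rule.index("(") + 1:rule.rindex(")")]
    contents = []
    sticky = None  # None: contents inspect the raw payload
    for name, value in OPTION_RE.findall(options):
        if name in STICKY_BUFFERS:
            sticky = name
        elif name == "content":
            negated = value.startswith("!")
            pattern = value.lstrip("!").strip().strip('"')
            contents.append([pattern, negated, sticky or "payload"])
        elif name in CONTENT_BUFFER_MODIFIERS:
            # A modifier needs a preceding content that is not already bound to
            # a sticky buffer; after file_data there is no content to attach to.
            if not contents or contents[-1][2] != "payload":
                raise ValueError(f'"{name}" keyword found inside the rule without a content context')
            contents[-1][2] = name
    return [tuple(c) for c in contents]


if __name__ == "__main__":
    print(assign_buffers(RULE_REORDERED))  # "def" -> http_header, "abc" -> file_data
    try:
        assign_buffers(RULE_ORIGINAL)
    except ValueError as err:
        print("error:", err)
```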