[Oisf-devel] another request Suricata v1.3.0beta1 for dsize and uri*
Victor Julien
victor at inliniac.net
Fri Apr 6 07:59:41 UTC 2012
On 04/05/2012 11:54 PM, rmkml wrote:
> Hi,
>
> Can anyone check why this other sig does not work, please?
> I am requesting support for this again, because of dsize and http_uri/uricontent combinations like this:
>
> alert tcp any any -> any 80 (msg:"dsize and flow"; flow:to_server,established; dsize:>1; content:"/abc"; http_uri; classtype:web-application-activity; sid:1820948; rev:1;)
In what case would this be useful?
> Suricata error:
> 5/4/2012 -- 23:48:59 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with
> stream / state matching by matching on app layer proto (like using http_* keywords).
This error message explains it. Dsize matches on a specific packet's
payload size. Http uri is inspected in the reassembled stream/http state
context. These won't happen in a single packet, so the sig can never
match. Thus we reject it.
> 5/4/2012 -- 23:48:59 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp any any -> any 80 (msg:"dsize and
> flow"; flow:to_server,established; dsize:>1; content:"/abc"; http_uri; classtype:web-application-activity; sid:1820948; rev:1;)" from file
> test.rules at line 3
>
> If anyone confirms, I'll open a new redmine ticket.
It's by design, so no ticket is needed.
> One sig that exists on Emerging Threats generates an error, of course:
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN LDPinch Checkin (9)"; flow:established,to_server; dsize:>1000;
> content:"POST"; nocase; http_method; content:"/gate.php"; http_uri; content:"a=&b=&d=&c="; http_client_body;
> reference:url,doc.emergingthreats.net/2008213; classtype:trojan-activity; sid:2008213; rev:6;)
Rev 7 addressed this; are you testing with up-to-date rules?
Cheers,
Victor
--
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
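The rejection Victor describes (packet-scoped keywords such as dsize, flags or ttl combined with app-layer keywords such as http_uri or uricontent can never match in one packet) is easy to catch before rules are ever loaded into Suricata. Below is an added example, not code from this thread or from the Suricata project, of a small Python lint that tokenizes a rule's option list and flags that combination the way SC_ERR_INVALID_SIGNATURE does. The keyword sets are an assumption (the three keywords named in the error message plus a few obvious packet-header siblings), not Suricata's exhaustive list; the rule without dsize is a constructed variant for comparison, not ET's actual rev 7, whose content is not shown on this page.

```python
# Lint Suricata rules for packet-specific keywords combined with app-layer
# (HTTP state) keywords, which Suricata rejects as SC_ERR_INVALID_SIGNATURE.
# Added example; keyword sets are an assumption, not Suricata's full list.

# Match on a single packet's header/payload (the error message names
# dsize, flags and ttl; the rest are assumed siblings).
PACKET_KEYWORDS = {"dsize", "flags", "ttl", "ipopts", "fragbits", "id",
                   "seq", "ack", "window"}


def is_app_layer_keyword(name):
    """Keywords inspected in reassembled HTTP state rather than one packet."""
    return name.startswith("http_") or name == "uricontent"


def split_options(body):
    """Split the text inside the rule's parentheses on ';' outside quotes.

    Tracks double quotes and backslash escapes so a ';' inside a content or
    msg string does not split the option.
    """
    opts, cur, in_quote, escaped = [], [], False, False
    for ch in body:
        if escaped:
            cur.append(ch)
            escaped = False
            continue
        if ch == "\\":
            cur.append(ch)
            escaped = True
            continue
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            opt = "".join(cur).strip()
            if opt:
                opts.append(opt)
            cur = []
        else:
            cur.append(ch)
    tail = "".join(cur).strip()
    if tail:
        opts.append(tail)
    return opts


def parse_rule(rule):
    """Return (header, [(keyword, value), ...]) for one rule line."""
    head, _, rest = rule.partition("(")
    rest = rest.rstrip()
    body = rest[:-1] if rest.endswith(")") else rest
    options = []
    for opt in split_options(body):
        name, _, value = opt.partition(":")
        options.append((name.strip(), value.strip()))
    return head.strip(), options


def check_rule(rule):
    """Return (ok, reason); ok is False for the packet/app-layer mix."""
    _, options = parse_rule(rule)
    names = [n for n, _ in options]
    packet = sorted({n for n in names if n in PACKET_KEYWORDS})
    app = sorted({n for n in names if is_app_layer_keyword(n)})
    if packet and app:
        return False, ("packet keywords %s combined with app-layer keywords %s"
                       % (packet, app))
    return True, "ok"


def rule_sid(rule):
    """Pull the sid out of a rule for reporting; None if absent."""
    for name, value in parse_rule(rule)[1]:
        if name == "sid":
            return int(value)
    return None


# Sample rules: the two from the thread (the ET one re-joined onto a single
# line) plus two constructed variants for comparison.
RULES = {
    "dsize_plus_http_uri": 'alert tcp any any -> any 80 (msg:"dsize and flow"; '
        'flow:to_server,established; dsize:>1; content:"/abc"; http_uri; '
        'classtype:web-application-activity; sid:1820948; rev:1;)',
    "http_uri_only": 'alert tcp any any -> any 80 (msg:"uri only"; '  # constructed
        'flow:to_server,established; content:"/abc"; http_uri; '
        'classtype:web-application-activity; sid:1820948; rev:2;)',
    "et_ldpinch_rev6": 'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS '
        '(msg:"ET TROJAN LDPinch Checkin (9)"; flow:established,to_server; '
        'dsize:>1000; content:"POST"; nocase; http_method; content:"/gate.php"; '
        'http_uri; content:"a=&b=&d=&c="; http_client_body; '
        'reference:url,doc.emergingthreats.net/2008213; '
        'classtype:trojan-activity; sid:2008213; rev:6;)',
    "dsize_only": 'alert tcp any any -> any 80 (msg:"dsize only"; '  # constructed
        'flow:to_server,established; dsize:>1; content:"/abc"; sid:1000001; rev:1;)',
}


def lint(rules):
    """Return [(label, sid, reason)] for every rule the check rejects."""
    return [(label, rule_sid(r), check_rule(r)[1])
            for label, r in rules.items() if not check_rule(r)[0]]


if __name__ == "__main__":
    for label, sid, reason in lint(RULES):
        print("REJECT %s (sid %s): %s" % (label, sid, reason))
```

Run it over a rules file by feeding each non-comment line to check_rule before loading the file into Suricata; the dsize-only rule and the http_uri-only rule pass, while both rules quoted in the thread are flagged for the same reason the engine gives.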