[Oisf-devel] FN on http POST query suricata v1.2.1?

Peter Manev petermanev at gmail.com
Thu Apr 19 07:08:39 UTC 2012


Hi,

I will try to reproduce your findings.
A quick question - what do you expect of { pcre:"/^[^\n]{5}/P"; } ?

thanks

On Thu, Apr 19, 2012 at 1:58 AM, rmkml <rmkml at yahoo.fr> wrote:

> Hi,
>
> I restarted my Suricata (v1.2.1 and 1.3git) testing and I found strange
> results with these sigs not firing:
>
> alert tcp any any -> any 80 (msg:"FN suricata"; flow:to_server,established; isdataat:1; classtype:web-application-activity; sid:90011667; rev:1;)
>
> alert tcp any any -> any 80 (msg:"FN suricata"; flow:to_server,established; pcre:"/^[^\n]{5}/P"; classtype:web-application-activity; sid:90011668; rev:1;)
>
> alert tcp any any -> any 80 (msg:"FN suricata"; flow:to_server,established; content:"galid"; nocase; http_client_body; classtype:web-application-activity; sid:90011669; rev:1;)
>
>
> Tested with these two http commands:
>  wget http://192.168.1.1/abcd.php --post-data="galid=abcdzad&dzadzza=dzadzdza"
>  curl http://192.168.1.1/abcd.php --data "galid=abcdzad&dzadzza=dzadzdza"
>
> Attached my two pcaps for replaying.
> No suricata error.
> Disabled cksum validation.
>
> I'm sure I'm totally wrong, but could someone check/confirm please? If OK, I'll
> open a new redmine ticket.
> Of course, Snort always fires.
> Regards
> Rmkml
>
> http://twitter.com/rmkml



-- 
Regards,
Peter Manev
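To make concrete what the three quoted rules should match on the body that those curl/wget commands send, here is an added Python check (not part of the thread and not Suricata code) that emulates the payload and http_client_body conditions of each sid; the request headers are an assumption, the body is the one from the thread, and the /P modifier on the pcre means the regex runs against the HTTP client body.

```python
import re

# Constructed sample of the request that `curl http://192.168.1.1/abcd.php --data "galid=abcdzad&dzadzza=dzadzdza"`
# from the thread sends; the headers are an assumption, the body is the thread's.
CURL_POST = (
    b"POST /abcd.php HTTP/1.1\r\n"
    b"Host: 192.168.1.1\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 30\r\n"
    b"\r\n"
    b"galid=abcdzad&dzadzza=dzadzdza"
)
# Constructed contrast case: a GET with no body, which the body rules should not match.
PLAIN_GET = b"GET /abcd.php HTTP/1.1\r\nHost: 192.168.1.1\r\n\r\n"

def client_body(raw_request: bytes) -> bytes:
    """Return what Suricata exposes as the http_client_body buffer:
    the bytes after the blank line, limited to Content-Length when present."""
    head, sep, body = raw_request.partition(b"\r\n\r\n")
    if not sep:
        return b""
    m = re.search(rb"(?im)^content-length:\s*(\d+)\s*$", head)
    return body[: int(m.group(1))] if m else body

def rule_90011667(raw_request: bytes) -> bool:
    # isdataat:1 (not relative): a byte must exist at payload offset 1, i.e. the
    # packet payload is at least two bytes; the whole request stands in for the payload.
    return len(raw_request) > 1

def rule_90011668(raw_request: bytes) -> bool:
    # pcre:"/^[^\n]{5}/P": /P runs the regex against the client body, so this
    # asks for at least five non-newline bytes at the start of the POST body.
    return re.match(rb"^[^\n]{5}", client_body(raw_request)) is not None

def rule_90011669(raw_request: bytes) -> bool:
    # content:"galid"; nocase; http_client_body: case-insensitive substring match on the body.
    return b"galid" in client_body(raw_request).lower()

def evaluate(raw_request: bytes) -> dict:
    """Map each sid from the thread to whether its payload/body condition holds."""
    return {
        90011667: rule_90011667(raw_request),
        90011668: rule_90011668(raw_request),
        90011669: rule_90011669(raw_request),
    }

if __name__ == "__main__":
    print(evaluate(CURL_POST))  # expected: all three True
    print(evaluate(PLAIN_GET))  # expected: only 90011667 True
```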