[Oisf-devel] FP with Suricata v1.4.6 and negated http_raw_uri
Victor Julien
victor at inliniac.net
Mon Nov 11 09:16:05 UTC 2013
On 11/09/2013 01:49 AM, rmkml wrote:
> Hi,
>
> First, thx you for very good IPS/IDS Suricata engine !
>
> ok I'm continu my testing and found a new FP,
>
> if anyone confirm, I'm open a new redmine ticket.
>
> Joigned pcap file generated with:
> (curl http v1.1 pipelining)
>
> curl -v
> http://www.debian-fr.org/styles/debianfr2/theme/images/icon_mini_faq.gif
> http://www.debian-fr.org/download/file.php?avatar=7.png
>
> Suricata v1.4.6 fire with only this sig: (negated http_raw_uri)
>
> alert tcp any any -> any 80 (msg:"test negated http_raw_uri";
> flow:to_server,established; content:".php"; nocase; http_uri;
> content:!"="; http_raw_uri; classtype:attempted-admin; sid:1; rev:1; )
>
> 11/09/2013-01:33:52.103607 [**] [1:1:1] test negated http_raw_uri [**]
> [Classification: Attempted Administrator Privilege Gain] [Priority: 1]
> {TCP} 192.168.1.2:46553 -> 91.121.50.62:80
>
> Of course snort not fire.
>
>
> Suricata v1.4.6 not fire with negated http_uri:
>
> alert tcp any any -> any 80 (msg:"test negated http_raw_uri";
> flow:to_server,established; content:".php"; nocase; http_uri;
> content:!"="; http_uri; classtype:attempted-admin; sid:2; rev:1; )
This looks like a consequence of how we handle transactions in 1.4. In
2.0dev this is fixed, there all HTTP inspection is strictly done per TX.
Feel free to open a ticket, but the fix will be 2.0.
--
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
More information about the Oisf-devel
mailing list