<div>Hi,</div>
<div> </div>
<div>I will try to reproduce your findings</div>
<div>A quick question - what do you expect of { pcre:"/^[^\n]{5}/P"; }?</div>
<div> </div>
<div>thanks<br><br></div>
<div class="gmail_quote">On Thu, Apr 19, 2012 at 1:58 AM, rmkml <span dir="ltr">&lt;<a href="mailto:rmkml@yahoo.fr">rmkml@yahoo.fr</a>&gt;</span> wrote:<br>
<blockquote style="BORDER-LEFT:#ccc 1px solid;MARGIN:0px 0px 0px 0.8ex;PADDING-LEFT:1ex" class="gmail_quote">Hi,<br><br>I restarted my Suricata (v1.2.1 and 1.3git) testing and I found strange results, with these sigs not firing:<br>
<br>alert tcp any any -> any 80 (msg:"FN suricata"; flow:to_server,established; isdataat:1; classtype:web-application-activity; sid:90011667; rev:1;)<br><br>alert tcp any any -> any 80 (msg:"FN suricata"; flow:to_server,established; pcre:"/^[^\n]{5}/P"; classtype:web-application-activity; sid:90011668; rev:1;)<br>
<br>alert tcp any any -> any 80 (msg:"FN suricata"; flow:to_server,established; content:"galid"; nocase; http_client_body; classtype:web-application-activity; sid:90011669; rev:1;)<br><br><br>
Tested with these two HTTP commands:<br> wget <a href="http://192.168.1.1/abcd.php" target="_blank">http://192.168.1.1/abcd.php</a> --post-data="galid=abcdzad&dzadzza=dzadzdza"<br> curl <a href="http://192.168.1.1/abcd.php" target="_blank">http://192.168.1.1/abcd.php</a> --data "galid=abcdzad&dzadzza=dzadzdza"<br>
<br>Attached are my two pcaps for replaying.<br>No Suricata error.<br>Disabled cksum validation.<br><br>I'm sure I'm totally wrong, but could someone check/confirm, please? If OK, I'll open a new Redmine ticket.<br>Of course, Snort always fires.<br>
Regards<br>Rmkml<br><br><a href="http://twitter.com/rmkml" target="_blank">http://twitter.com/rmkml</a><br></blockquote></div><br><br clear="all"><br>-- <br>
<div>Regards,</div>
<div>Peter Manev</div><br>