<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"></head><body>Hi Anoop,<div>I opened a new Redmine ticket #508.</div><div>and added a pcap file.</div><div>Regards</div><div>Rmkml</div><div><br></div></body></html><br><br>
-------- Original message --------
Subject: Re: [Oisf-devel] Suricata FN on http_header or http_user_agent
From: Anoop Saldanha <anoopsaldanha@gmail.com>
To: rmkml@yahoo.fr
CC: oisf-devel@openinfosecfoundation.org
<br><br><body><div style="word-break:break-all;">Hi rmkml,<br><br>Can you open a bug on this?<br><br>On Tue, Jul 17, 2012 at 9:28 PM, rmkml@yahoo.fr <rmkml@yahoo.fr> wrote:<br>> Hi,<br>> Can anyone confirm my strange results, please? If yes, I'll open a new Redmine<br>> ticket.<br>><br>> OK, start a wget HTTP request:<br>> wget --user-agent="Mozilla\";" http://x.y.com<br>> (results are User-Agent: Mozilla"; )<br>><br>> 1) OK, create a very simple sig; Suricata fires:<br>> ... flow:to_server,established; content:"\"\;"; ...<br>><br>><br>> 2) Another sig, but Suricata does not fire. Why?<br>> ... flow:to_server,established; content:"\"\;"; http_header; ...<br>><br>><br>> 3) Another sig, but Suricata does not fire. Why?<br>> ... flow:to_server,established; content:"\"\;"; http_user_agent; ...<br>><br>> Same problem when replacing " with |22|<br>> or ; with |3b|.<br>><br>> Of course, Snort fires every time.<br>> Regards<br>> Rmkml<br><br><br><br>-- <br>Anoop Saldanha<br></div> </body>
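An added example, not part of the original thread and not Suricata code: it decodes the content strings from the report (backslash escapes and |hex| runs) and checks them against a constructed request, showing that every spelling yields the same two bytes and that those bytes sit in the raw stream, the header block and the User-Agent value. The set of escapable characters, the `Accept` header and the simplified buffer model are assumptions.

```python
# Added example: constructed data and a simplified buffer model (assumptions).
ESCAPABLE = '";:\\'  # assumed set of characters that may follow a backslash

def decode_content(pattern: str) -> bytes:
    """Turn the text between the quotes of content:"..." into the bytes to match."""
    out, i = bytearray(), 0
    while i < len(pattern):
        c = pattern[i]
        if c == "|":                       # |22 3b| style hex run
            end = pattern.find("|", i + 1)
            if end == -1:
                raise ValueError("unterminated |hex| run")
            out += bytes.fromhex(pattern[i + 1:end])
            i = end + 1
        elif c == "\\":                    # backslash escape, e.g. \" or \;
            if i + 1 >= len(pattern) or pattern[i + 1] not in ESCAPABLE:
                raise ValueError("bad escape at offset %d" % i)
            out.append(ord(pattern[i + 1]))
            i += 2
        else:
            out += c.encode("latin-1")
            i += 1
    return bytes(out)

# Constructed request modelled on the wget command in the report.
RAW = (b'GET / HTTP/1.1\r\n'
       b'User-Agent: Mozilla";\r\n'
       b'Host: x.y.com\r\n'
       b'Accept: */*\r\n\r\n')

def buffers(raw: bytes) -> dict:
    """Simplified view of what each keyword inspects (assumption, not Suricata code)."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    request_line, _, header_block = head.partition(b"\r\n")
    user_agent = b""
    for line in header_block.split(b"\r\n"):
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"user-agent":
            user_agent = value.strip()
    return {"raw": raw, "http_header": header_block, "http_user_agent": user_agent}

def expected_matches(pattern: str, raw: bytes = RAW) -> dict:
    """Which buffers contain the decoded pattern, i.e. where a rule should fire."""
    needle = decode_content(pattern)
    return {name: needle in buf for name, buf in buffers(raw).items()}

if __name__ == "__main__":
    for p in (r'\"\;', r'|22|\;', r'\"|3b|', '|22 3b|'):
        print(p, decode_content(p), expected_matches(p))
```

A rule that fires on the raw stream but not on a buffer this check marks `True` is a candidate false negative worth reporting with a pcap, as was done here.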