<div dir="ltr">If Suri supports it first, is it breaking compat with snort? (I think this was the case..) I would say that the bug is that suri 2.0 does not give an error on this condition. Unless the decision was made to treat distance/within like depth/offset. when no previous buffer was specified. While this might be snort compat, I think it's a bad choice. depth/offset should be from the start of packet/stream/buffer distance/within should be forced to have a previous match in the same packet/stream/buffer IMHO.<div>
<br></div><div>Regards,</div><div><br></div><div>Will</div></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Tue, Feb 4, 2014 at 3:08 PM, rmkml <span dir="ltr"><<a href="mailto:rmkml@yahoo.fr" target="_blank">rmkml@yahoo.fr</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Thx Will for feedback,<br>
<br>
Yes you are right, pcre IR or UR work (sid 3 and 6),<br>
but before suri v2.0beta2, suri errors if pcre R+^ relative http_raw_uri/http_uri (sid 2 and 5).<br>
Maybe back error on suri v2 ? (because suri not fire)<br>
<br>
FYI, snort v2960 fire if pcre R+^ relative http_raw_uri/http_uri (sid 2 and 5).<br>
but errors if pcre IR or UR... (sid 3 and 6)<br>
(break suri / snort compatibility?)<br>
<br>
Tested with:<br>
alert tcp any any -> any 80 (msg:"Testing Rule1"; content:"baduricontent"; http_raw_uri; pcre:"/[a-z]{5}\.html/R"; sid:1; rev:2;)<br>
alert tcp any any -> any 80 (msg:"Testing Rule2"; content:"baduricontent"; http_raw_uri; pcre:"/^[a-z]{5}\.html/R"; sid:2; rev:2;)<br>
alert tcp any any -> any 80 (msg:"Testing Rule3"; content:"baduricontent"; http_raw_uri; pcre:"/^[a-z]{5}\.html/IR"; sid:3; rev:2;)<br>
alert tcp any any -> any 80 (msg:"Testing Rule4"; content:"baduricontent"; http_uri; pcre:"/[a-z]{5}\.html/R"; sid:4; rev:2;)<br>
alert tcp any any -> any 80 (msg:"Testing Rule5"; content:"baduricontent"; http_uri; pcre:"/^[a-z]{5}\.html/R"; sid:5; rev:2;)<br>
alert tcp any any -> any 80 (msg:"Testing Rule6"; content:"baduricontent"; http_uri; pcre:"/^[a-z]{5}\.html/UR"; sid:6; rev:2;)<br>
<br>
(pcap previously sended)<br>
<br>
Regards<span class="HOEnZb"><font color="#888888"><br>
@Rmkml</font></span><div class="HOEnZb"><div class="h5"><br>
<br>
<br>
On Tue, 4 Feb 2014, Will Metcalf wrote:<br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
You need to specify relative pcre matches like this, then it works... Note the "I".<br>
alert tcp any any -> any 80 (msg:"Testing Rule"; content:"baduricontent"; http_raw_uri; pcre:"/^[a-z]{5}\.html/IR"; sid:2; rev:2;)<br>
<br>
<br>
<br>
On Tue, Feb 4, 2014 at 9:50 AM, rmkml <<a href="mailto:rmkml@yahoo.fr" target="_blank">rmkml@yahoo.fr</a>> wrote:<br>
Thx Anoop,<br>
<br>
opened Suricata redmine ticket #1098.<br>
<br>
Thx for your time.<br>
@Rmkml<br>
<br>
<br>
On Mon, 3 Feb 2014, Anoop Saldanha wrote:<br>
<br>
rmkml,<br>
<br>
If that specific case isn't firing, that's a bug indeed. Can you<br>
please open a ticket for it?<br>
<br>
On Sat, Feb 1, 2014 at 3:58 AM, rmkml <<a href="mailto:rmkml@yahoo.fr" target="_blank">rmkml@yahoo.fr</a>> wrote:<br>
Hi Harley,<br>
<br>
Yes it's not work on Suricata v1.4.7 but fire on v2.0 beta 2.<br>
<br>
<br>
oisf-devel: But maybe you have another bug on Suricata v2.0 beta 2, I'm<br>
explain:<br>
If you add ^ on pcre begin, suricata not fire with this uri:<br>
baduricontentabcde.html<br>
(It's fire on snort)<br>
<br>
fire on suri v2:<br>
alert tcp any any -> any 80 (msg:"Testing Rule"; content:"baduricontent";<br>
http_raw_uri; pcre:"/[a-z]{5}\.html/R"; sid:1; rev:2;)<br>
<br>
not fire on suri v2:<br>
alert tcp any any -> any 80 (msg:"Testing Rule"; content:"baduricontent";<br>
http_raw_uri; pcre:"/^[a-z]{5}\.html/R"; sid:2; rev:2;)<br>
<br>
Tested with: wget <a href="http://google.com/baduricontentabcde.html" target="_blank">http://google.com/<u></u>baduricontentabcde.html</a><br>
(joigned pcap file)<br>
<br>
Anyone confirm please ?<br>
<br>
Regards<br>
@Rmkml<br>
<br>
<br>
<br>
<br>
<br>
On Fri, 31 Jan 2014, Harley H wrote:<br>
<br>
Good catch but that's a typo. I typed the rule in vice copying/pasting<br>
like I should have.<br>
<br>
<br>
On Fri, Jan 31, 2014 at 5:02 PM, Edward Fjellsk?l<br>
<<a href="mailto:edwardfjellskaal@gmail.com" target="_blank">edwardfjellskaal@gmail.com</a>> wrote:<br>
-----BEGIN PGP SIGNED MESSAGE-----<br>
Hash: SHA1<br>
<br>
"/[a-z]{5}.html"/R"<br>
<br>
<br>
is there a " to much?<br>
<br>
E<br>
<br>
On 01/31/2014 10:40 PM, Harley H wrote:<br>
Hello, I was going to submit this through Redmine but I'm not<br>
receiving the account activation email. I'm trying to write a rule<br>
like this:<br>
<br>
alert tcp $HOME_NET any -> $EXTERNAL_NET $WEB_PORTS (msg: "Testing<br>
Rule"; content: "baduricontent"; http_raw_uri; pcre:<br>
"/[a-z]{5}.html"/R"; sid: 123; rev: 1;)<br>
<br>
But am receiving this error message:<br>
<br>
31/1/2014 -- 16:19:25 - <Error> - [ERRCODE:<br>
SC_ERR_INVALID_SIGNATURE(39)] - No preceding content or uricontent<br>
or pcre option 31/1/2014 -- 16:19:25 - <Error> - [ERRCODE:<br>
SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp<br>
$HOME_NET any -> $EXTERNAL_NET any (msg: "Testing URL"; content:<br>
"baduricontent"; http_raw_uri; pcre: "/[a-z]{5}\.html/R"; sid:<br>
98765; rev: 1;)" from file<br>
/root/Desktop/Local_Workspace/<u></u>IDS_Rules/testing.rules at line 1<br>
<br>
<br>
When I get rid of 'http_raw_uri' and replace that 'content' with<br>
'uricontent' the same error message is produced.<br>
<br>
-Harley<br>
</blockquote>
</div></div></blockquote></div><br></div>