[Oisf-devel] a small pb on suricata v0.8.2

rmkml rmkml at free.fr
Tue Apr 20 07:14:13 UTC 2010


Hi,
First, big congratulations on the new Suricata 0.8.2 release!

Second, I have a small problem with a signature/rule:
- this rule does not detect/work: (WWW uppercase and space)
  alert tcp any 80 -> any any (msg:"no1"; flow:to_client,established; content:"WWW-Authenticate\: "; nocase; classtype:web-application-activity; sid:9000000; rev:1;)
- but a small variant detects/works: (mixed case and space)
  alert tcp any 80 -> any any (msg:"ok1"; flow:to_client,established; content:"Www-Authenticate\: "; nocase; classtype:web-application-activity; sid:9000001; rev:1;)
- another small variant detects/works: (WWW uppercase without space)
  alert tcp any 80 -> any any (msg:"ok2"; flow:to_client,established; content:"WWW-Authenticate\:"; nocase; classtype:web-application-activity; sid:9000002; rev:1;)

Attached is a pcap with good checksums (it's live/real traffic, not fuzzing).
Tested without any other signatures/rules + output is the fast option + pattern-matcher is the default b2g + host-os-policy set to default or linux has the same problem + libhtp uses default-config, but the apache server-config has the same problem.
Does anyone have an idea?
Regards
Rmkml
-------------- next part --------------
A non-text attachment was scrubbed...
Name: suricata082htppb_csdump306b.pcap.gz
Type: application/octet-stream
Size: 1965 bytes
Desc: 
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-devel/attachments/20100420/116029ea/attachment.obj>

