[Oisf-devel] complex FP with suricata

rmkml rmkml at yahoo.fr
Tue Dec 21 21:54:16 UTC 2010


Hi,
Congratulations for new Suricata version 1.1beta1!

Im found a "complex" FP pb with this version (and previous if I remember correctly).
ok first download full Emerging Threat suricata version today (~5.9M):
  http://rules.emergingthreats.net/open/suricata/emerging-all.rules

and simply add this rule:
  alert tcp any any -> any 80 (msg:"suricata ht ext FP"; flow:to_server,established; uricontent:".ht"; nocase; pcre:!"/\.ht[a-z0-9]/Ui"; classtype:web-application-activity; sid:931362; rev:1;)

and start suricata ten times with my joigned pcap file:
  ...
  12/21/2010-11:15:23.619639  [**] [1:931362:1] suricata ht ext FP [**] [Classification: access to a potentially vulnerable web application] [Priority: 3] {TCP} 192.168.1.80:50966 -> 66.35.45.157:80
  ...

my joigned pcap file contains http request like:
  ...
  GET./index.html.HTTP/1.1
  ...

and next, simply remove emerging-all.rules file and restart suricata: no alert!

If anyone check/confirm this: Im open a new ticket on redmine.

Regards
Rmkml
-------------- next part --------------
A non-text attachment was scrubbed...
Name: suricatafphtextflowbitspcre.pcap.bz2
Type: application/x-bzip2
Size: 33115 bytes
Desc: 
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-devel/attachments/20101221/18e3f77f/attachment.bin>


More information about the Oisf-devel mailing list