[Oisf-devel] FN with uri shoutbox.php on all Suricata versions

rmkml at free.fr rmkml at free.fr
Fri Jul 23 10:40:47 UTC 2010


Hi,
Can anyone confirm this FN, please?
Tested on Suricata v0.9.2, v1.0.0 and git yesterday.
I don't have good internet access so please try this:
-record all network traffic, e.g. with tcpdump
-go to this uri, for example: http://www.Google.com/shoutbox.php
-test this pcap with suricata and this old sid 2142 (it simply detects uricontent /shoutbox.php)
-first result: Suricata fires, good!
-ok, add this sig please:
 alert tcp any 80 -> any any (msg:"test1"; flow:to_client,established;
uricontent:"unknownabc"; nocase; sid:10; rev:1;)
-With these two sigs: Suricata does not fire, why?
I'll open a new ticket if you confirm the problem.
Regards
Rmkml
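A reproduction harness for the steps above, added here as an example and not part of the original post. It assumes a current Suricata on PATH (with -S to load one rule file exclusively), a pcap of the browser session given as the first argument, and a constructed stand-in for sid 2142 that matches only uricontent /shoutbox.php; it runs the pcap once with the single signature and once with both, and reports how many sid 2142 alerts appear in each fast.log.

```shell
#!/bin/sh
# Assumptions (not from the original post): suricata is on PATH and supports
# -S, $1 is a pcap of the browser visiting .../shoutbox.php, and the
# sid 2142 rule below is a constructed stand-in, not the real signature.

PCAP="${1:-shoutbox.pcap}"

# Rule set A: only the shoutbox signature (constructed stand-in for sid 2142).
write_rules_a() {
    cat <<'EOF'
alert tcp any any -> any 80 (msg:"shoutbox stand-in"; uricontent:"/shoutbox.php"; nocase; sid:2142; rev:1;)
EOF
}

# Rule set B: rule set A plus the "test1" signature quoted in the post.
write_rules_b() {
    write_rules_a
    cat <<'EOF'
alert tcp any 80 -> any any (msg:"test1"; flow:to_client,established; uricontent:"unknownabc"; nocase; sid:10; rev:1;)
EOF
}

# Count alerts for sid $1 in the fast.log file $2 (0 if the file is missing).
count_sid() {
    # fast.log alert lines carry the rule id as [gid:sid:rev], e.g. [1:2142:1]
    [ -r "$2" ] || { echo 0; return; }
    grep -c "\[1:$1:" "$2" || true
}

# Run suricata on the pcap with one rule file; report sid 2142 alert count.
run_case() {
    name="$1"; rules="$2"; out="$WORK/$name"
    mkdir -p "$out"
    suricata -r "$PCAP" -S "$rules" -l "$out" >/dev/null 2>&1
    echo "$name: $(count_sid 2142 "$out/fast.log") alert(s) for sid 2142"
}

# Only run the engine when it and the capture are actually available.
if command -v suricata >/dev/null 2>&1 && [ -r "$PCAP" ]; then
    WORK="$(mktemp -d)"
    write_rules_a > "$WORK/a.rules"
    write_rules_b > "$WORK/b.rules"
    run_case one_sig  "$WORK/a.rules"   # expected: at least 1 alert
    run_case two_sigs "$WORK/b.rules"   # the post reports 0 here (the FN)
fi
```

If the two counts differ, the fast.log files under the work directory are the evidence to attach to the ticket.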
