[Oisf-devel] FN with uri shoutbox.php on all Suricata versions

Victor Julien victor at inliniac.net
Sun Jul 25 13:10:39 UTC 2010

Can you retry this on the current (1 minute ago) git master?


rmkml at free.fr wrote:
> Hi,
> Anyone confirm this FN please?
> Tested on Suricata v0.9.2 v1.0.0 and git yesterday.
> I don't have good internet access so please try this:
> -record all network trafic like tcpdump
> -go to this uri, for exemple: http://www.Google.com/shoutbox.php
> -test this pcap with suricata and this old sid 2142 (detect simply uricontent
> /shoutbox.php)
> -first result: Suricata fire, good!
> -ok add this sig please:
>  alert tcp any 80 -> any any (msg:"test1"; flow:to_client,established;
> uricontent:"unknownabc"; nocase; sid:10; rev:1;)
> -With theses two sigs: Suricata not fire, why?
> Im open a new ticket if you confirm pb.
> Regards
> Rmkml
> _______________________________________________
> Oisf-devel mailing list
> Oisf-devel at openinfosecfoundation.org
> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel

Victor Julien
PGP: http://www.inliniac.net/victorjulien.asc

More information about the Oisf-devel mailing list