[Oisf-devel] suricata strange alert with uricontent and negate pcre_U

rmkml rmkml at free.fr
Thu May 20 18:24:05 UTC 2010


Hi,
I'm playing with Suricata and I'm getting a "strange" alert with this sig:
  alert tcp any any -> any 80 (msg:"suricata test pcre"; flow:to_server,established; uricontent:".htm"; pcre:!"/\.ht[a-z0-9]/U";
  classtype:web-application-activity; sid:999136; rev:1;)
with this URI, the Suricata alert fires (FP):
  01/07/09-23:02:15.452205  [**] [1:93136:1] suricata test pcre [**] [Classification: access to a potentially vulnerable web application] [Priority: 3] {6} 10.50.1.80:2828 -> 157.212.42.59:80
Attached an anonymised pcap (but same result as the original).
What is strange? Because for me, the client sent the HTTP request split into two push packets; the first push contains the POST URI (contains .htm but the pcre is not working here, #1), but the timestamp on the Suricata alert is for the second packet (#2).
Can anyone test/confirm these two problems please?
Snort doesn't alert.
Regards
Rmkml
-------------- next part --------------
A non-text attachment was scrubbed...
Name: suricatafpuricontentpcrenegate20may2010.pcap
Type: application/cap
Size: 1550 bytes
Desc: 
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-devel/attachments/20100520/5bb22777/attachment.bin>
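The rule above can never legitimately fire: `.htm` itself satisfies `\.ht[a-z0-9]` (the `m` falls in `[a-z]`), so whenever `uricontent:".htm"` matches, the negated pcre fails. The following added example (not Suricata's code and not from the post) models the rule's match logic against a normalised URI, then contrasts evaluating the to_server stream once after reassembly with a hypothetical per-segment model in which the content match is remembered from the first segment while the negated pcre is run against the current segment only. The two-segment POST request, the hostname and the function names are constructed for this illustration; the per-segment model is one way the symptom described in the post (alert on the second packet) could arise, not a statement about Suricata's implementation.

```python
"""Model of the rule's match logic from the post (added example, not Suricata code)."""
import re

# Rule options from the post: uricontent:".htm"; pcre:!"/\.ht[a-z0-9]/U";
URICONTENT = ".htm"
PCRE_U = re.compile(r"\.ht[a-z0-9]")  # /U: evaluated against the normalised URI

# Minimal HTTP request-line parser; only needs to recover the URI.
REQUEST_LINE = re.compile(rb"^[A-Z]+ (\S+) HTTP/\d\.\d\r\n")

# Constructed two-segment POST: the first push carries the URI, the second only body.
SEG1 = (b"POST /cgi-bin/login.htm HTTP/1.1\r\n"
        b"Host: www.example.invalid\r\n"
        b"Content-Length: 9\r\n\r\n")
SEG2 = b"user=test"


def extract_uri(payload):
    """Return the request URI if `payload` starts with an HTTP request line, else None."""
    m = REQUEST_LINE.match(payload)
    return m.group(1).decode("ascii", "replace") if m else None


def rule_fires(uri):
    """All options must hold: uricontent present AND the negated pcre NOT matching."""
    return URICONTENT in uri and not PCRE_U.search(uri)


def firing_uris(uris):
    """URIs on which the rule fires when evaluated correctly (always empty for this rule)."""
    return [u for u in uris if rule_fires(u)]


def evaluate_reassembled(segments):
    """Correct behaviour: reassemble the to_server stream and evaluate the rule once.
    Returns the list of segment indexes that would produce an alert."""
    uri = extract_uri(b"".join(segments))
    return [0] if uri is not None and rule_fires(uri) else []


def evaluate_per_segment_carried_content(segments):
    """Hypothetical model of the FP in the post: the uricontent hit is remembered from the
    segment carrying the request line, but the negated pcre is run against the current
    segment's URI buffer only (empty for a body-only segment), so the negation succeeds."""
    alerts = []
    content_seen = False
    for idx, seg in enumerate(segments):
        uri = extract_uri(seg) or ""
        content_seen = content_seen or URICONTENT in uri
        if content_seen and not PCRE_U.search(uri):
            alerts.append(idx)
    return alerts


if __name__ == "__main__":
    print("URIs that fire when evaluated correctly:",
          firing_uris(["/login.htm", "/a/b.html", "/x.htm?y=1", "/index.php"]))
    print("reassembled evaluation alerts on segments:", evaluate_reassembled([SEG1, SEG2]))
    print("per-segment model alerts on segments:",
          evaluate_per_segment_carried_content([SEG1, SEG2]))
```

Run stand-alone it reports no alert for the reassembled stream and an alert on segment index 1 under the per-segment model, which is the "timestamp on the second packet" symptom. The practical check for a rule like this is that every negated option must be evaluated against the same reassembled buffer as the positive match it is meant to qualify; a pcap with the request split across pushes, as attached to the post, is the right regression input.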

