[Oisf-devel] suricata strange alert with uricontent and negate pcre_U

rmkml rmkml at free.fr
Thu May 20 18:24:05 UTC 2010

I'm playing with suricata and I'm getting a "strange" alert with this sig:
  alert tcp any any -> any 80 (msg:"suricata test pcre"; flow:to_server,established; uricontent:".htm"; pcre:!"/\.ht[a-z0-9]/U";
  classtype:web-application-activity; sid:999136; rev:1;)
with this uri, the suricata alert fires (FP):
  01/07/09-23:02:15.452205  [**] [1:93136:1] suricata test pcre [**] [Classification: access to a potentially vulnerable web application] [Priority: 3] {6} ->
Attached an anonymised pcap (but same result as the original).
What is strange? Because for me, the client sent the http request split into two push packets: the first push contains the post uri (contains .htm but the pcre is not
working here #1), but the timestamp on the suricata alert is for the second packet (#2).
Can anyone test/confirm these two problems please?
Snort doesn't alert.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: suricatafpuricontentpcrenegate20may2010.pcap
Type: application/cap
Size: 1550 bytes
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-devel/attachments/20100520/5bb22777/attachment.bin>
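As an added illustration (not code from the original post or from Suricata itself), the following Python model evaluates the rule's match logic, uricontent:".htm" AND NOT pcre:"/\.ht[a-z0-9]/U", on a constructed two-segment POST request. It models one hypothesis consistent with the report, a matcher that re-checks the negated pcre on a later segment carrying no URI, and is not a description of Suricata's internals; it also shows that on a complete URI buffer this rule can never be satisfied, since every ".htm" occurrence also matches \.ht[a-z0-9].

```python
import re
from typing import List, Optional

# Match pieces of sid 999136 as written in the report.
URICONTENT = ".htm"
PCRE_U = re.compile(r"\.ht[a-z0-9]")  # the /U buffer is the normalised URI

# Constructed sample: one POST split across two TCP pushes, as reported.
SEG1 = (b"POST /upload.htm HTTP/1.1\r\nHost: example.test\r\n"
        b"Content-Length: 5\r\n\r\n")
SEG2 = b"a=1&b"  # request body only, carries no request line / URI


def rule_on_buffer(uri: str) -> bool:
    """uricontent must be present AND the negated pcre must not match.
    Any URI containing '.htm' also matches \\.ht[a-z0-9] ('m' is in
    [a-z]), so on a complete URI this is always False."""
    return URICONTENT in uri and PCRE_U.search(uri) is None


def extract_uri(segment: bytes) -> Optional[str]:
    """Return the URI of a complete request line, else None."""
    end = segment.find(b"\r\n")
    if end < 0:
        return None
    parts = segment[:end].split(b" ")
    if len(parts) != 3:
        return None
    return parts[1].decode("ascii", errors="replace")


def naive_stream_eval(segments: List[bytes]) -> Optional[int]:
    """Hypothetical per-packet matcher: remembers a uricontent hit from an
    earlier segment and re-evaluates the negated pcre on each later segment.
    On a body-only segment the URI buffer is empty, the negated pcre holds
    vacuously, and the rule 'fires'. Returns the alerting segment index."""
    seen_content = False
    for idx, seg in enumerate(segments):
        uri = extract_uri(seg) or ""
        if URICONTENT in uri:
            seen_content = True
        if seen_content and PCRE_U.search(uri) is None:
            return idx
    return None


def reassembled_eval(segments: List[bytes]) -> bool:
    """Correct behaviour: evaluate both matches on the reassembled URI."""
    return rule_on_buffer(extract_uri(b"".join(segments)) or "")
```

Running naive_stream_eval([SEG1, SEG2]) reports an alert on segment index 1 (the second push), while reassembled_eval returns False, which matches the symptom in the report and the expectation that the rule should stay silent.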
