[Oisf-devel] suricata strange alert with uricontent and negate pcre_U

Will Metcalf william.metcalf at gmail.com
Thu May 20 20:48:55 UTC 2010


Sounds like this is related to bug 109 or bug 124.

Regards,

Will

On Thu, May 20, 2010 at 1:24 PM, rmkml <rmkml at free.fr> wrote:
> Hi,
> I'm playing with suricata and I'm getting a "strange" alert with this sig:
>  alert tcp any any -> any 80 (msg:"suricata test pcre";
> flow:to_server,established; uricontent:".htm"; pcre:!"/\.ht[a-z0-9]/U";
>  classtype:web-application-activity; sid:999136; rev:1;)
> with this uri, suricata alert firing (FP):
>  01/07/09-23:02:15.452205  [**] [1:93136:1] suricata test pcre [**]
> [Classification: access to a potentially vulnerable web application]
> [Priority: 3] {6} 10.50.1.80:2828 -> 157.212.42.59:80
> Attached anonymised pcap (but same result as original).
> What is strange? Because for me, the client sent the http request split in two
> push packets: the first push contains the post uri (contains .htm but pcre not
> working here #1), but the timestamp on the suricata alert is for the second packet (#2).
> Can anyone test/confirm these two problems please?
> Snort doesn't alert.
> Regards
> Rmkml
> _______________________________________________
> Oisf-devel mailing list
> Oisf-devel at openinfosecfoundation.org
> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel
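Added illustration (not code from the thread or from Suricata): a small model of the two payload keywords in the signature above, run against a constructed two-segment request, to show why the rule can never legitimately fire when uricontent and the negated pcre are checked against the same URI, and how an alert lands on the second segment if the negated pcre is instead evaluated against a segment that carries no request line. The "mismatched" evaluator is a hypothesis about the reported behaviour, written to match what the poster describes, not a description of Suricata's detection engine; the sample request bytes are constructed.

```python
import re

# Signature from the thread (sid 999136), reduced to its two payload checks:
#   uricontent:".htm";  pcre:!"/\.ht[a-z0-9]/U";
# The pcre is negated and /U binds it to the normalized URI, so the rule can
# only fire when the URI contains ".htm" but NOT ".ht" followed by [a-z0-9].
# ".htm" satisfies both, so a consistently evaluated URI can never fire it.
URICONTENT = ".htm"
NEGATED_PCRE = re.compile(r"\.ht[a-z0-9]")

# Constructed sample (stand-in for the poster's pcap, not data from the thread):
# one HTTP POST pushed to the server in two TCP segments.
SEGMENT_1 = b"POST /upload/report.htm HTTP/1.1\r\nHost: www.example.test\r\n"
SEGMENT_2 = b"Content-Length: 5\r\n\r\nhello"


def request_uri(data):
    """Return the request URI if `data` starts with a complete HTTP request
    line ("METHOD SP URI SP HTTP/x.y CRLF"), otherwise None."""
    line, sep, _ = data.partition(b"\r\n")
    if not sep:
        return None
    parts = line.split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        return None
    return parts[1].decode("latin-1")


def rule_fires(uri):
    """Correct evaluation: both keywords are checked against the same URI.
    The negated pcre contributes a match only when the pattern is absent."""
    if uri is None or URICONTENT not in uri:
        return False
    return NEGATED_PCRE.search(uri) is None


def rule_fires_reassembled(segments):
    """Evaluate the rule on the reassembled request, as a stream-aware
    engine should; expected to be False for any URI containing ".htm"."""
    return rule_fires(request_uri(b"".join(segments)))


def rule_fires_per_segment_mismatched(segments):
    """Hypothetical model of the reported false positive: the uricontent hit
    from an earlier segment is remembered, but the negated pcre is run only
    against the segment currently being inspected. On a segment with no
    request line there is nothing for the pattern to match, so the negation
    succeeds and the rule fires there. Returns the index of the segment on
    which the alert would be raised, or None if it never fires."""
    uricontent_seen = False
    for index, segment in enumerate(segments):
        uri = request_uri(segment)
        if uri is not None and URICONTENT in uri:
            uricontent_seen = True
        if uricontent_seen and NEGATED_PCRE.search(uri or "") is None:
            return index
    return None


if __name__ == "__main__":
    segments = [SEGMENT_1, SEGMENT_2]
    print("reassembled:", rule_fires_reassembled(segments))            # False
    print("mismatched :", rule_fires_per_segment_mismatched(segments))  # 1
```

The second result is the behaviour rmkml describes: uricontent is satisfied by the request line in the first push, the negated pcre finds nothing to match in the second push, and the alert is stamped with the second packet's time. Any fix on the engine side has to guarantee that every /U-modified pcre, negated or not, sees the same normalized URI buffer that uricontent was matched against.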