[Oisf-devel] complex FP with suricata

Victor Julien victor at inliniac.net
Wed Jan 5 08:52:54 UTC 2011


Hi Rmkml, I've been able to reproduce this issue. Please go ahead and
open a ticket.

Thanks!
Victor

On 12/21/2010 10:54 PM, rmkml wrote:
> Hi,
> Congratulations on the new Suricata version 1.1beta1!
> 
> I found a "complex" FP problem with this version (and previous ones if I
> remember correctly).
> OK, first download the full Emerging Threats Suricata ruleset as of today (~5.9M):
>  http://rules.emergingthreats.net/open/suricata/emerging-all.rules
> 
> and simply add this rule:
>  alert tcp any any -> any 80 (msg:"suricata ht ext FP";
> flow:to_server,established; uricontent:".ht"; nocase;
> pcre:!"/\.ht[a-z0-9]/Ui"; classtype:web-application-activity;
> sid:931362; rev:1;)
> 
> and start Suricata ten times with my attached pcap file:
>  ...
>  12/21/2010-11:15:23.619639  [**] [1:931362:1] suricata ht ext FP [**]
> [Classification: access to a potentially vulnerable web application]
> [Priority: 3] {TCP} 192.168.1.80:50966 -> 66.35.45.157:80
>  ...
> 
> my attached pcap file contains HTTP requests like:
>  ...
>  GET./index.html.HTTP/1.1
>  ...
> 
> and next, simply remove the emerging-all.rules file and restart Suricata: no
> alert!
> 
> If anyone can check/confirm this, I'll open a new ticket on Redmine.
> 
> Regards
> Rmkml
> 
> 
> 
> _______________________________________________
> Oisf-devel mailing list
> Oisf-devel at openinfosecfoundation.org
> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel


-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
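To make the expected behaviour of the reported rule concrete, the Python model below is an added example, not code from the original post or from Suricata itself. It applies the rule's two URI checks in order: the `uricontent:".ht"; nocase;` substring test, then the negated `pcre:!"/\.ht[a-z0-9]/Ui"`, which lets the rule match only when the pattern does not match the URI. The request lines are constructed here (they are not from the attached pcap), and the model deliberately ignores flow state, the destination port and Suricata's URI normalization. Under the rule's own semantics `/index.html` must not alert, which is why the alert in the report is a false positive.

```python
import re

# Constructed sample request lines (assumption: not taken from the attached pcap).
SAMPLE_REQUESTS = [
    "GET /index.html HTTP/1.1",       # the reported FP: ".htm" follows ".ht"
    "GET /.htaccess HTTP/1.1",        # ".hta" follows ".ht" -> excluded by the pcre
    "GET /backup.ht HTTP/1.1",        # bare ".ht" extension -> rule should alert
    "GET /page.HT?x=1 HTTP/1.1",      # nocase, and "?" is not [a-z0-9] -> alert
    "GET /images/logo.png HTTP/1.1",  # no ".ht" at all -> uricontent fails
]

URICONTENT = ".ht"
# pcre:!"/\.ht[a-z0-9]/Ui" -> pattern on the URI (U), case-insensitive (i), negated (!)
PCRE_NEGATED = re.compile(r"\.ht[a-z0-9]", re.IGNORECASE)


def request_uri(request_line):
    """Return the URI from an HTTP request line, or None if it is malformed."""
    parts = request_line.split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None
    return parts[1]


def rule_931362_matches(uri):
    """Model the rule's URI logic: uricontent must hit AND the negated pcre must miss."""
    # uricontent:".ht"; nocase; -> case-insensitive substring test on the URI
    if URICONTENT.lower() not in uri.lower():
        return False
    # pcre:! -> the rule matches only when the pattern does NOT match the URI
    return PCRE_NEGATED.search(uri) is None


def evaluate(requests):
    """Return {uri: should_alert} for each well-formed request line."""
    results = {}
    for line in requests:
        uri = request_uri(line)
        if uri is not None:
            results[uri] = rule_931362_matches(uri)
    return results


if __name__ == "__main__":
    for uri, alert in evaluate(SAMPLE_REQUESTS).items():
        print(f"{uri:24s} alert={alert}")
```

The model only says what the rule should produce on its own; it cannot reproduce the reported behaviour, which depends on the rule being loaded alongside the large Emerging Threats ruleset. That is exactly why the differential check in the report (same pcap, with and without emerging-all.rules) is the right one: it isolates an interaction inside the detection engine rather than a defect in the rule's logic.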