[Oisf-devel] complex FP with suricata

rmkml rmkml at yahoo.fr
Wed Jan 5 11:08:31 UTC 2011


Thanks a lot, Victor,
opened ticket 268.
Best Regards
Rmkml


On Wed, 5 Jan 2011, Victor Julien wrote:

> Hi Rmkml, I've been able to reproduce this issue. Please go ahead and
> open a ticket.
>
> Thanks!
> Victor
>
> On 12/21/2010 10:54 PM, rmkml wrote:
>> Hi,
>> Congratulations on the new Suricata version 1.1beta1!
>>
>> I found a "complex" FP problem with this version (and previous ones, if I
>> remember correctly).
>> ok first download full Emerging Threat suricata version today (~5.9M):
>>  http://rules.emergingthreats.net/open/suricata/emerging-all.rules
>>
>> and simply add this rule:
>>  alert tcp any any -> any 80 (msg:"suricata ht ext FP";
>> flow:to_server,established; uricontent:".ht"; nocase;
>> pcre:!"/\.ht[a-z0-9]/Ui"; classtype:web-application-activity;
>> sid:931362; rev:1;)
>>
>> and start suricata ten times with my attached pcap file:
>>  ...
>>  12/21/2010-11:15:23.619639  [**] [1:931362:1] suricata ht ext FP [**]
>> [Classification: access to a potentially vulnerable web application]
>> [Priority: 3] {TCP} 192.168.1.80:50966 -> 66.35.45.157:80
>>  ...
>>
>> my attached pcap file contains http requests like:
>>  ...
>>  GET./index.html.HTTP/1.1
>>  ...
>>
>> and next, simply remove the emerging-all.rules file and restart suricata: no
>> alert!
>>
>> If anyone can check/confirm this, I'll open a new ticket on redmine.
>>
>> Regards
>> Rmkml
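
The expected behaviour of sid 931362, worked through as an added example (this is not Suricata code and not part of the original thread): the rule has two URI conditions, a case-insensitive `uricontent:".ht"` substring test and a negated `pcre:!"/\.ht[a-z0-9]/Ui"` that must find no match in the normalized URI. Emulating both in Python makes it explicit why `GET /index.html` should never alert (".ht" is followed by "m", so the negated pcre matches and vetoes the rule) and which URIs the rule is actually meant to catch. The sample URIs other than `/index.html` are constructed for the example.

```python
import re

# Emulation of the two URI conditions in sid:931362 (added example).
URICONTENT = ".ht"                              # uricontent:".ht"; nocase;
NEG_PCRE = re.compile(r"\.ht[a-z0-9]", re.I)    # pcre:!"/\.ht[a-z0-9]/Ui"


def rule_matches(uri: str) -> bool:
    """Return True when both URI conditions of the rule hold for `uri`.

    `uri` is assumed to already be the normalized URI, which is what the
    /U pcre flag (and uricontent) are evaluated against in Suricata.
    - uricontent with nocase: case-insensitive substring test.
    - negated pcre: the rule only fires if the regex finds NO match.
    """
    has_ht = URICONTENT in uri.lower()
    pcre_hits = NEG_PCRE.search(uri) is not None
    return has_ht and not pcre_hits


def expected_alerts(uris):
    """URIs from `uris` for which the rule is expected to alert."""
    return [u for u in uris if rule_matches(u)]


# Constructed sample URIs; only /index.html comes from the bug report.
SAMPLE_URIS = [
    "/index.html",      # .ht followed by 'm' -> negated pcre vetoes -> no alert
    "/.htaccess",       # .ht followed by 'a' -> no alert
    "/config.ht",       # .ht at end of URI -> alert
    "/backup.HT?x=1",   # nocase: .HT followed by '?' -> alert
    "/about.ht.bak",    # .ht followed by '.' -> alert
    "/style.css",       # no .ht at all -> no alert
]

if __name__ == "__main__":
    for uri in SAMPLE_URIS:
        print(f"{uri:20} alert={rule_matches(uri)}")
```

Run against the report's request, `rule_matches("/index.html")` is False, which is the "no alert" result the reporter sees once emerging-all.rules is removed; the alert that appears with the full ruleset loaded is the discrepancy being reported.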


