[Oisf-devel] another request Suricata v1.3.0beta1 for dsize and uri*
rmkml
rmkml at yahoo.fr
Thu Apr 5 21:54:14 UTC 2012
Hi,
Can anyone check why this other sig does not work, please?
I am making another request to support it, because dsize and http_uri/uricontent are combined like this:
alert tcp any any -> any 80 (msg:"dsize and flow"; flow:to_server,established; dsize:>1; content:"/abc"; http_uri; classtype:web-application-activity; sid:1820948; rev:1;)
Suricata error:
5/4/2012 -- 23:48:59 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
5/4/2012 -- 23:48:59 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp any any -> any 80 (msg:"dsize and flow"; flow:to_server,established; dsize:>1; content:"/abc"; http_uri; classtype:web-application-activity; sid:1820948; rev:1;)" from file test.rules at line 3
If anyone confirms, I'll open a new redmine ticket.
One sig that exists on Emerging Threats generates an error, of course:
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN LDPinch Checkin (9)"; flow:established,to_server; dsize:>1000; content:"POST"; nocase; http_method; content:"/gate.php"; http_uri; content:"a=&b=&d=&c="; http_client_body; reference:url,doc.emergingthreats.net/2008213; classtype:trojan-activity; sid:2008213; rev:6;)
Regards
Rmkml
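The rejection above comes from a validation rule in Suricata's signature parser: a rule may not combine packet-level keywords (dsize, flags, ttl) with keywords that force stream/state matching on the HTTP app layer (http_*, uricontent). The following script is an added example, not code from the original post or from the Suricata project; it is a small lint that approximates that check so a rules file can be screened before loading. The packet-keyword set is limited to the three keywords named in the error message (Suricata's real list is longer; treating only these three as packet-level is an assumption of the example), and the third rule in the embedded sample is a constructed variant of the first with dsize removed.

```python
# Added example (not from the original post or from Suricata): a small lint
# that approximates the check behind SC_ERR_INVALID_SIGNATURE, flagging rules
# that combine packet-level keywords with HTTP app-layer keywords.
import re

# Keywords the error message itself names as packet-specific. Suricata's real
# list is longer; restricting the check to these three is an assumption.
PACKET_KEYWORDS = {"dsize", "flags", "ttl"}


def is_app_layer_keyword(kw):
    """http_* modifiers and the older uricontent keyword force stream/state matching."""
    return kw.startswith("http_") or kw == "uricontent"


def split_options(rule):
    """Return the option list inside the rule's parentheses, split on ';'.

    A ';' inside a double-quoted value (e.g. a content string) must not end
    an option, so quoting and backslash escapes are tracked while scanning.
    """
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    options, current, in_quote, escaped = [], [], False, False
    for ch in body:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\" and in_quote:
            current.append(ch)
            escaped = True
        elif ch == '"':
            in_quote = not in_quote
            current.append(ch)
        elif ch == ";" and not in_quote:
            option = "".join(current).strip()
            if option:
                options.append(option)
            current = []
        else:
            current.append(ch)
    tail = "".join(current).strip()
    if tail:
        options.append(tail)
    return options


def keyword_of(option):
    """'content:"/abc"' -> 'content'; bare modifiers such as 'http_uri' pass through."""
    return option.split(":", 1)[0].strip().lower()


def check_rule(rule):
    """Report which packet-level and app-layer keywords a single rule combines."""
    keywords = [keyword_of(o) for o in split_options(rule)]
    packet = sorted({k for k in keywords if k in PACKET_KEYWORDS})
    app_layer = sorted({k for k in keywords if is_app_layer_keyword(k)})
    sid_match = re.search(r"\bsid\s*:\s*(\d+)", rule)
    return {
        "sid": int(sid_match.group(1)) if sid_match else None,
        "packet": packet,
        "app_layer": app_layer,
        "ok": not (packet and app_layer),
    }


def lint_rules(text):
    """Lint every non-comment line of a rules file; return the rules Suricata would reject."""
    rejected = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        result = check_rule(line)
        if not result["ok"]:
            rejected.append(result)
    return rejected


# Sample input: the two signatures quoted in the post, plus a constructed
# variant of the first with the packet-level dsize keyword dropped.
RULES = """\
alert tcp any any -> any 80 (msg:"dsize and flow"; flow:to_server,established; dsize:>1; content:"/abc"; http_uri; classtype:web-application-activity; sid:1820948; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN LDPinch Checkin (9)"; flow:established,to_server; dsize:>1000; content:"POST"; nocase; http_method; content:"/gate.php"; http_uri; content:"a=&b=&d=&c="; http_client_body; reference:url,doc.emergingthreats.net/2008213; classtype:trojan-activity; sid:2008213; rev:6;)
# constructed: same HTTP match without dsize (placeholder sid), which the parser accepts
alert tcp any any -> any 80 (msg:"flow only"; flow:to_server,established; content:"/abc"; http_uri; classtype:web-application-activity; sid:9000001; rev:1;)
"""

if __name__ == "__main__":
    for r in lint_rules(RULES):
        print(f"sid {r['sid']}: packet keywords {r['packet']} "
              f"combined with app-layer keywords {r['app_layer']}")
```

Running the script lists sids 1820948 and 2008213 as rejected and accepts the constructed third rule; the same `lint_rules` call can be pointed at the contents of any rules file to find every signature that would trip this error before Suricata is restarted.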