[Oisf-devel] request enhance Suricata v1.3.0beta1 for file_data and negate http_header

rmkml rmkml at yahoo.fr
Fri Apr 6 08:47:52 UTC 2012


Thank you Victor for the reply,
but can it break the "API" with Snort?
Because Snort allows file_data:.... and after that http_header or other...

I added distance:0 because it's easier to understand the sig: search for
content after the distance since file_data...
Regards
Rmkml


On Fri, 6 Apr 2012, Victor Julien wrote:

> On 04/05/2012 11:10 PM, eileen donlon wrote:
>> Hi,
>>
>> Believe this rule will work if you put the http_header content first:
>
> Yes, this is because all contents after "file_data" are considered to be
> part of file_data, so the http_header doesn't work with them.
>
>> alert tcp any 80 -> any any (msg:"negate content http_header";
>> flow:to_client,established; content:!"def"; http_header; file_data;
>> content:"abc"; distance:0; classtype:web-application-activity;
>> sid:92891232; rev:1;)
>>
>> Don't think distance:0 does anything in this rule so it could be removed.
>
> That's correct.
>
> Cheers,
> Victor
>
>> Regards,
>> Eileen
>>
>> On Thu, Apr 5, 2012 at 5:34 PM, rmkml <rmkml at yahoo.fr
>> <mailto:rmkml at yahoo.fr>> wrote:
>>
>>     Hi,
>>
>>     Can anyone check why this sig does not work, please?
>>     I request support for it because the first content is "linked" with file_data,
>>     and the second, negated content is linked with http_header:
>>
>>     alert tcp any 80 -> any any (msg:"negate content http_header";
>>     flow:to_client,established; file_data; content:"abc"; distance:0;
>>     content:!"def"; http_header; classtype:web-application-activity;
>>     sid:92891232; rev:1;)
>>
>>     Suricata error:
>>     5/4/2012 -- 23:25:21 - <Error> - [ERRCODE:
>>     SC_ERR_INVALID_SIGNATURE(39)] - "http_header" keyword found inside
>>     the rule without a content context.
>>     Please use a "content" keyword before using the "http_header" keyword
>>     5/4/2012 -- 23:25:21 - <Error> - [ERRCODE:
>>     SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp
>>     any 80 -> any any (msg:"negate content
>>     http_header"; flow:to_client,established; file_data; content:"abc";
>>     distance:0; content:!"def"; http_header;
>>     classtype:web-application-activity; sid:92891232; rev:1;)" from file
>>     test.rules at line 1
>>
>>     If anyone confirms, I'll open a new Redmine ticket.
>>
>>     Regards
>>     Rmkml
>>     _______________________________________________
>>     Oisf-devel mailing list
>>     Oisf-devel at openinfosecfoundation.org
>>     <mailto:Oisf-devel at openinfosecfoundation.org>
>>     http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel
>>
>>
>
>
> -- 
> ---------------------------------------------
> Victor Julien
> http://www.inliniac.net/
> PGP: http://www.inliniac.net/victorjulien.asc
> ---------------------------------------------
>
>
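The thread boils down to two rule-parsing behaviours: after `file_data` every following `content` is matched in the HTTP body, and `http_header` is a modifier that re-targets the content immediately before it, so placing it after a `file_data` content leaves it with no content to modify and the rule is rejected. The following Python is an added toy model of those two behaviours (it is not Suricata's own parser and only handles the keywords used in this thread); the two rule strings are the ones posted above, joined onto one line. The "redundant distance" check encodes the model's reading of Eileen's remark: `distance:0` on the first content in a buffer has no earlier match to be relative to.

```python
"""Toy model of how the contents of a Suricata 1.3-era rule bind to buffers.

Added illustration, not Suricata's parser.  It models only what the thread
discusses:
  * file_data is a "sticky" buffer: every content after it is matched in
    the HTTP response body.
  * http_header is a modifier: it re-targets the preceding content.  If that
    content already belongs to a sticky buffer there is nothing in the
    default (payload) context to modify, so the rule is rejected.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

STICKY_BUFFERS = {"file_data"}            # subset, enough for this thread
MODIFIERS = {"http_header", "http_uri"}   # subset, enough for this thread

# Rules from the thread (constructed copies, joined onto one line).
RULE_ORIGINAL = ('alert tcp any 80 -> any any (msg:"negate content http_header"; '
                 'flow:to_client,established; file_data; content:"abc"; distance:0; '
                 'content:!"def"; http_header; classtype:web-application-activity; '
                 'sid:92891232; rev:1;)')
RULE_REORDERED = ('alert tcp any 80 -> any any (msg:"negate content http_header"; '
                  'flow:to_client,established; content:!"def"; http_header; file_data; '
                  'content:"abc"; distance:0; classtype:web-application-activity; '
                  'sid:92891232; rev:1;)')


class InvalidSignature(ValueError):
    """Parse failure; plays the role of SC_ERR_INVALID_SIGNATURE in the model."""


@dataclass
class ContentMatch:
    pattern: str
    negated: bool
    buffer: str = "payload"          # "payload" is the default (non-sticky) context
    distance: Optional[int] = None


def split_options(rule: str) -> List[Tuple[str, Optional[str]]]:
    """Split the 'kw:val; kw; ...' option body into (keyword, value) pairs."""
    body = rule[rule.index("(") + 1: rule.rindex(")")]
    opts = []
    # split on ';' only when an even number of quotes follows (i.e. not inside "...")
    for raw in re.split(r';(?=(?:[^"]*"[^"]*")*[^"]*$)', body):
        raw = raw.strip()
        if raw:
            kw, _, val = raw.partition(":")
            opts.append((kw.strip(), val.strip() or None))
    return opts


def bind_contents(rule: str) -> List[ContentMatch]:
    """Assign each content to a buffer, applying sticky-buffer and modifier rules."""
    contents: List[ContentMatch] = []
    sticky: Optional[str] = None
    for kw, val in split_options(rule):
        if kw in STICKY_BUFFERS:
            sticky = kw                          # everything after this is in that buffer
        elif kw == "content":
            negated = val.startswith("!")
            pattern = val.lstrip("!").strip('"')
            contents.append(ContentMatch(pattern, negated, sticky or "payload"))
        elif kw in MODIFIERS:
            # a modifier needs a preceding content that is still in the payload context
            if not contents or contents[-1].buffer != "payload":
                raise InvalidSignature(
                    f'"{kw}" keyword found inside the rule without a content context')
            contents[-1].buffer = kw
        elif kw == "distance":
            if not contents:
                raise InvalidSignature('"distance" keyword without a content context')
            contents[-1].distance = int(val)
    return contents


def redundant_distance(contents: List[ContentMatch]) -> List[str]:
    """Patterns whose distance:0 is a no-op: the first content seen in its buffer."""
    seen, out = set(), []
    for c in contents:
        if c.distance == 0 and c.buffer not in seen:
            out.append(c.pattern)
        seen.add(c.buffer)
    return out


def check_rule(rule: str) -> dict:
    """Parse a rule; report either the error or the content-to-buffer bindings."""
    try:
        contents = bind_contents(rule)
    except InvalidSignature as exc:
        return {"ok": False, "error": str(exc)}
    return {"ok": True,
            "bindings": [(c.pattern, c.negated, c.buffer) for c in contents],
            "redundant_distance": redundant_distance(contents)}


if __name__ == "__main__":
    for name, rule in (("original", RULE_ORIGINAL), ("reordered", RULE_REORDERED)):
        print(name, check_rule(rule))
```

Running it reports the original ordering as rejected with the same wording as the error in the thread, and the reordered rule as `def` (negated) bound to `http_header` and `abc` bound to `file_data`, with `abc`'s `distance:0` flagged as redundant.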
