[Oisf-devel] FN on http POST query suricata v1.2.1?
rmkml
rmkml at yahoo.fr
Wed Apr 18 23:58:49 UTC 2012
Hi,
I'm restarting my Suricata (v1.2.1 and 1.3git) testing and I found strange results with these sigs not firing:
alert tcp any any -> any 80 (msg:"FN suricata"; flow:to_server,established; isdataat:1; classtype:web-application-activity; sid:90011667; rev:1;)
alert tcp any any -> any 80 (msg:"FN suricata"; flow:to_server,established; pcre:"/^[^\n]{5}/P"; classtype:web-application-activity; sid:90011668; rev:1;)
alert tcp any any -> any 80 (msg:"FN suricata"; flow:to_server,established; content:"galid"; nocase; http_client_body; classtype:web-application-activity; sid:90011669; rev:1;)
Tested with these two http commands:
wget http://192.168.1.1/abcd.php --post-data="galid=abcdzad&dzadzza=dzadzdza"
curl http://192.168.1.1/abcd.php --data "galid=abcdzad&dzadzza=dzadzdza"
Attached my two pcaps for replaying.
No suricata error.
Disabled cksum validation.
I'm sure I'm totally wrong, but could someone check/confirm please? If ok, I'll open a new redmine ticket.
Of course, Snort always fires.
Regards
Rmkml
http://twitter.com/rmkml
-------------- next part --------------
A non-text attachment was scrubbed...
Name: exemple_http_post_isdataat_suricataFNcurl.pcap
Type: application/octet-stream
Size: 1521 bytes
Desc:
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-devel/attachments/20120419/4fea7263/attachment.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: exemple_http_post_isdataat_suricataFNwget.pcap
Type: application/octet-stream
Size: 1526 bytes
Desc:
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-devel/attachments/20120419/4fea7263/attachment-0001.obj>
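As an added example (not code from the post or from the Suricata project), here is a small Python reference check of what the three posted rules should match on the curl request, so the pcap result can be compared against the intended rule semantics. The request bytes and header values are constructed to mirror the curl command; the literal reading of isdataat:1 against the raw payload is an assumption.

```python
import re

# Constructed raw request, as curl --data would send it (header values assumed).
CURL_POST = (
    b"POST /abcd.php HTTP/1.1\r\n"
    b"User-Agent: curl/7.22.0\r\n"
    b"Host: 192.168.1.1\r\n"
    b"Content-Length: 30\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"\r\n"
    b"galid=abcdzad&dzadzza=dzadzdza"
)

def split_request(raw: bytes):
    """Split a raw HTTP/1.x request into (request line, headers, body)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete request: no end of headers")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    # Honour Content-Length so trailing bytes are not treated as body.
    length = int(headers.get(b"content-length", len(body)))
    return lines[0], headers, body[:length]

def rule_90011667(raw: bytes) -> bool:
    # isdataat:1 with no buffer modifier: literal reading, a byte exists at
    # offset 1 of the raw TCP payload (assumed interpretation).
    return len(raw) > 1

def rule_90011668(raw: bytes) -> bool:
    # pcre:"/^[^\n]{5}/P": the /P flag anchors the regex to the client body.
    _, _, body = split_request(raw)
    return re.match(rb"^[^\n]{5}", body) is not None

def rule_90011669(raw: bytes) -> bool:
    # content:"galid"; nocase; http_client_body
    _, _, body = split_request(raw)
    return b"galid" in body.lower()

def evaluate_rules(raw: bytes) -> dict:
    """Return {sid: expected_match} for one request."""
    return {
        90011667: rule_90011667(raw),
        90011668: rule_90011668(raw),
        90011669: rule_90011669(raw),
    }
```

A GET with no body, or a POST whose body is shorter than five bytes, should only satisfy sid 90011667.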