[Oisf-devel] http_raw_uri and relative offset request
eileen donlon
emdonlo at gmail.com
Fri Jan 13 21:41:58 UTC 2012
Hi,
Confirmed. Can you please put in a ticket?
As a workaround, it seems to load ok if you put the http_raw_uri before the
nocase.
Thanks,
Eileen
On Fri, Jan 13, 2012 at 5:15 PM, rmkml <rmkml at yahoo.fr> wrote:
> Hi,
> Im test suricata v1.2rc1 and I have a request please (if anyone confirm of
> course)
> ok, create a sig with `content:"/test"; nocase; http_raw_uri;
> pcre:"/^abc/Rsmi";`
>
> suricata send error:
> [13087] 13/1/2012 -- 22:53:20 - (detect-pcre.c:1193) <Error>
> (DetectPcreSetup) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - No preceding
> content or uricontent or pcre option
>
> but uri work with snort: GET /testabc HTTP/1.0...
> `http_raw_uri` are little bit special because permit relative offset...
> (http_raw_uri are like content but pattern searching only on http uri)
>
> if Anyone confirm, Im create a new ticket...
> Regards
> Rmkml
> _______________________________________________
> Oisf-devel mailing list
> Oisf-devel at openinfosecfoundation.org
> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-devel/attachments/20120113/34f332b9/attachment-0002.html>
More information about the Oisf-devel
mailing list