[Oisf-devel] http_raw_uri and relative offset request
eileen donlon
emdonlo at gmail.com
Sat Jan 14 00:00:47 UTC 2012
Here is a patch against the current git master for review. Lightly tested;
pcre unittests pass.
Regards,
Eileen
On Fri, Jan 13, 2012 at 4:53 PM, eileen donlon <emdonlo at gmail.com> wrote:
> Hi,
>
> Sorry, it still doesn't work. The error doesn't occur regardless of the
> nocase/http_raw_uri order if there is no pcre. My apologies.
>
> Thanks,
> Eileen
>
>
> On Fri, Jan 13, 2012 at 5:46 PM, rmkml <rmkml at yahoo.fr> wrote:
>
>> Thank you Eileen,
>> can you send a modified sig that works please?
>> Regards
>> Rmkml
>>
>>
>>
>> On Fri, 13 Jan 2012, eileen donlon wrote:
>>
>>> Hi,
>>>
>>> Confirmed. Can you please put in a ticket?
>>>
>>> As a workaround, it seems to load ok if you put the http_raw_uri before
>>> the nocase.
>>>
>>> Thanks,
>>> Eileen
>>>
>>> On Fri, Jan 13, 2012 at 5:15 PM, rmkml <rmkml at yahoo.fr> wrote:
>>> Hi,
>>> I'm testing suricata v1.2rc1 and I have a request please (if anyone
>>> confirms, of course)
>>> ok, create a sig with `content:"/test"; nocase; http_raw_uri;
>>> pcre:"/^abc/Rsmi";`
>>>
>>> suricata sends an error:
>>> [13087] 13/1/2012 -- 22:53:20 - (detect-pcre.c:1193) <Error>
>>> (DetectPcreSetup) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - No preceding
>>> content or uricontent or pcre option
>>>
>>> but the uri works with snort: GET /testabc HTTP/1.0...
>>> `http_raw_uri` is a little bit special because it permits relative
>>> offset...
>>> (http_raw_uri is like content but pattern searching only on http
>>> uri)
>>>
>>> If anyone confirms, I'll create a new ticket...
>>> Regards
>>> Rmkml
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Fixed-sig-rejected-for-http-option-preceeding-pcre.patch
Type: text/x-patch
Size: 948 bytes
Desc: not available
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-devel/attachments/20120113/4f37270a/attachment.bin>