[Oisf-devel] http_raw_uri and relative offset request

Victor Julien victor at inliniac.net
Mon Jan 16 13:19:40 UTC 2012


On 01/13/2012 11:15 PM, rmkml wrote:
> Hi,
> I'm testing Suricata v1.2rc1 and I have a request, please (if anyone can confirm, of course).
> OK, create a sig with `content:"/test"; nocase; http_raw_uri; pcre:"/^abc/Rsmi";`
> 
> Suricata sends an error:
> [13087] 13/1/2012 -- 22:53:20 - (detect-pcre.c:1193) <Error> (DetectPcreSetup) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - No preceding content or uricontent or pcre option
> 
> but the URI works with Snort: GET /testabc HTTP/1.0...
> `http_raw_uri` is a little bit special because it permits relative offsets...
> (http_raw_uri is like content, but the pattern is searched only in the HTTP URI)

So what buffer would the pcre inspect in this case? In Suricata the raw
URI has its own buffer, so it's not possible to match across the
boundary of this buffer.

I think the signature is essentially broken. Either don't use
http_raw_uri but a plain content instead, or use pcre with the I modifier.

-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
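
Added example, not part of the original message and not Suricata code: a small rule lint for the mismatch discussed in this thread, run over the reported option string and the two suggested rewrites. The function name is hypothetical, the rule header, msg and sid values are constructed, and the model is simplified to two buffers only (packet payload and http_raw_uri).

```python
import re

# Tokenise "keyword;" and "keyword:value;" options; quoted values may contain ';'.
OPTION = re.compile(r'\s*([\w.]+)\s*(?::\s*("(?:\\.|[^"\\])*"|[^;]*))?\s*;')
PCRE = re.compile(r'^"/(.*)/(\w*)"$', re.S)

def relative_pcre_buffer_mismatches(rule):
    """Return (pcre, pcre_buffer, previous_buffer) for each relative pcre (R)
    whose buffer differs from the buffer of the match it is relative to."""
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    prev_buffer = None      # buffer of the most recent content/pcre
    after_content = False   # True while reading modifiers of a content
    problems = []
    for m in OPTION.finditer(body):
        key, val = m.group(1), m.group(2)
        if key == "content":
            prev_buffer, after_content = "payload", True
        elif key == "http_raw_uri" and after_content:
            prev_buffer = "http_raw_uri"   # moves that content to the raw URI buffer
        elif key == "pcre":
            after_content = False
            pm = PCRE.match(val or "")
            if pm is None:
                continue
            flags = pm.group(2)
            # Assumption of this sketch: only the I modifier changes the pcre buffer.
            buf = "http_raw_uri" if "I" in flags else "payload"
            if "R" in flags and buf != prev_buffer:
                problems.append((val, buf, prev_buffer))
            prev_buffer = buf
    return problems

# Constructed rules: the options come from the thread, header/msg/sid are made up.
HDR = 'alert tcp any any -> any any (msg:"constructed example"; '
BROKEN = HDR + 'content:"/test"; nocase; http_raw_uri; pcre:"/^abc/Rsmi"; sid:1;)'
FIX_PLAIN = HDR + 'content:"/test"; nocase; pcre:"/^abc/Rsmi"; sid:2;)'
FIX_RAW = HDR + 'content:"/test"; nocase; http_raw_uri; pcre:"/^abc/RsmiI"; sid:3;)'

if __name__ == "__main__":
    for name, rule in (("broken", BROKEN), ("plain content", FIX_PLAIN), ("pcre I", FIX_RAW)):
        print(name, relative_pcre_buffer_mismatches(rule))
```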



