[Oisf-devel] another FP with pcre I option on suricata v121
rmkml
rmkml at yahoo.fr
Sun Jan 22 12:57:01 UTC 2012
Hi,
I have a FP with this simple signature and the attached pcap file:
alert tcp any any -> any 80 (msg:"suricata pcre I test"; flow:to_server,established; content:".php/"; nocase; http_raw_uri; pcre:"/^[^\n]*\.php\/$/Ii"; classtype:attempted-admin; sid:9410351; rev:1;)
If I remove "$" from the pcre, suricata fires and it's true.
If I remember correctly, "$" is the http_raw_uri ending.
I have tested with a suricata rule like "alert http any..." but it's an FP again.
Can anyone confirm please? If yes, I'll open a new ticket on redmine.
Of course, snort does not fire.
Regards
Rmkml
PS: simulated HTTP with wget "http://ibiblio.org/abc.php/a"
Attachment (non-text, scrubbed from the archive): exemple_http_php_suricata.pcap, application/octet-stream, 7090 bytes
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-devel/attachments/20120122/b70948fa/attachment.obj>
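Added example (not the poster's code and not part of Suricata): a small Python harness that applies the pcre option from the rule above to the raw URI of the request the PS describes, with and without the trailing "$", so the regex's own behaviour on "/abc.php/a" can be pinned down before filing a ticket. The request bytes are constructed to resemble what wget sends; the "I" modifier is treated as the http_raw_uri buffer selector (as the post states) and only the PCRE flags i/s/m/x are mapped onto Python's re module.

```python
import re

# Constructed sample request, modelled on wget fetching http://ibiblio.org/abc.php/a
SAMPLE_REQUEST = (
    b"GET /abc.php/a HTTP/1.0\r\n"
    b"User-Agent: Wget/1.12 (linux-gnu)\r\n"
    b"Host: ibiblio.org\r\n"
    b"\r\n"
)

# Suricata buffer selectors that are not PCRE flags (assumption: only the two we need here)
BUFFER_SELECTORS = {"I": "http_raw_uri", "U": "http_uri"}
PCRE_FLAGS = {"i": re.IGNORECASE, "s": re.DOTALL, "m": re.MULTILINE, "x": re.VERBOSE}


def raw_uri(request: bytes) -> str:
    """Return the raw (un-normalised) URI from the request line, i.e. the http_raw_uri buffer."""
    request_line = request.split(b"\r\n", 1)[0]
    _method, uri, _version = request_line.split(b" ", 2)
    return uri.decode("latin-1")


def split_pcre(option: str):
    """Split a Suricata pcre value like /<regex>/<modifiers> into (regex, modifiers)."""
    if not option.startswith("/"):
        raise ValueError("pcre option must start with '/'")
    body, _, modifiers = option.rpartition("/")
    return body[1:], modifiers


def pcre_matches(option: str, uri: str) -> bool:
    """Evaluate the pcre option against a raw URI using Python's re (PCRE-compatible for this pattern)."""
    regex, modifiers = split_pcre(option)
    flags = 0
    for mod in modifiers:
        if mod in BUFFER_SELECTORS:
            continue  # selects the buffer (raw URI here); not a regex flag
        if mod not in PCRE_FLAGS:
            raise ValueError(f"unsupported pcre modifier {mod!r}")
        flags |= PCRE_FLAGS[mod]
    # Note: Python's "$" also matches before a trailing "\n"; the raw URI never contains one.
    return re.search(regex, uri, flags) is not None


if __name__ == "__main__":
    uri = raw_uri(SAMPLE_REQUEST)
    print(uri, "with $:", pcre_matches(r"/^[^\n]*\.php\/$/Ii", uri),
          "without $:", pcre_matches(r"/^[^\n]*\.php\//Ii", uri))
```

On "/abc.php/a" the anchored form should not match while the unanchored one should, which is the behaviour the post says Suricata diverges from.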