[Oisf-devel] another FP with pcre I option on suricata v121

Victor Julien victor at inliniac.net
Mon Jan 30 15:34:43 UTC 2012


On 01/22/2012 01:57 PM, rmkml wrote:
> Hi,
> I have a FP with this simple signature and attached pcap file:
>  alert tcp any any -> any 80 (msg:"suricata pcre I test";
> flow:to_server,established; content:".php/"; nocase; http_raw_uri;
> pcre:"/^[^\n]*\.php\/$/Ii"; classtype:attempted-admin; sid:9410351;
> rev:1; )
> 
> If I remove "$" on pcre, suricata fires and it's true.
> If I remember correctly, "$" is the http_raw_uri ending.
> I have tested with a suricata rule like "alert http any..." but FP again.
> Can anyone confirm, please? If yes, I'll open a new ticket on redmine.

Confirmed, please open a ticket. I'm getting 5 alerts on this pcap,
which is strange as well, as there is only a single URI.

Thanks Rmkml!

Cheers,
Victor

-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
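The following is an added example, not code from the thread or from the Suricata project. It exercises the rule's PCRE (`/^[^\n]*\.php\/$/i`) against a few constructed raw-URI strings so a rule author can see which URIs the expression accepts before loading it into the engine. Python's `re` module stands in for PCRE here: both treat an unanchored `$` as matching either at the very end of the subject or just before a single trailing newline, and both offer a strict end-of-buffer anchor (`\Z` in Python, `\z` in PCRE), which the second function uses for comparison. The `I` modifier selects Suricata's raw-URI buffer and has no regex-engine equivalent, so the URI strings are passed in directly. The sample URIs are constructed for this example and are not taken from the pcap discussed above.

```python
import re

# Regex body of the rule's pcre option as posted in the thread (the /i flag
# becomes re.IGNORECASE; the /I buffer selector has no regex equivalent).
RULE_PCRE = r"^[^\n]*\.php/$"

# Same expression with the strict end-of-buffer anchor: \Z in Python,
# which corresponds to \z in PCRE.
STRICT_PCRE = r"^[^\n]*\.php/\Z"


def matches_rule_pcre(raw_uri: str) -> bool:
    """True if the rule's PCRE, as written, matches this raw URI."""
    return re.search(RULE_PCRE, raw_uri, re.IGNORECASE) is not None


def matches_strict_end(raw_uri: str) -> bool:
    """True if the variant anchored to the true end of the buffer matches."""
    return re.search(STRICT_PCRE, raw_uri, re.IGNORECASE) is not None


def evaluate(raw_uris):
    """Return {uri: (rule_match, strict_match)} for each constructed URI."""
    return {u: (matches_rule_pcre(u), matches_strict_end(u)) for u in raw_uris}


# Constructed sample raw URIs (hypothetical; not from the pcap in the thread).
SAMPLE_URIS = [
    "/index.php/",          # intended match: ends in ".php/"
    "/admin/Index.PHP/",    # case-insensitive match via /i
    "/index.php/foo",       # ".php/" not at the end: should not match
    "/index.php",           # no trailing slash: should not match
    "/index.php/\n",        # trailing newline: plain $ still matches, \Z does not
]

if __name__ == "__main__":
    for uri, (rule_hit, strict_hit) in evaluate(SAMPLE_URIS).items():
        print(f"{uri!r:22} rule $: {rule_hit!s:5} strict \\Z: {strict_hit}")
```

Running the script prints one line per URI; the last row is the only one where the two anchors disagree, which is the general caveat to keep in mind whenever `$` is used to mean "end of buffer" in a signature.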