[Oisf-devel] http_cookie and depth/offset question please

Anoop Saldanha anoopsaldanha at gmail.com
Wed Jul 11 14:14:49 UTC 2012


On Wed, Jul 11, 2012 at 6:24 PM, rmkml at yahoo.fr <rmkml at yahoo.fr> wrote:
> Hi,
> I'm testing whether this rule works correctly:
> alert any any -> any 80 (msg:"test1"; flow:to_server,established;
> content:"hear"; within:4; distance:0; http_cookie; ...
>
> my network traffic contains:
>  GET ....
>  Cookie: hear...
>
> ok
>
> If I change to within:3
> Suricata stop with error: good!
>
>
> ok I move to depth/offset fire:
> alert any any -> any 80 (msg:"test3"; flow:to_server,established;
> content:"hear"; depth:4; offset:0; http_cookie; ...
>
> another test fires but gives no error, why? (reduced depth value)
> alert any any -> any 80 (msg:"test4"; flow:to_server,established;
> content:"hear"; depth:3; offset:0; http_cookie; ...
>
> Could someone check/replay, please? I'll open a new redmine ticket if you need.
> Regards
> Rmkml

We update the depth to content_length, if depth < content_length.
Probably a bug, yeah.

-- 
Anoop Saldanha
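The check the thread is asking for, as an added example (not Suricata's own code): a small rule lint that decodes a content pattern's length and flags a depth or within that is shorter than it, so test4 above would be rejected the same way the within:3 variant is. It goes a little beyond the plain-text patterns in the thread by also counting |hex| blocks and backslash escapes; the rule strings and option grammar are assumed from the examples in the mail.

```python
"""Rule lint: flag a content whose depth/within is shorter than the pattern itself."""
import re

# A Suricata content pattern may contain |41 42| hex runs and \| \; \" \\ escapes.
_HEX = re.compile(r"\|([0-9A-Fa-f\s]+)\|")
# One option: name, optional ':' value (quoted or up to the next ';'), terminating ';'.
_OPT = re.compile(r'(\w+)(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?;')


def content_length(pattern: str) -> int:
    """Byte length of a content pattern after decoding hex runs and escapes."""
    length = 0
    pos = 0
    while pos < len(pattern):
        if pattern[pos] == "|":
            m = _HEX.match(pattern, pos)
            if not m:
                raise ValueError("unterminated hex block in content")
            length += len(m.group(1).split())  # each hex pair is one byte
            pos = m.end()
        elif pattern[pos] == "\\":
            length += 1  # escaped literal counts as one byte
            pos += 2
        else:
            length += 1
            pos += 1
    return length


def lint_rule(rule: str) -> list:
    """Return a problem string for each depth/within shorter than its content.

    Options are read in order; depth and within apply to the most recent
    content keyword, which is how Suricata scopes them.
    """
    body = rule[rule.index("(") + 1 : rule.rindex(")")]
    problems = []
    current = None  # (pattern text, decoded byte length) of the last content
    for name, value in _OPT.findall(body):
        if name == "content":
            pattern = value.strip().lstrip("!").strip('"')  # drop negation and quotes
            current = (pattern, content_length(pattern))
        elif name in ("depth", "within") and current is not None:
            limit = int(value)
            if limit < current[1]:
                problems.append(
                    f'{name}:{limit} is shorter than content "{current[0]}" ({current[1]} bytes)'
                )
    return problems
```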
