[Oisf-devel] Suricata FN on http_header or http_user_agent
Anoop Saldanha
anoopsaldanha at gmail.com
Tue Jul 17 16:06:47 UTC 2012
Hi rmkml,
Can you open a bug on this?
On Tue, Jul 17, 2012 at 9:28 PM, rmkml at yahoo.fr <rmkml at yahoo.fr> wrote:
> Hi,
> Can anyone confirm my strange results, please? If yes, I will open a new Redmine
> ticket.
>
> OK, start a wget HTTP request:
> wget --user-agent="Mozilla\";" http://x.y.com
> (the result is User-Agent: Mozilla"; )
>
> 1) OK, create a very simple sig, Suricata fires:
> ... flow:to_server,established; content:"\"\;"; ...
>
>
> 2) Another sig, but Suricata does not fire, why?
> ... flow:to_server,established; content:"\"\;"; http_header; ...
>
>
> 3) Another sig, but Suricata does not fire, why?
> ... flow:to_server,established; content:"\"\;"; http_user_agent; ...
>
> Same problem when replacing " with |22|
> or ; with |3b|.
>
> Of course Snort fires every time.
> Regards
> Rmkml
--
Anoop Saldanha
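
A small model of what the three signatures in the quoted report are asked to match, as an added example that is not part of the original thread and is not Suricata's code. It decodes the content pattern (including the |22| and |3b| spellings) and checks it against simplified stand-ins for the raw stream, http_header and http_user_agent buffers; the request bytes are constructed from the wget command above, and the function names and buffer splitting are assumptions.

```python
def decode_content(pattern: str) -> bytes:
    """Decode the text between the quotes of a content keyword to raw bytes."""
    out, i = bytearray(), 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\":  # backslash escape such as \" or \;
            if i + 1 >= len(pattern):
                raise ValueError("dangling backslash")
            out += pattern[i + 1].encode("latin-1")
            i += 2
        elif ch == "|":  # |22| or |22 3b| hex notation
            end = pattern.find("|", i + 1)
            if end == -1:
                raise ValueError("unterminated |hex| run")
            out += bytes.fromhex(pattern[i + 1:end])
            i = end + 1
        else:
            out += ch.encode("latin-1")
            i += 1
    return bytes(out)


# Constructed request modelled on the wget command in the report
# (x.y.com is the placeholder host used there; other headers are assumed).
REQUEST = (b'GET / HTTP/1.1\r\n'
           b'User-Agent: Mozilla";\r\n'
           b'Accept: */*\r\n'
           b'Host: x.y.com\r\n'
           b'Connection: Keep-Alive\r\n\r\n')


def buffers(request: bytes) -> dict:
    """Split a request into simplified stand-ins for the three inspected buffers."""
    head = request.split(b"\r\n\r\n", 1)[0]
    _request_line, _, headers = head.partition(b"\r\n")
    user_agent = b""
    for line in headers.split(b"\r\n"):
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"user-agent":
            user_agent = value.strip()
    return {"raw": request, "http_header": headers, "http_user_agent": user_agent}


def expected_matches(pattern: str, request: bytes = REQUEST) -> dict:
    """Report, per modelled buffer, whether the decoded pattern is present."""
    needle = decode_content(pattern)
    return {name: needle in buf for name, buf in buffers(request).items()}
```

All three spellings of the pattern decode to the bytes 0x22 0x3b, and in this model those bytes are present in every buffer, which is the behaviour the report expects from signatures 2 and 3.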