[Oisf-devel] Suricata http request double encoded null byte FN

rmkml rmkml at yahoo.fr
Sat May 19 00:37:24 UTC 2012


Hi,

OK, I'm continuing my Suricata testing. Could someone check this, please? (If confirmed, I'll open a new ticket.)

OK, tested with this command:
  wget "http://192.168.1.1/a%2500b.c"


Next, using only two Suricata signatures:

Fires:
alert tcp any any -> any 80 (msg:"null byte http encoded 1"; flow:to_server,established; content:"%2500"; classtype:attempted-recon; sid:21; rev:1;)

Does not fire:
alert tcp any any -> any 80 (msg:"null byte http encoded 2"; flow:to_server,established; content:"|00|"; http_uri; classtype:attempted-recon; sid:22; rev:1;)


Suricata does not fire when detecting a double-encoded null byte with http_uri; of course Snort always fires.

Tested on Suricata git as of 16 May 2012; same results with v1.2.1.

Regards
Rmkml

http://twitter.com/rmkml
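Added example (not part of the post above, and not Suricata's or libhtp's code): a small model of what the two rules see. It assumes that the http_uri buffer is the request URI after exactly one pass of percent-decoding, which is why "%2500" ends up as the three literal bytes "%00" rather than a NUL, and that only a second decoding pass (a "double decode" normalizer) would produce the NUL byte that sid:22 looks for. Function names and the constructed request line are illustration only.

```python
import re

# Matches one %XX escape with two hex digits; malformed escapes such as
# "%2G" or a trailing "%" are left untouched, as a tolerant normalizer would.
_PCT = re.compile(rb"%([0-9A-Fa-f]{2})")


def percent_decode_once(raw: bytes) -> bytes:
    """One pass of %XX -> byte decoding."""
    return _PCT.sub(lambda m: bytes([int(m.group(1).decode("ascii"), 16)]), raw)


def percent_decode(raw: bytes, passes: int) -> bytes:
    """Apply percent-decoding `passes` times (1 = single decode, 2 = double decode)."""
    out = raw
    for _ in range(passes):
        out = percent_decode_once(out)
    return out


def http_uri_buffer(raw_uri: bytes) -> bytes:
    """Model of the http_uri buffer: assumed to be a single-pass decode of the raw URI."""
    return percent_decode(raw_uri, 1)


def rule_21_raw_content(raw_request: bytes) -> bool:
    """sid:21 equivalent: literal '%2500' anywhere in the raw to_server payload."""
    return b"%2500" in raw_request


def rule_22_http_uri_nul(raw_uri: bytes, passes: int = 1) -> bool:
    """sid:22 equivalent: NUL byte (|00|) in the decoded URI buffer.

    `passes` lets you compare a single-decode engine (1) with a
    double-decode engine (2) on the same request.
    """
    return b"\x00" in percent_decode(raw_uri, passes)


def rule_http_uri_encoded_nul(raw_uri: bytes) -> bool:
    """A rule that does fire on a single-decode buffer: content:"%00"; http_uri;

    After one decode pass, "%2500" has become the literal bytes "%00", so
    matching the still-encoded form catches the double-encoded null byte.
    """
    return b"%00" in http_uri_buffer(raw_uri)


if __name__ == "__main__":
    # Constructed request, mirroring wget "http://192.168.1.1/a%2500b.c"
    uri = b"/a%2500b.c"
    request = b"GET " + uri + b" HTTP/1.1\r\nHost: 192.168.1.1\r\n\r\n"
    print("http_uri buffer (1 pass):", http_uri_buffer(uri))
    print("after 2 passes          :", percent_decode(uri, 2))
    print("sid:21 raw '%2500'       :", rule_21_raw_content(request))
    print("sid:22 |00| http_uri, 1x :", rule_22_http_uri_nul(uri, 1))
    print("sid:22 |00| http_uri, 2x :", rule_22_http_uri_nul(uri, 2))
    print("'%00' http_uri, 1x       :", rule_http_uri_encoded_nul(uri))
```

Run as a script to see the two buffers side by side: the single-pass buffer still contains the literal "%00", so a |00| match can only succeed if the engine decodes twice. The practical check when writing the rule is to look for both forms (the decoded NUL and the still-encoded "%00") in the http_uri buffer, since which one you see depends on how many decoding passes the normalizer performs.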



