[Oisf-devel] Suricata http request double encoded null byte FN
rmkml
rmkml at yahoo.fr
Sat May 19 00:37:24 UTC 2012
Hi,
OK, I'm continuing my Suricata testing. Can someone check this, please? (If yes/confirmed, I'll open a new ticket.)
OK, tested with this command:
wget "http://192.168.1.1/a%2500b.c"
Next, use only these two Suricata signatures:
Fires:
alert tcp any any -> any 80 (msg:"null byte http encoded 1"; flow:to_server,established; content:"%2500"; classtype:attempted-recon; sid:21; rev:1;)
Does not fire:
alert tcp any any -> any 80 (msg:"null byte http encoded 2"; flow:to_server,established; content:"|00|"; http_uri; classtype:attempted-recon; sid:22; rev:1;)
Suricata does not fire when detecting a double-encoded null byte with http_uri; of course, Snort always fires.
Tested on Suricata git as of 16 May 2012; same results with v1.2.1.
Regards
Rmkml
http://twitter.com/rmkml
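Added example (not code from the original post, from Suricata or from Snort): a small model of why the two rules behave differently. sid 21 has no buffer modifier, so its content is matched against the raw payload, where the bytes "%2500" are literally present. sid 22 uses http_uri, so it is matched against a normalized URI buffer, and what that buffer contains depends on how many percent-decoding passes the engine applies: one pass turns "%2500" into "%00" (still no NUL byte), and only a second pass produces the 0x00 that `content:"|00|"` looks for. The number of decode passes is a parameter here, an assumption used for illustration rather than a statement of either engine's actual normalization pipeline; the request lines are constructed to match the wget command in the post.

```python
"""Model of raw-payload versus normalized-URI rule matching for a
double-encoded null byte. Added example; not from the original post,
Suricata or Snort. The decode-pass count is an assumption."""

HEX = b"0123456789abcdefABCDEF"


def percent_decode_once(data: bytes) -> bytes:
    """One pass of %XX decoding. Malformed sequences (non-hex or truncated)
    are copied through unchanged rather than dropped."""
    out = bytearray()
    i = 0
    while i < len(data):
        c = data[i]
        if (c == 0x25 and i + 2 < len(data)
                and data[i + 1] in HEX and data[i + 2] in HEX):
            out.append(int(data[i + 1:i + 3], 16))
            i += 3
        else:
            out.append(c)
            i += 1
    return bytes(out)


def percent_decode(data: bytes, passes: int) -> bytes:
    """Apply percent-decoding `passes` times (1 = single decode, 2 = double)."""
    for _ in range(passes):
        data = percent_decode_once(data)
    return data


def uri_from_request_line(request_line: bytes) -> bytes:
    """Pull the request-target out of 'METHOD target VERSION'."""
    return request_line.split(b" ", 2)[1]


# The two rules from the post, reduced to what matters for matching:
# sid 21 has no modifier (raw payload), sid 22 carries http_uri.
RULES = {
    21: {"content": b"%2500", "buffer": "raw"},
    22: {"content": b"\x00", "buffer": "http_uri"},
}


def evaluate_rules(request_line: bytes, uri_decode_passes: int) -> dict:
    """Return {sid: fired} for one request line. The normalized URI buffer
    is modelled as the raw request-target decoded `uri_decode_passes` times
    (assumption for illustration, not an engine's real pipeline)."""
    buffers = {
        "raw": request_line,
        "http_uri": percent_decode(uri_from_request_line(request_line),
                                   uri_decode_passes),
    }
    return {sid: rule["content"] in buffers[rule["buffer"]]
            for sid, rule in RULES.items()}


# Constructed request line corresponding to the wget command in the post.
REQUEST_DOUBLE_ENCODED = b"GET /a%2500b.c HTTP/1.1\r\n"
# Same request with a single-encoded NUL, for contrast (also constructed).
REQUEST_SINGLE_ENCODED = b"GET /a%00b.c HTTP/1.1\r\n"


if __name__ == "__main__":
    for passes in (1, 2):
        print(f"{passes} decode pass(es):",
              "double-encoded ->", evaluate_rules(REQUEST_DOUBLE_ENCODED, passes),
              "| single-encoded ->", evaluate_rules(REQUEST_SINGLE_ENCODED, passes))
```

Under this model, a single decode pass reproduces the post's observation (sid 21 fires, sid 22 does not) and a second pass reproduces the Snort behaviour (both fire). It also shows what the once-decoded buffer actually contains, "%00", which is what a rule on that buffer would have to look for; whether a given engine version decodes once or twice is exactly the question the post raises and should be checked against that engine's normalization settings rather than assumed from this model.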