[Oisf-devel] Suricata http request double encoded null byte FN

Anoop Saldanha anoopsaldanha at gmail.com
Sat May 19 07:35:15 UTC 2012


On Sat, May 19, 2012 at 6:07 AM, rmkml <rmkml at yahoo.fr> wrote:
> Hi,
>
> OK, I'm continuing my Suricata testing. Can someone check this, please? (If you confirm, I'll open a new ticket.)
>
> OK, tested with this command:
>  wget "http://192.168.1.1/a%2500b.c"
>
>
> next, use only two Suricata signatures:
>
> fire:
> alert tcp any any -> any 80 (msg:"null byte http encoded 1"; flow:to_server,established; content:"%2500"; classtype:attempted-recon; sid:21; rev:1;)
>
> not fire:
> alert tcp any any -> any 80 (msg:"null byte http encoded 2"; flow:to_server,established; content:"|00|"; http_uri; classtype:attempted-recon; sid:22; rev:1;)
>
>
> Suricata does not fire when detecting a double-encoded null byte with http_uri; of course, Snort always fires.
>
> Tested on Suricata git as of 16 May 2012. Same results with v1.2.1.
>
> Regards
> Rmkml
>
> http://twitter.com/rmkml
>
> _______________________________________________
> Oisf-devel mailing list
> Oisf-devel at openinfosecfoundation.org
> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel

Looks like a normalization problem. You can open a bug on this. Thanks, rmkml.

-- 
Anoop Saldanha
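The behaviour in the thread can be reproduced offline with a small percent-decoding routine. This is an added illustration, not Suricata's or Snort's own normalization code; it assumes the request path `/a%2500b.c` from the wget command above as its constructed input. It shows why a `content:"|00|"; http_uri;` rule cannot match after a single decoding pass (`%2500` becomes the three literal bytes `%00`, not a null), why a second pass does expose the null byte, and a simple defender-side check that flags nested encoding regardless of what the innermost byte turns out to be.

```python
from typing import Tuple

HEX_DIGITS = b"0123456789abcdefABCDEF"


def percent_decode_once(uri: bytes) -> bytes:
    """Decode exactly one layer of %XX escapes; malformed escapes are left untouched."""
    out = bytearray()
    i = 0
    while i < len(uri):
        if (uri[i:i + 1] == b"%" and len(uri) >= i + 3
                and uri[i + 1] in HEX_DIGITS and uri[i + 2] in HEX_DIGITS):
            out.append(int(uri[i + 1:i + 3], 16))
            i += 3
        else:
            out.append(uri[i])
            i += 1
    return bytes(out)


def normalize_uri(uri: bytes, max_passes: int) -> Tuple[bytes, int]:
    """Apply up to max_passes decoding passes, stopping early once a pass changes nothing.

    Returns (normalized_uri, passes_actually_applied)."""
    applied = 0
    while applied < max_passes:
        decoded = percent_decode_once(uri)
        if decoded == uri:
            break
        uri = decoded
        applied += 1
    return uri, applied


def http_uri_matches(raw_uri: bytes, content: bytes, max_passes: int) -> bool:
    """Model a `content:...; http_uri;` test against a URI normalized with max_passes decodes."""
    normalized, _ = normalize_uri(raw_uri, max_passes)
    return content in normalized


def is_double_encoded(raw_uri: bytes) -> bool:
    """True when a second decoding pass would still change the URI, i.e. nested encoding.

    A detection rule keyed on this property fires on `%25XX`-style requests without
    depending on which byte the inner escape finally decodes to."""
    once = percent_decode_once(raw_uri)
    return once != raw_uri and percent_decode_once(once) != once


# Constructed sample: the path requested by the wget command in the thread.
RAW_URI = b"/a%2500b.c"
```

Running the functions on `RAW_URI` gives `/a%00b.c` after one pass and `/a\x00b.c` after two, so the null-byte `http_uri` rule only has a chance to match when the engine decodes twice (or, as the reply suggests, normalizes the nested escape).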
