[Oisf-devel] FP with Suricata v1.4.6 and negated http_raw_uri
rmkml
rmkml at yahoo.fr
Sat Nov 9 00:49:07 UTC 2013
Hi,
First, thank you for the very good IPS/IDS Suricata engine!
OK, I'm continuing my testing and found a new FP;
if anyone confirms, I'll open a new Redmine ticket.
Attached pcap file generated with (curl HTTP/1.1 pipelining):
curl -v http://www.debian-fr.org/styles/debianfr2/theme/images/icon_mini_faq.gif http://www.debian-fr.org/download/file.php?avatar=7.png
Suricata v1.4.6 fires with only this sig (negated http_raw_uri):
alert tcp any any -> any 80 (msg:"test negated http_raw_uri"; flow:to_server,established; content:".php"; nocase; http_uri; content:!"="; http_raw_uri; classtype:attempted-admin; sid:1; rev:1; )
11/09/2013-01:33:52.103607 [**] [1:1:1] test negated http_raw_uri [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.168.1.2:46553 -> 91.121.50.62:80
Of course Snort does not fire.
Suricata v1.4.6 does not fire with negated http_uri:
alert tcp any any -> any 80 (msg:"test negated http_raw_uri"; flow:to_server,established; content:".php"; nocase; http_uri; content:!"="; http_uri; classtype:attempted-admin; sid:2; rev:1; )
Discovered during my new project http://etplc.org
Regards
@Rmkml
-------------- next part --------------
A non-text attachment was scrubbed...
Name: suricatafpnegatedhttprawurihttppipelining.pcap
Type: application/vnd.tcpdump.pcap
Size: 6418 bytes
Desc:
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-devel/attachments/20131109/ec71a271/attachment.bin>
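The expected per-request semantics of the two signatures above, as an added example that is not part of the original post and not Suricata's or Snort's own code: a small Python evaluator splits a pipelined client stream into individual requests, builds a raw URI buffer (the request-line URI verbatim) and an approximate normalized URI buffer (percent-decoding plus "." / ".." and "//" path cleanup) per request, and applies each content match to the buffer its modifier names, honouring negation and nocase. The sample stream, the `split_pipelined_requests`, `raw_uri`, `normalized_uri` and `evaluate_stream` helpers, and the simplified normalization are constructed here; the only real normalization Suricata performs is more involved. Evaluated one request at a time, neither sid 1 nor sid 2 matches either URI from the post (the .gif has no ".php", the .php request has "=" in both buffers), while a request such as `/admin/index.PHP` does match sid 1, so the evaluator is not vacuous.

```python
"""Per-request evaluation of Suricata-style http_uri / http_raw_uri rules
over a pipelined HTTP/1.1 client stream (added illustration, not engine code)."""
from __future__ import annotations
from urllib.parse import unquote

# Constructed sample: two pipelined GET requests in one TCP stream, modelled
# on the two URLs from the post (bodiless requests, as curl sends them).
PIPELINED_STREAM = (
    b"GET /styles/debianfr2/theme/images/icon_mini_faq.gif HTTP/1.1\r\n"
    b"Host: www.debian-fr.org\r\nUser-Agent: curl/7.x\r\nAccept: */*\r\n\r\n"
    b"GET /download/file.php?avatar=7.png HTTP/1.1\r\n"
    b"Host: www.debian-fr.org\r\nUser-Agent: curl/7.x\r\nAccept: */*\r\n\r\n"
)

# Rules as (buffer, pattern, negated, nocase) content tuples.
SID1 = [("http_uri", b".php", False, True), ("http_raw_uri", b"=", True, False)]
SID2 = [("http_uri", b".php", False, True), ("http_uri", b"=", True, False)]


def split_pipelined_requests(stream: bytes) -> list[bytes]:
    """Split a client-to-server stream into request heads.

    Only bodiless requests (GET/HEAD) are handled: each request ends at the
    first empty line. An incomplete trailing request is ignored.
    """
    requests = []
    while stream:
        head, sep, rest = stream.partition(b"\r\n\r\n")
        if not sep:
            break
        requests.append(head + sep)
        stream = rest
    return requests


def raw_uri(request: bytes) -> bytes:
    """http_raw_uri: the URI exactly as written on the request line."""
    request_line = request.split(b"\r\n", 1)[0]
    return request_line.split(b" ")[1]


def normalized_uri(request: bytes) -> bytes:
    """http_uri: simplified normalized buffer (percent-decoding of the path,
    removal of empty and '.' segments, resolution of '..'); query kept."""
    path, q, query = raw_uri(request).partition(b"?")
    decoded = unquote(path.decode("latin-1")).encode("latin-1")
    segs: list[bytes] = []
    for seg in decoded.split(b"/"):
        if seg in (b"", b"."):
            continue
        if seg == b"..":
            if segs:
                segs.pop()
            continue
        segs.append(seg)
    return b"/" + b"/".join(segs) + q + query


def content_matches(buffer: bytes, pattern: bytes, nocase: bool) -> bool:
    if nocase:
        return pattern.lower() in buffer.lower()
    return pattern in buffer


def rule_fires(rule, request: bytes) -> bool:
    """All content keywords must hold on the buffers of THIS request only."""
    buffers = {"http_uri": normalized_uri(request), "http_raw_uri": raw_uri(request)}
    for buf_name, pattern, negated, nocase in rule:
        found = content_matches(buffers[buf_name], pattern, nocase)
        # a positive content that is absent, or a negated one that is present,
        # fails the rule
        if found == negated:
            return False
    return True


def evaluate_stream(rule, stream: bytes) -> list[bytes]:
    """Raw URIs of the requests in `stream` on which `rule` fires."""
    return [raw_uri(r) for r in split_pipelined_requests(stream) if rule_fires(rule, r)]


if __name__ == "__main__":
    for name, rule in (("sid:1", SID1), ("sid:2", SID2)):
        print(name, "fires on:", evaluate_stream(rule, PIPELINED_STREAM))
```

Running the block prints an empty list for both sids on the pipelined stream, which is the result the post expects; the evaluator is deliberately per-transaction so that a buffer from one pipelined request can never be tested against a keyword from the next, and the `/a/../file%2Ephp` case shows why the distinction between the raw and normalized buffer matters for a negated match.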