[Oisf-devel] FP with Suricata v1.4.6 and negated http_raw_uri

Victor Julien victor at inliniac.net
Mon Nov 11 09:16:05 UTC 2013


On 11/09/2013 01:49 AM, rmkml wrote:
> Hi,
> 
> First, thank you for the very good IPS/IDS Suricata engine!
> 
> OK, I'm continuing my testing and found a new FP,
> 
> if anyone confirms, I'll open a new Redmine ticket.
> 
> Attached pcap file generated with:
> (curl HTTP v1.1 pipelining)
> 
> curl -v
> http://www.debian-fr.org/styles/debianfr2/theme/images/icon_mini_faq.gif
> http://www.debian-fr.org/download/file.php?avatar=7.png
> 
> Suricata v1.4.6 fires with only this sig (negated http_raw_uri):
> 
> alert tcp any any -> any 80 (msg:"test negated http_raw_uri";
> flow:to_server,established; content:".php"; nocase; http_uri;
> content:!"="; http_raw_uri; classtype:attempted-admin; sid:1; rev:1; )
> 
> 11/09/2013-01:33:52.103607  [**] [1:1:1] test negated http_raw_uri [**]
> [Classification: Attempted Administrator Privilege Gain] [Priority: 1]
> {TCP} 192.168.1.2:46553 -> 91.121.50.62:80
> 
> Of course Snort does not fire.
> 
> 
> Suricata v1.4.6 does not fire with negated http_uri:
> 
> alert tcp any any -> any 80 (msg:"test negated http_raw_uri";
> flow:to_server,established; content:".php"; nocase; http_uri;
> content:!"="; http_uri; classtype:attempted-admin; sid:2; rev:1; )

This looks like a consequence of how we handle transactions in 1.4. In
2.0dev this is fixed, there all HTTP inspection is strictly done per TX.
Feel free to open a ticket, but the fix will be 2.0.

-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
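To make the per-transaction point in the reply concrete, here is an added Python model (not Suricata's code, and not rmkml's pcap) of the two pipelined requests from the report. It parses a constructed client-to-server byte stream into one transaction per request and evaluates the two content checks of sid:1 in two ways: strictly per transaction, as the reply says 2.0 does, and in a hypothetical "cross-transaction" mode where each keyword may be satisfied by any request in the pipelined batch. The normalisation of `http_uri` is a simplified stand-in (percent-decoding and `/./` collapsing) and is an assumption; the cross-transaction mode is an illustration of why per-TX inspection matters, not a description of the 1.4 code path.

```python
"""Per-transaction vs cross-transaction evaluation of the negated
http_raw_uri rule from the thread, on pipelined HTTP/1.1 requests.
Added illustration; not Suricata source."""
from __future__ import annotations
from dataclasses import dataclass
from urllib.parse import unquote


@dataclass
class Transaction:
    method: str
    raw_uri: str   # what http_raw_uri would inspect
    host: str

    @property
    def norm_uri(self) -> str:
        # Simplified stand-in for Suricata's normalised http_uri buffer:
        # percent-decoding plus collapsing "/./" segments (assumption).
        uri = unquote(self.raw_uri)
        while "/./" in uri:
            uri = uri.replace("/./", "/")
        return uri


def parse_pipelined(data: bytes) -> list[Transaction]:
    """Split a client stream into one Transaction per request.
    Handles header-only requests (no bodies), which is all pipelined GETs need."""
    txs = []
    for chunk in data.split(b"\r\n\r\n"):
        if not chunk.strip():
            continue
        lines = chunk.decode("ascii").split("\r\n")
        method, uri, _version = lines[0].split(" ", 2)
        headers = dict(l.split(": ", 1) for l in lines[1:] if ": " in l)
        txs.append(Transaction(method, uri, headers.get("Host", "")))
    return txs


# sid:1 from the thread reduced to its two content checks:
# (buffer, pattern, nocase, positive-match?)
RULE = [
    ("http_uri", ".php", True, True),
    ("http_raw_uri", "=", False, False),   # content:!"=" is negated
]


def _buffer(tx: Transaction, name: str) -> str:
    return tx.norm_uri if name == "http_uri" else tx.raw_uri


def _content_matches(buf: str, pattern: str, nocase: bool) -> bool:
    return pattern.lower() in buf.lower() if nocase else pattern in buf


def eval_per_tx(txs: list[Transaction]) -> list[int]:
    """Strict per-transaction inspection: every keyword is evaluated against
    the buffers of the SAME transaction. Returns indices of alerting TXs."""
    alerts = []
    for i, tx in enumerate(txs):
        if all(_content_matches(_buffer(tx, b), p, nc) == pos for b, p, nc, pos in RULE):
            alerts.append(i)
    return alerts


def eval_cross_tx(txs: list[Transaction]) -> list[int]:
    """Hypothetical model of keyword buffers not tied to one transaction:
    a keyword counts as satisfied if ANY request in the batch satisfies it.
    The negated "=" check is then met by the .gif request while ".php" is
    met by the .php request, which is exactly the false positive shape."""
    fires = all(any(_content_matches(_buffer(tx, b), p, nc) == pos for tx in txs)
                for b, p, nc, pos in RULE)
    return [len(txs) - 1] if fires else []


# Constructed stream mirroring the two pipelined curl requests in the report.
PIPELINED = (
    b"GET /styles/debianfr2/theme/images/icon_mini_faq.gif HTTP/1.1\r\n"
    b"Host: www.debian-fr.org\r\nUser-Agent: curl/7.x\r\nAccept: */*\r\n\r\n"
    b"GET /download/file.php?avatar=7.png HTTP/1.1\r\n"
    b"Host: www.debian-fr.org\r\nUser-Agent: curl/7.x\r\nAccept: */*\r\n\r\n"
)

# Constructed request that SHOULD alert: .php in the URI and no "=" anywhere.
TRUE_POSITIVE = b"GET /admin/index.php HTTP/1.1\r\nHost: www.example.test\r\n\r\n"


if __name__ == "__main__":
    txs = parse_pipelined(PIPELINED)
    print("per-tx alerts:   ", eval_per_tx(txs))      # []  no alert, as in Snort
    print("cross-tx alerts: ", eval_cross_tx(txs))    # [1] the reported FP shape
    print("true positive:   ", eval_per_tx(parse_pipelined(TRUE_POSITIVE)))  # [0]
```

When reproducing a report like this, feed the engine the pipelined stream as one TCP session rather than two separate requests: the false positive only appears when more than one HTTP transaction is live in the same flow, which is the situation per-TX inspection is designed to keep straight.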