[Oisf-devel] FP with Suricata v1.4.6 and negated http_raw_uri

Anoop Saldanha anoopsaldanha at gmail.com
Mon Nov 11 14:17:08 UTC 2013


On Mon, Nov 11, 2013 at 2:46 PM, Victor Julien <victor at inliniac.net> wrote:
> On 11/09/2013 01:49 AM, rmkml wrote:
>> Hi,
>>
>> First, thx you for very good IPS/IDS Suricata engine !
>>
>> OK, I'm continuing my testing and found a new FP,
>>
>> if anyone confirms, I'll open a new redmine ticket.
>>
>> Attached pcap file generated with:
>> (curl http v1.1 pipelining)
>>
>> curl -v
>> http://www.debian-fr.org/styles/debianfr2/theme/images/icon_mini_faq.gif
>> http://www.debian-fr.org/download/file.php?avatar=7.png
>>
>> Suricata v1.4.6 fires with only this sig: (negated http_raw_uri)
>>
>> alert tcp any any -> any 80 (msg:"test negated http_raw_uri";
>> flow:to_server,established; content:".php"; nocase; http_uri;
>> content:!"="; http_raw_uri; classtype:attempted-admin; sid:1; rev:1; )
>>
>> 11/09/2013-01:33:52.103607  [**] [1:1:1] test negated http_raw_uri [**]
>> [Classification: Attempted Administrator Privilege Gain] [Priority: 1]
>> {TCP} 192.168.1.2:46553 -> 91.121.50.62:80
>>
>> Of course Snort does not fire.
>>
>>
>> Suricata v1.4.6 does not fire with negated http_uri:
>>
>> alert tcp any any -> any 80 (msg:"test negated http_raw_uri";
>> flow:to_server,established; content:".php"; nocase; http_uri;
>> content:!"="; http_uri; classtype:attempted-admin; sid:2; rev:1; )
>
> This looks like a consequence of how we handle transactions in 1.4. In
> 2.0dev this is fixed, there all HTTP inspection is strictly done per TX.
> Feel free to open a ticket, but the fix will be 2.0.

Just realized that I replied twice and both of them were not to the
list :) (gmail *@#@(%@)

My original reply to rmkml -

-----
This is rather a feature deficiency in suricata < 2.0.  Suricata 2.0+
has solved this issue -
http://www.poona.me/2013/05/suricata-transaction-engine-re-designed.html

To be very correct, even the first sig, which didn't alert, should have
FP'ed, but it doesn't because both keywords are of the same type and,
without going into the details, we don't FP like we do when we mix
different keyword types.

We can't provide this support in 1.4.x, but in 2.0 it's solved.
-----

-- 
-------------------------------
Anoop Saldanha
http://www.poona.me
-------------------------------
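Added illustration, not code from the thread or from Suricata: it models the two pipelined requests from the report and evaluates sid:1 once strictly per transaction (the 2.0 behaviour Victor describes) and once under an assumed, simplified model of the 1.4 deficiency where the positive http_uri match and the negated http_raw_uri check may be satisfied by different requests on the same flow.

```python
# Added illustration (not Suricata code): per-transaction evaluation of
# the rule from the thread versus a simplified cross-transaction model.
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class HttpTx:
    """One HTTP request; raw_uri is the URI as sent, uri the normalized
    form (identical here, as for the two URIs in the report)."""
    uri: str
    raw_uri: str


# Constructed from the two curl requests in the report, pipelined on one flow.
PIPELINED_FLOW = [
    HttpTx("/styles/debianfr2/theme/images/icon_mini_faq.gif",
           "/styles/debianfr2/theme/images/icon_mini_faq.gif"),
    HttpTx("/download/file.php?avatar=7.png",
           "/download/file.php?avatar=7.png"),
]


def rule_matches_tx(tx: HttpTx) -> bool:
    """sid:1: content:".php"; nocase; http_uri; content:!"="; http_raw_uri;
    with both conditions checked against the SAME transaction."""
    return ".php" in tx.uri.lower() and "=" not in tx.raw_uri


def alerts_per_tx(flow: List[HttpTx]) -> List[int]:
    """Strictly per-TX inspection: indices of transactions that alert."""
    return [i for i, tx in enumerate(flow) if rule_matches_tx(tx)]


def alerts_cross_tx(flow: List[HttpTx]) -> List[Tuple[int, int]]:
    """ASSUMED simplified model of the 1.4 deficiency: each buffer keyword
    is satisfied by whichever transaction on the flow fits it, so the
    http_uri match and the negated http_raw_uri check need not come from
    the same request. Returns (uri_tx, raw_uri_tx) pairs that alert."""
    hits = []
    for i, a in enumerate(flow):
        if ".php" not in a.uri.lower():
            continue
        for j, b in enumerate(flow):
            if "=" not in b.raw_uri:
                hits.append((i, j))
    return hits


if __name__ == "__main__":
    print("per-tx alerts:", alerts_per_tx(PIPELINED_FLOW))      # []
    print("cross-tx alerts:", alerts_cross_tx(PIPELINED_FLOW))  # [(1, 0)]
```

The per-TX evaluation yields no alert because the only ".php" request also carries "=", while the cross-TX model pairs the file.php request with the "="-free gif request, reproducing the reported false positive.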
