[Oisf-devel] request feature: urilen <> inclusive please
rmkml
rmkml at yahoo.fr
Fri Mar 13 22:59:33 UTC 2015
Hi,
First, thanks to the Suricata team and all.
I recently tested urilen on Snort, and urilen <> is inclusive there but not on Suricata, as tested.
Example: URI length is 6 (wget www.google.com/23456, attached pcap file)
1->urilen:5<>7, Suricata and Snort fire
2->urilen:5<>6, Suricata does not fire but Snort fires
(because Snort treats it like 5<>=6)
# no error on Suricata output
3->urilen:6<>7, Suricata does not fire but Snort fires
(because Snort treats it like 6=<>7)
# no error on Suricata output
Tested with these sigs:
alert tcp any any -> any 80 (msg:"urilen test 1"; flow:to_server,established; urilen:5<>7; classtype:web-application-attack; sid:1; rev:1;)
alert tcp any any -> any 80 (msg:"urilen test 2"; flow:to_server,established; urilen:5<>6; classtype:web-application-attack; sid:2; rev:1;)
alert tcp any any -> any 80 (msg:"urilen test 3"; flow:to_server,established; urilen:6<>7; classtype:web-application-attack; sid:3; rev:1;)
Could you check? If you confirm, I will open a new Redmine ticket.
Regards
@Rmkml
-------------- next part --------------
A non-text attachment was scrubbed...
Name: suricata_urilen.pcap
Type: application/vnd.tcpdump.pcap
Size: 2647 bytes
Desc:
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-devel/attachments/20150313/0556102c/attachment.bin>
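Added example (not part of the original message, and not Suricata or Snort code): a small Python model of the two `<>` interpretations reported above, run over the three test signatures to show which rules change verdict at the range boundaries. The function names and the `inclusive` flag are assumptions made for illustration.

```python
import re

# urilen option forms: N, <N, >N, N<>M, with an optional ",raw"/",norm" suffix.
URILEN_RE = re.compile(
    r"urilen:\s*(?:(\d+)\s*<>\s*(\d+)|([<>]?)\s*(\d+))\s*(?:,\s*(?:raw|norm))?\s*;")
SID_RE = re.compile(r"\bsid:\s*(\d+)\s*;")

# The three test signatures from the message.
RULES = [
    'alert tcp any any -> any 80 (msg:"urilen test 1"; flow:to_server,established; urilen:5<>7; classtype:web-application-attack; sid:1; rev:1;)',
    'alert tcp any any -> any 80 (msg:"urilen test 2"; flow:to_server,established; urilen:5<>6; classtype:web-application-attack; sid:2; rev:1;)',
    'alert tcp any any -> any 80 (msg:"urilen test 3"; flow:to_server,established; urilen:6<>7; classtype:web-application-attack; sid:3; rev:1;)',
]

def parse_urilen(rule):
    """Return ('range', lo, hi) or (op, n) with op in 'lt', 'gt', 'eq'; None if absent."""
    m = URILEN_RE.search(rule)
    if m is None:
        return None
    if m.group(1) is not None:
        return ("range", int(m.group(1)), int(m.group(2)))
    return ({"<": "lt", ">": "gt", "": "eq"}[m.group(3)], int(m.group(4)))

def matches(spec, length, inclusive):
    """Evaluate a parsed urilen spec; `inclusive` only affects the <> form."""
    if spec[0] == "range":
        _, lo, hi = spec
        return lo <= length <= hi if inclusive else lo < length < hi
    op, n = spec
    return {"lt": length < n, "gt": length > n, "eq": length == n}[op]

def compare(rules, uri):
    """Map sid -> (inclusive_result, exclusive_result) for one request URI."""
    out = {}
    for rule in rules:
        spec = parse_urilen(rule)
        sid = SID_RE.search(rule)
        if spec and sid:
            out[int(sid.group(1))] = (matches(spec, len(uri), True),
                                      matches(spec, len(uri), False))
    return out

def engine_dependent(rules, uri):
    """sids whose verdict for this URI depends on the <> interpretation."""
    return sorted(s for s, (inc, exc) in compare(rules, uri).items() if inc != exc)

if __name__ == "__main__":
    print(compare(RULES, "/23456"))
    print(engine_dependent(RULES, "/23456"))
```

Under the exclusive reading, `5<>6` and `6<>7` cannot match any integer length, so such a rule stays silent without producing an error.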