[Oisf-devel] request feature: urilen <> inclusive please
Victor Julien
victor at inliniac.net
Sat Mar 14 09:45:35 UTC 2015
On 03/13/2015 11:59 PM, rmkml wrote:
> Hi,
>
> First, thanks Suricata team and all,
>
> I recently tested urilen on Snort, and urilen <> is inclusive there, but
> not on Suricata as tested.
>
> Example: URI length is 6 (wget www.google.com/23456, joined pcap file)
>
>
> 1->urilen:5<>7, Suricata and Snort fire
>
> 2->urilen:5<>6, Suricata does not fire but Snort fires
> (because Snort uses it like 5<>=6)
> # no error on Suricata output
>
> 3->urilen:6<>7, Suricata does not fire but Snort fires
> (because Snort uses it like 6=<>7)
> # no error on Suricata output
>
> Tested with these sigs:
> alert tcp any any -> any 80 (msg:"urilen test 1";
> flow:to_server,established; urilen:5<>7;
> classtype:web-application-attack; sid:1; rev:1;)
> alert tcp any any -> any 80 (msg:"urilen test 2";
> flow:to_server,established; urilen:5<>6;
> classtype:web-application-attack; sid:2; rev:1;)
> alert tcp any any -> any 80 (msg:"urilen test 3";
> flow:to_server,established; urilen:6<>7;
> classtype:web-application-attack; sid:3; rev:1;)
>
> Could you check, and if you confirm, I will open a new Redmine ticket.
Good catch Rmkml, please open a ticket.
Cheers,
Victor
--
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
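
The three test cases from the report, as an added example that is not part of the original messages and is not Suricata or Snort code: it evaluates the quoted rules against the 6-byte URI under exclusive and inclusive `<>` bounds, reproducing the behaviour described for each engine. The function names are hypothetical, and the optional `,norm`/`,raw` modifiers are not handled.

```python
import re

# Constructed from the three test rules quoted in the thread (line wraps joined).
RULES = [
    f'alert tcp any any -> any 80 (msg:"urilen test {i}"; flow:to_server,established; '
    f'urilen:{v}; classtype:web-application-attack; sid:{i}; rev:1;)'
    for i, v in ((1, "5<>7"), (2, "5<>6"), (3, "6<>7"))
]
URI = "/23456"  # request URI from the wget test in the report, length 6

_OPT = re.compile(
    r"^\s*(?:(?P<lo>\d+)\s*<>\s*(?P<hi>\d+)|(?P<op>[<>])\s*(?P<n>\d+)|(?P<eq>\d+))\s*$")

def parse_urilen(value):
    """Return (kind, a, b) for the forms 'N', '<N', '>N' and 'MIN<>MAX'."""
    m = _OPT.match(value)
    if m is None:
        raise ValueError(f"unsupported urilen value: {value!r}")
    if m.group("lo") is not None:
        lo, hi = int(m.group("lo")), int(m.group("hi"))
        if lo > hi:
            raise ValueError(f"urilen range reversed: {value!r}")
        return ("range", lo, hi)
    if m.group("op") is not None:
        return ("lt" if m.group("op") == "<" else "gt", int(m.group("n")), None)
    return ("eq", int(m.group("eq")), None)

def urilen_matches(value, uri, inclusive_range):
    """Evaluate one urilen option; only the '<>' form depends on inclusive_range."""
    kind, a, b = parse_urilen(value)
    n = len(uri)
    if kind == "range":
        return a <= n <= b if inclusive_range else a < n < b
    return {"lt": n < a, "gt": n > a, "eq": n == a}[kind]

def firing_sids(rules, uri, inclusive_range):
    """Sids of the rules whose urilen option matches the URI."""
    sids = []
    for rule in rules:
        value = re.search(r"\burilen:([^;]+);", rule).group(1)
        sid = int(re.search(r"\bsid:(\d+);", rule).group(1))
        if urilen_matches(value, uri, inclusive_range):
            sids.append(sid)
    return sids

def semantics_dependent_sids(rules, uri):
    """Sids that fire only under inclusive bounds, i.e. where the engines disagree."""
    return sorted(set(firing_sids(rules, uri, True)) - set(firing_sids(rules, uri, False)))

if __name__ == "__main__":
    print("exclusive:", firing_sids(RULES, URI, False))
    print("inclusive:", firing_sids(RULES, URI, True))
```
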