[Oisf-users] Suricata & http_header
Victor Julien
lists at inliniac.net
Fri Oct 28 12:53:09 UTC 2011
Thanks to our QA ace Peter Manev I found an interesting peculiarity in
how we deal with http_header in Suricata: the header normalization
removes any trailing whitespace or tab characters from a header line. So
a header like:
User-Agent: doshowmeanad \r\n
becomes
User-Agent: doshowmeanad\r\n
This causes a false negative with sid 2008142 as it matches on:
content:"User-Agent|3a| doshowmeanad "; http_header;
Solution would be to either use http_raw_header or remove the trailing
whitespace from the content.
Cheers,
Victor
--
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
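An added example (not code from the original post or from Suricata itself) that models the behaviour described above: the http_header buffer has trailing spaces and tabs stripped from each header line, while http_raw_header keeps the line as sent, so the original content with its trailing space misses on the normalized buffer and the corrected content matches on both. The helper names (parse_content, normalize_header_line, evaluate) and the header line are constructed for this illustration.

```python
# Model of Suricata's http_header normalization versus http_raw_header, and of
# the false negative caused by a trailing space in a content match.
# Constructed example; not Suricata's implementation.

def parse_content(pattern: str) -> bytes:
    """Decode a Suricata content string, expanding |hex| escapes (|3a| -> ':')."""
    out = bytearray()
    for i, part in enumerate(pattern.split("|")):
        if i % 2 == 0:
            out += part.encode("latin-1")          # literal text
        else:
            out += bytes.fromhex(part.replace(" ", ""))  # hex escape
    return bytes(out)

def normalize_header_line(line: bytes) -> bytes:
    """Model of the normalization described in the post: trailing spaces and
    tabs are removed from the header line before it enters the buffer."""
    body = line.rstrip(b"\r\n")
    return body.rstrip(b" \t") + b"\r\n"

def matches(buffer: bytes, content: str) -> bool:
    """Plain substring match of a decoded content keyword against a buffer."""
    return parse_content(content) in buffer

# Constructed request header line with a trailing space before CRLF.
RAW_HEADER = b"User-Agent: doshowmeanad \r\n"
NORMALIZED_HEADER = normalize_header_line(RAW_HEADER)  # http_header buffer

# The content from sid 2008142 as quoted in the post, and the suggested fix.
ORIGINAL_CONTENT = "User-Agent|3a| doshowmeanad "
FIXED_CONTENT = "User-Agent|3a| doshowmeanad"

def evaluate() -> dict:
    """Match results for each (content, buffer) combination."""
    return {
        "original/http_header": matches(NORMALIZED_HEADER, ORIGINAL_CONTENT),
        "original/http_raw_header": matches(RAW_HEADER, ORIGINAL_CONTENT),
        "fixed/http_header": matches(NORMALIZED_HEADER, FIXED_CONTENT),
        "fixed/http_raw_header": matches(RAW_HEADER, FIXED_CONTENT),
    }

if __name__ == "__main__":
    for name, hit in evaluate().items():
        print(f"{name}: {'match' if hit else 'no match'}")
```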