[Oisf-users] http signature bug in suricata 4.0.0?

Michael Stone mstone at mathom.us
Wed Aug 16 20:37:04 UTC 2017

With the introduction of the new http keywords it seems like something's 
gone weird with signature processing for http streams. Given these two 

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"Test sig 1"; content:"FOO"; http_method; content:"/footasticfoo"; http_uri; content:"Content-Length: 0"; http_header; sid:1;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"Test sig 2"; content:"FOO"; http_method; content:"/footasticfoo"; http_uri; http_content_len; content:"0"; sid:2;)

and a sufficiently busy sensor, the first signature fires on some, but 
not all, unrelated traffic (specifically, traffic which does have 
"Content-Length: 0" but which does not use the FOO method or have 
/footasticfoo in the URI) while the second signature behaves as 
expected. Unfortunately, I haven't been able to reproduce this on either 
a lightly loaded test sensor or from pcap.

Can anyone else reproduce this?

Mike Stone

More information about the Oisf-users mailing list