[Oisf-users] http signature bug in suricata 4.0.0?
Michael Stone
mstone at mathom.us
Wed Aug 16 20:37:04 UTC 2017
With the introduction of the new http keywords it seems like something's
gone weird with signature processing for http streams. Given these two
signatures:
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"Test sig 1"; content:"FOO"; http_method; content:"/footasticfoo"; http_uri; content:"Content-Length: 0"; http_header; sid:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"Test sig 2"; content:"FOO"; http_method; content:"/footasticfoo"; http_uri; http_content_len; content:"0"; sid:2;)
and a sufficiently busy sensor, the first signature fires on some, but
not all, unrelated traffic (specifically, traffic which does have
"Content-Length: 0" but which does not use the FOO method or have
/footasticfoo in the URI) while the second signature behaves as
expected. Unfortunately, I haven't been able to reproduce this on either
a lightly loaded test sensor or from pcap.
Can anyone else reproduce this?
Mike Stone
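As an added example (not code from the post above or from Suricata itself), the following Python models the per-buffer matching the two signatures express, so the expected verdict for a constructed request can be checked: sid 1 must not fire on a plain GET that merely carries "Content-Length: 0". The buffer extraction is a simplification and an assumption about how http_method, http_uri, http_header and http_content_len are filled; it also shows that content:"0" against http_content_len is a substring test, so a Content-Length of 10 satisfies sid 2 too.

```python
# Added example; the buffer extraction is an assumption, not Suricata's code.
from dataclasses import dataclass

@dataclass
class HttpBuffers:
    method: str        # http_method
    uri: str           # http_uri
    header: str        # http_header: raw header lines, request line excluded
    content_len: str   # http_content_len: value of the Content-Length header

def extract_buffers(raw: bytes) -> HttpBuffers:
    """Split a raw HTTP/1.x request into the buffers the keywords inspect."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("ascii", "replace").split("\r\n")
    method, uri, _version = lines[0].split(" ", 2)
    header = "\r\n".join(lines[1:])
    content_len = ""
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "content-length":
            content_len = value.strip()
    return HttpBuffers(method, uri, header, content_len)

# Each signature is the conjunction of its content matches; every content
# keyword is a case-sensitive substring test against its own buffer.
def sig1_matches(b: HttpBuffers) -> bool:
    return ("FOO" in b.method and "/footasticfoo" in b.uri
            and "Content-Length: 0" in b.header)

def sig2_matches(b: HttpBuffers) -> bool:
    return ("FOO" in b.method and "/footasticfoo" in b.uri
            and "0" in b.content_len)

def fired_sids(raw: bytes) -> list:
    b = extract_buffers(raw)
    return [sid for sid, fn in ((1, sig1_matches), (2, sig2_matches)) if fn(b)]

# Constructed sample requests (not captured traffic).
TRUE_POSITIVE = (b"FOO /footasticfoo HTTP/1.1\r\nHost: example.test\r\n"
                 b"Content-Length: 0\r\n\r\n")
# The case reported above: unrelated traffic that only shares the header.
UNRELATED = (b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n"
             b"Content-Length: 0\r\n\r\n")
# content:"0" on http_content_len is a substring test: Content-Length 10 hits.
LEN_TEN = (b"FOO /footasticfoo HTTP/1.1\r\nHost: example.test\r\n"
           b"Content-Length: 10\r\n\r\n")
```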