[Oisf-users] How to alert for a single TCP packet?
David Wharton
oisf at davidwharton.us
Tue Nov 26 03:35:17 UTC 2019
For the http_uri buffer, normalization includes URI-decoding of the
data, reducing directory traversal sequences (e.g. "/foo/bar/../baz" ->
"/foo/baz"), and, depending on the Suricata version and config, decoding
"+" (0x2B) to " " (0x20).
As for the alert ... are you sure you are sending the right pcap? And
are you sure the rule in question is the one alerting? What does the
pcap snippet from the alert show? What about the alert-debug log?
-David
On 11/25/19 1:47 PM, Lucas wrote:
> Hi David, thank you. Yes... I also got confused about the "../"
> string, I don't find it in the packet but the rule matches and alerts.
> It was also a question I'm about to ask you guys. What do you mean by
> http_uri be normalized?
>