[Oisf-users] How to alert for a single TCP packet?

David Wharton oisf at davidwharton.us
Tue Nov 26 03:35:17 UTC 2019

For the http_uri buffer, normalization includes URI-decoding of the 
data, reducing directory traversal sequences (e.g. "/foo/bar/../baz" -> 
"/foo/baz"), and, depending the Suricata version and config, decoding 
"+" (0x2B) to " " (0x20).

As for the alert ... are you sure you are sending the right pcap? And 
are you sure the rule in question is the one alerting?  What does the 
pcap snippet from the alert show?  What about the alert-debug log?


On 11/25/19 1:47 PM, Lucas wrote:
> Hi David, thank you. Yes... I also got confused about the "../" 
> string, i don't find it in the packet but the rule matches and alerts. 
> It was also a question i'm about to ask you guys. What do you mean by 
> http_uri be normalized?
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> Conference: https://suricon.net
> Trainings: https://suricata-ids.org/training/

More information about the Oisf-users mailing list