[Snort-devel] FP with pcre P and http_client_body + distance 0 ?

Rm Kml rmkml at ...2519...
Sat Jul 21 12:34:27 EDT 2012


Hi,

First, congratulations on the latest Snort v2.9.3!

OK, maybe you have an FP with this rule:

alert tcp any any -> any 80 (msg:"test http_client_body wrong order"; flow:to_server,established; content:"aaa="; depth:4; offset:0; http_client_body; pcre:"/eee=/P"; content:"ccc="; distance:0; http_client_body; classtype:attempted-admin; sid:8890829; rev:1; )

-> Snort fires! (but it's not true)

Another rule for checking; Snort does not fire, and it's true:

alert tcp any any -> any 80 (msg:"test http_client_body wrong order"; flow:to_server,established; content:"aaa="; depth:4; offset:0; http_client_body; content:"eee="; distance:0; http_client_body; content:"ccc="; distance:0; http_client_body; classtype:attempted-admin; sid:8890828; rev:1; )

Another test for checking; Snort fires, and it's true:

alert tcp any any -> any 80 (msg:"test http_client_body right order"; flow:to_server,established; content:"aaa="; depth:4; offset:0; http_client_body; pcre:"/ccc=/P"; content:"eee="; distance:0; http_client_body; classtype:attempted-admin; sid:8890830; rev:1; )

Tested with this wget command line:

wget --post-data="aaa=bbb&ccc=ddd&eee=fff" http://www.kernel.org/abc.html

Please credit rmkml.
Thanks to the Suricata engine [OISF] for confirming this.
Regards
Rmkml http://twitter.com/rmkml 
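The ordered-matching behaviour the post expects, as an added example that is not part of the original message or of Snort's own code: a small Python emulator of the http_client_body matchers in the three rules above, run over the POST body that the quoted wget command sends. It assumes the semantics the author relies on, namely that a relative `distance:0` content searches from the end of the previous match and that a pcre match also advances that cursor. The `RULES` dictionary, the `evaluate` function and the `pcre_advances_cursor` switch are constructions for this illustration; with the switch off, sid 8890829 fires, which shows what a stale relative cursor would produce, not a confirmed cause of the report.

```python
import re

# Constructed sample: the POST body produced by the wget command in the post.
CLIENT_BODY = b"aaa=bbb&ccc=ddd&eee=fff"

# Hand-written representation of the http_client_body matchers of each rule
# in the post (this is not Snort's rule parser). "offset"/"depth" are
# absolute; "distance" is relative to the end of the previous match.
RULES = {
    8890829: [  # "wrong order": pcre /eee=/P then content ccc= distance:0
        {"kind": "content", "value": b"aaa=", "offset": 0, "depth": 4},
        {"kind": "pcre", "pattern": rb"eee="},
        {"kind": "content", "value": b"ccc=", "distance": 0},
    ],
    8890828: [  # same order, plain content matchers only
        {"kind": "content", "value": b"aaa=", "offset": 0, "depth": 4},
        {"kind": "content", "value": b"eee=", "distance": 0},
        {"kind": "content", "value": b"ccc=", "distance": 0},
    ],
    8890830: [  # "right order": pcre /ccc=/P then content eee= distance:0
        {"kind": "content", "value": b"aaa=", "offset": 0, "depth": 4},
        {"kind": "pcre", "pattern": rb"ccc="},
        {"kind": "content", "value": b"eee=", "distance": 0},
    ],
}


def evaluate(rule, body, pcre_advances_cursor=True):
    """Return True if every matcher in `rule` succeeds, in order, on `body`.

    `cursor` is the byte position just past the previous match. An absolute
    content (offset/depth) searches a window measured from the buffer start;
    a content with `distance` searches from cursor + distance. A pcre without
    the R modifier searches the whole buffer; whether it moves the cursor is
    the switch this example exposes (an assumption made for illustration).
    """
    cursor = 0
    for m in rule:
        if m["kind"] == "content":
            if "distance" in m:
                start = cursor + m["distance"]
                window = body[start:]
            else:
                start = m.get("offset", 0)
                depth = m.get("depth")
                window = body[start:] if depth is None else body[start:start + depth]
            idx = window.find(m["value"])
            if idx < 0:
                return False
            cursor = start + idx + len(m["value"])
        elif m["kind"] == "pcre":
            found = re.search(m["pattern"], body)
            if found is None:
                return False
            if pcre_advances_cursor:
                cursor = found.end()
        else:
            raise ValueError("unknown matcher kind: %r" % m["kind"])
    return True


def evaluate_all(body=CLIENT_BODY, pcre_advances_cursor=True):
    """Map each sid to whether its http_client_body matchers all succeed."""
    return {sid: evaluate(rule, body, pcre_advances_cursor) for sid, rule in RULES.items()}


if __name__ == "__main__":
    for label, flag in (("pcre advances cursor", True), ("pcre leaves cursor", False)):
        print(label)
        for sid, fired in evaluate_all(pcre_advances_cursor=flag).items():
            print("  sid %d -> %s" % (sid, "fire" if fired else "no fire"))
```

With the cursor advanced after the pcre match, only sid 8890830 fires, which is the outcome the post describes as correct; sid 8890829 cannot fire because nothing follows "eee=fff" in the body. Flipping the switch makes the "ccc=" content search restart right after "aaa=", and the "wrong order" rule fires.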