[Snort-devel] RE : FP with pcre P and http_client_body + distance 0 ?

Joel Esler jesler at ...402...
Sun Jul 22 08:16:26 EDT 2012


Remove distance:0 and try again. 

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager

On Jul 22, 2012, at 3:46 AM, "rmkml at ...2519..." <rmkml at ...2519...> wrote:

> and Snort does not fire (confirms the bug) if you remove the http_client_body/P options like this:
>  alert tcp any any -> any 80 (msg:"test http_client_body wrong order"; flow:to_server,established; content:"aaa="; depth:4; offset:0; pcre:"/eee=/"; content:"ccc="; distance:0; classtype:attempted-admin; sid:8890829; rev:1; )
> Regards
> Rmkml
> 
> 
> 
> -------- Original message -------- Subject: FP with pcre P and http_client_body + distance 0 ? From: Rm Kml To: Snort-devel at lists.sourceforge.net CC: rmkml at ...2519... 
> 
> Hi,
> 
> First, congratulations on the latest Snort v2.9.3!
> 
> Ok, maybe you have a FP with this rule:
>  alert tcp any any -> any 80 (msg:"test http_client_body wrong order"; flow:to_server,established; content:"aaa="; depth:4; offset:0; http_client_body; pcre:"/eee=/P"; content:"ccc="; distance:0; http_client_body; classtype:attempted-admin; sid:8890829; rev:1; )
> -> Snort fires! (but it's not true)
> 
> 
> Another rule for checking; Snort does not fire, and that is true:
>  alert tcp any any -> any 80 (msg:"test http_client_body wrong order"; flow:to_server,established; content:"aaa="; depth:4; offset:0; http_client_body; content:"eee="; distance:0; http_client_body; content:"ccc="; distance:0; http_client_body; classtype:attempted-admin; sid:8890828; rev:1; )
> 
> Another test for checking; Snort fires, and that is true:
>  alert tcp any any -> any 80 (msg:"test http_client_body right order"; flow:to_server,established; content:"aaa="; depth:4; offset:0; http_client_body; pcre:"/ccc=/P"; content:"eee="; distance:0; http_client_body; classtype:attempted-admin; sid:8890830; rev:1; )
> 
> Tested with this wget cmd line:
>  wget --post-data="aaa=bbb&ccc=ddd&eee=fff" http://www.kernel.org/abc.html
> 
> Please credit rmkml.
> Thanks to the Suricata engine [OISF] for confirming this.
> Regards
> Rmkml
> 
> http://twitter.com/rmkml
> 
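As an added example (not part of the thread, and not Snort's code), the following Python models the relative-matching semantics the three rules above rely on: an absolute content or pcre match moves a cursor to the end of what it matched, and a content with distance:0 must then be found at or after that cursor. Run against the POST body from the wget command, it shows that sid 8890829 should not match while sid 8890830 should, which is the behaviour rmkml expected. It assumes http_client_body simply restricts every option to the body buffer and ignores the rest of the rule header.

```python
import re

# Constructed: the POST body sent by the thread's wget command line.
BODY = b"aaa=bbb&ccc=ddd&eee=fff"

def evaluate(options, body):
    """Walk a chain of content/pcre options over one buffer.

    'cursor' models Snort's detect-offset-end: a content with distance
    (relative) searches from cursor + distance, an absolute content uses
    offset/depth, and a pcre without the R flag searches the whole buffer
    but still advances the cursor for the options after it.
    Returns True only when every option matches."""
    cursor = 0
    for opt in options:
        if opt["kind"] == "content":
            if "distance" in opt:                       # relative match
                start = cursor + opt["distance"]
            else:                                       # absolute match
                start = opt.get("offset", 0)
            end = len(body)
            if "depth" in opt:
                end = min(end, start + opt["depth"])
            pos = body.find(opt["pattern"], start, end)
            if pos < 0:
                return False
            cursor = pos + len(opt["pattern"])
        elif opt["kind"] == "pcre":
            start = cursor if opt.get("relative") else 0
            m = re.compile(opt["pattern"]).search(body, start)
            if m is None:
                return False
            cursor = m.end()
    return True

# The option chains of the three rules in the thread, body buffer only.
SID_8890829 = [  # "wrong order": eee= is found, ccc= cannot follow it
    {"kind": "content", "pattern": b"aaa=", "offset": 0, "depth": 4},
    {"kind": "pcre", "pattern": rb"eee="},
    {"kind": "content", "pattern": b"ccc=", "distance": 0},
]
SID_8890828 = [  # same order using only content options
    {"kind": "content", "pattern": b"aaa=", "offset": 0, "depth": 4},
    {"kind": "content", "pattern": b"eee=", "distance": 0},
    {"kind": "content", "pattern": b"ccc=", "distance": 0},
]
SID_8890830 = [  # "right order": ccc= first, then eee= after it
    {"kind": "content", "pattern": b"aaa=", "offset": 0, "depth": 4},
    {"kind": "pcre", "pattern": rb"ccc="},
    {"kind": "content", "pattern": b"eee=", "distance": 0},
]
```

Swapping the order of the parameters in BODY (eee= before ccc=) makes sid 8890829 match, which is the only body where that rule should fire.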