[Snort-devel] FN with http_header and pcreH followed by same http_header+distance0...

Rm Kml rmkml at ...2519...
Tue Jul 24 17:35:20 EDT 2012


Hi,

Can someone check this on Snort v2.9.3(.0) please?

OK, first test, Snort does not fire = FN
 alert tcp any any -> any 80 (msg:"test 1 FN"; flow:to_server,established; content:"linux-gnu"; nocase; http_header; pcre:"/Wget/Hsmi"; content:"linux-gnu"; nocase; http_header; distance:0; classtype:web-application-activity; sid:1; rev:1;)
-> but why?

OK, second test, Snort fires = good
 alert tcp any any -> any 80 (msg:"test 2 ok"; flow:to_server,established; content:"linux-gnu"; nocase; pcre:"/Wget/smi"; content:"linux-gnu"; nocase; distance:0; classtype:web-application-activity; sid:2; rev:1;)

OK, third test, Snort fires = good
 alert tcp any any -> any 80 (msg:"test 3 ok"; flow:to_server,established; pcre:"/Wget/Hsmi"; content:"linux-gnu"; nocase; http_header; distance:0; classtype:web-application-activity; sid:3; rev:1;)

Test with a simple wget command:
 wget http://www.kernel.org/abc.html
HTTP request:
 GET /abc.html HTTP/1.0
 User-Agent: Wget/1.12 (linux-gnu)
 ...

Attached wget example pcap file.

Please credit rmkml.
Suricata engine [OISF] fires every time, thank you.
Regards
Rmkml 
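Added example (not from the post, and not Snort's own code): a small Python model of the option semantics the three rules rely on, namely `http_header` and the pcre `H` flag selecting the header buffer, `nocase`, and `distance:0` making the following `content` relative to the end of the previous match while a pcre without `R` stays absolute. The request bytes are constructed to mirror the wget request quoted in the post (the pcap itself is not reproduced), and the buffer extraction and evaluator are a simplified assumption of the intended behaviour, not Snort's normalizer. Under those semantics all three rules should match the wget request, which is why the sid:1 result is a false negative rather than a rule-writing mistake.

```python
import re

# Constructed sample request modelled on the one in the post (not the pcap).
WGET_REQUEST = (
    b"GET /abc.html HTTP/1.0\r\n"
    b"User-Agent: Wget/1.12 (linux-gnu)\r\n"
    b"Accept: */*\r\n"
    b"Host: www.kernel.org\r\n"
    b"\r\n"
)

# Constructed control request that none of the three rules should match.
CURL_REQUEST = (
    b"GET /abc.html HTTP/1.1\r\n"
    b"User-Agent: curl/7.26.0\r\n"
    b"Host: www.kernel.org\r\n"
    b"\r\n"
)


def buffers_for(request: bytes) -> dict:
    """Build the two buffers the rules refer to. 'payload' is the raw request;
    'http_header' is the header lines after the request line. This is a
    simplified assumption about Snort's normalized buffers, not its code."""
    head, _, _ = request.partition(b"\r\n\r\n")
    _request_line, _, headers = head.partition(b"\r\n")
    return {"payload": request, "http_header": headers + b"\r\n"}


def content(value, buffer="payload", nocase=False, distance=None):
    """content option; distance=None means absolute, distance=N means relative."""
    return {"kind": "content", "value": value, "buffer": buffer,
            "nocase": nocase, "distance": distance}


def pcre(pattern, flags=""):
    """pcre option: H selects the http_header buffer, R makes the search
    relative to the previous match, s/m/i map to the Python re flags."""
    return {"kind": "pcre", "pattern": pattern, "flags": flags}


def evaluate(options, request):
    """Return True when every option matches in order. 'cursor' is the offset
    just after the previous match; only a content with distance or a pcre
    with R starts from it, everything else searches from offset 0. The rules
    here keep each chain within one buffer, so a single cursor suffices."""
    bufs = buffers_for(request)
    cursor = 0
    for opt in options:
        if opt["kind"] == "content":
            hay, needle = bufs[opt["buffer"]], opt["value"]
            if opt["nocase"]:
                hay, needle = hay.lower(), needle.lower()
            start = cursor + opt["distance"] if opt["distance"] is not None else 0
            idx = hay.find(needle, start)
            if idx < 0:
                return False
            cursor = idx + len(needle)
        else:
            hay = bufs["http_header" if "H" in opt["flags"] else "payload"]
            re_flags = 0
            if "s" in opt["flags"]:
                re_flags |= re.S
            if "m" in opt["flags"]:
                re_flags |= re.M
            if "i" in opt["flags"]:
                re_flags |= re.I
            start = cursor if "R" in opt["flags"] else 0
            m = re.compile(opt["pattern"].encode(), re_flags).search(hay, start)
            if not m:
                return False
            cursor = m.end()
    return True


# The three rules from the post, reduced to their matching options.
RULE_1_FN = [content(b"linux-gnu", "http_header", nocase=True),
             pcre("Wget", "Hsmi"),
             content(b"linux-gnu", "http_header", nocase=True, distance=0)]
RULE_2_OK = [content(b"linux-gnu", nocase=True),
             pcre("Wget", "smi"),
             content(b"linux-gnu", nocase=True, distance=0)]
RULE_3_OK = [pcre("Wget", "Hsmi"),
             content(b"linux-gnu", "http_header", nocase=True, distance=0)]


def expected_results(request=WGET_REQUEST):
    """Map each sid to whether the modelled semantics say it should fire."""
    return {sid: evaluate(rule, request) for sid, rule in
            (("sid:1", RULE_1_FN), ("sid:2", RULE_2_OK), ("sid:3", RULE_3_OK))}


if __name__ == "__main__":
    for sid, fired in expected_results().items():
        print(sid, "should fire" if fired else "should not fire")
```

Running the block prints that all three sids should fire on the wget request; the control request matches none of them, which is the behaviour to compare against what the engine actually reports.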
-------------- next part --------------
A non-text attachment was scrubbed...
Name: testsnortfn.pcap
Type: application/octet-stream
Size: 1712 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-devel/attachments/20120724/9e89e4ef/attachment.obj>
