[Snort-devel] FN with http_header and pcreH followed by same http_header+distance0...

Joel Esler jesler at ...402...
Tue Jul 24 21:14:18 EDT 2012


Rmkml,

This is almost exactly the same as the bug you reported previously. We have a bug open on it and I will follow up with a result. Thank you 

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager

On Jul 24, 2012, at 5:35 PM, Rm Kml <rmkml at ...2519...> wrote:

> Hi,
> Could someone check this on Snort v2.9.3(.0), please?
> 
> ok first test, Snort does not fire = FN
>  alert tcp any any -> any 80 (msg:"test 1 FN"; flow:to_server,established; content:"linux-gnu"; nocase; http_header; pcre:"/Wget/Hsmi"; content:"linux-gnu"; nocase; http_header; distance:0; classtype:web-application-activity; sid:1; rev:1;)
> -> but why?
> 
> ok second test, Snort fires = good
>  alert tcp any any -> any 80 (msg:"test 2 ok"; flow:to_server,established; content:"linux-gnu"; nocase; pcre:"/Wget/smi"; content:"linux-gnu"; nocase; distance:0; classtype:web-application-activity; sid:2; rev:1;)
> 
> ok third test, Snort fires = good
>  alert tcp any any -> any 80 (msg:"test 3 ok"; flow:to_server,established; pcre:"/Wget/Hsmi"; content:"linux-gnu"; nocase; http_header; distance:0; classtype:web-application-activity; sid:3; rev:1;)
> 
> test with simple wget command:
>  wget http://www.kernel.org/abc.html
> http request:
>  GET /abc.html HTTP/1.0
>  User-Agent: Wget/1.12 (linux-gnu)
>  ...
> 
> Attached wget example pcap file.
> 
> Please credit rmkml.
> Suricata engine [OISF] fires every time, thank you.
> Regards
> Rmkml
> 
> <testsnortfn.pcap>
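For anyone who wants to check what the three rules above are supposed to do, here is an added Python model (not Snort code and not from this thread) of the documented option semantics: content with nocase and http_header searches the normalized header buffer, pcre with H searches the same buffer, and distance:0 starts the next content search at the end of the previous match. The request is reconstructed from the wget request quoted above; the model shows that all three sids should match it, so sid:1 staying silent is an engine bug, not a rule problem.

```python
import re

# Constructed request, modelled on the wget request quoted in the report.
REQUEST = ("GET /abc.html HTTP/1.0\r\n"
           "User-Agent: Wget/1.12 (linux-gnu)\r\n\r\n")

def http_header_buffer(request):
    # Header lines only: after the request line, up to the blank line.
    return request.split("\r\n\r\n", 1)[0].split("\r\n", 1)[1] + "\r\n"

def eval_rule(options, request):
    # options: ("content", needle, flags) or ("pcre", pattern, flags), flags a
    # set from {"nocase", "http_header", "distance0", "H"}. True only if every
    # option matches in order; cursor = end of the previous match, meaningful
    # while consecutive options use the same buffer (as all three rules do).
    cursor = 0
    for kind, pat, flags in options:
        in_header = "http_header" in flags or "H" in flags
        buf = http_header_buffer(request) if in_header else request
        start = cursor if "distance0" in flags else 0
        if kind == "content":
            hay, needle = (buf.lower(), pat.lower()) if "nocase" in flags else (buf, pat)
            idx = hay.find(needle, start)
            if idx < 0:
                return False
            cursor = idx + len(needle)
        else:  # pcre with the s, m, i modifiers used in the report
            m = re.search(pat, buf[start:], re.I | re.S | re.M)
            if m is None:
                return False
            cursor = start + m.end()
    return True

# The three rules from the report, reduced to their detection options.
RULES = {
    1: [("content", "linux-gnu", {"nocase", "http_header"}),
        ("pcre", "Wget", {"H"}),
        ("content", "linux-gnu", {"nocase", "http_header", "distance0"})],
    2: [("content", "linux-gnu", {"nocase"}),
        ("pcre", "Wget", set()),
        ("content", "linux-gnu", {"nocase", "distance0"})],
    3: [("pcre", "Wget", {"H"}),
        ("content", "linux-gnu", {"nocase", "http_header", "distance0"})],
}

def expected_results(request=REQUEST):
    # Maps sid -> whether the rule should fire on this request.
    return {sid: eval_rule(opts, request) for sid, opts in RULES.items()}
```

Swapping the order of "Wget" and "linux-gnu" in the User-Agent makes all three rules correctly stay silent, which is the distance:0 behaviour the report relies on.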

