<html><body><div style="color:#000; background-color:#fff; font-family:times new roman, new york, times, serif;font-size:12pt"><pre>Hi,

First, congratulations on the latest Snort v2.9.3!

OK, maybe you have an FP with this rule:
 alert tcp any any -> any 80 (msg:"test http_client_body wrong order"; flow:to_server,established; content:"aaa="; depth:4; offset:0; http_client_body; pcre:"/eee=/P"; content:"ccc="; distance:0; http_client_body; classtype:attempted-admin; sid:8890829; rev:1; )
-> Snort fires! (but it's not true)


Another rule for checking, and Snort does not fire, and it's true:
 alert tcp any any -> any 80 (msg:"test http_client_body wrong order"; flow:to_server,established; content:"aaa="; depth:4; offset:0; http_client_body; content:"eee="; distance:0; http_client_body; content:"ccc="; distance:0; http_client_body; classtype:attempted-admin; sid:8890828; rev:1; )

Another test for checking, and Snort fires, and it's true:
 alert tcp any any -> any 80 (msg:"test http_client_body right order"; flow:to_server,established; content:"aaa="; depth:4; offset:0; http_client_body; pcre:"/ccc=/P"; content:"eee="; distance:0; http_client_body; classtype:attempted-admin; sid:8890830; rev:1; )

Tested with this wget command line:
 wget --post-data="aaa=bbb&ccc=ddd&eee=fff" http://www.kernel.org/abc.html

Please credit rmkml.
Thanks to the Suricata engine [OISF] for confirming this.
Regards
Rmkml

http://twitter.com/rmkml
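
The results the message expects for its three rules, as an added example that is not part of the original message and is not Snort's or Suricata's detection code. It assumes a simplified cursor model in which each distance:0 content is searched from the end of the previous match, a preceding non-relative pcre included; the option tuples and function names are constructed for this illustration.

```python
import re

# POST body sent by the wget command in the message above.
BODY = b"aaa=bbb&ccc=ddd&eee=fff"

# Body options of the three posted rules, in rule order (constructed model).
# ("content", pattern, relative, depth) or ("pcre", regex).
FIRST = ("content", b"aaa=", False, 4)          # content:"aaa="; depth:4; offset:0
RULES = {
    8890829: [FIRST, ("pcre", rb"eee="), ("content", b"ccc=", True, None)],
    8890828: [FIRST, ("content", b"eee=", True, None),
              ("content", b"ccc=", True, None)],
    8890830: [FIRST, ("pcre", rb"ccc="), ("content", b"eee=", True, None)],
}

def match_ends(opt, body, cursor):
    """Yield the end offset of every way one option can match."""
    if opt[0] == "pcre":
        # No R modifier: the regex is searched over the whole body,
        # and its match end becomes the new cursor (assumption).
        for m in re.finditer(opt[1], body):
            yield m.end()
        return
    _, pat, relative, depth = opt
    start = cursor if relative else 0           # distance:0 starts at the cursor
    limit = len(body) if depth is None else start + depth
    pos = body.find(pat, start, limit)
    while pos != -1:
        yield pos + len(pat)
        pos = body.find(pat, pos + 1, limit)

def rule_matches(opts, body, cursor=0):
    """True if all options match in order, retrying earlier matches."""
    if not opts:
        return True
    return any(rule_matches(opts[1:], body, end)
               for end in match_ends(opts[0], body, cursor))

def expected_alerts(body=BODY):
    """Map each sid to whether it should alert under this model."""
    return {sid: rule_matches(opts, body) for sid, opts in RULES.items()}

if __name__ == "__main__":
    for sid, fired in expected_alerts().items():
        print(sid, "alert" if fired else "no alert")
```

Under this model sid 8890829 does not alert on the posted body, which is the result the message describes as correct.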
<br></pre></div></body></html>