<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"></head><body>If you remove the http_client_body/P options like this, Snort does not fire (confirming the bug):<div><span class="Apple-style-span" style="font-family: 'times new roman', 'new york', times, serif; font-size: 16px; "><pre> alert tcp any any -> any 80 (msg:"test http_client_body wrong order"; flow:to_server,established; content:"aaa="; depth:4; offset:0; pcre:"/eee=/"; content:"ccc="; distance:0; classtype:attempted-admin; sid:8890829; rev:1; )
</pre><pre>Regards</pre><pre>Rmkml</pre><pre><br></pre></span></div></body></html><br><br>

-------- Original message --------
Subject: FP with pcre P and http_client_body + distance 0 ? 
From: Rm Kml <rmkml@...2519...> 
To: Snort-devel@lists.sourceforge.net 
CC: rmkml@...2519... 

<br><br><body><div style="color:#000; background-color:#fff; font-family:times new roman, new york, times, serif;font-size:12pt"><pre>Hi,

First, congratulations on the latest Snort v2.9.3!

OK, maybe you have a FP with this rule:
 alert tcp any any -> any 80 (msg:"test http_client_body wrong order"; flow:to_server,established; content:"aaa="; depth:4; offset:0;
http_client_body; pcre:"/eee=/P"; content:"ccc="; distance:0; http_client_body; classtype:attempted-admin; sid:8890829; rev:1; )
-> Snort fires! (but it shouldn't)


Another rule for checking; Snort does not fire, and that is correct:
 alert tcp any any -> any 80 (msg:"test http_client_body wrong order"; flow:to_server,established; content:"aaa="; depth:4; offset:0;
http_client_body; content:"eee="; distance:0; http_client_body; content:"ccc="; distance:0; http_client_body; classtype:attempted-admin;
sid:8890828; rev:1; )

Another test for checking; Snort fires, and that is correct:
 alert tcp any any -> any 80 (msg:"test http_client_body right order"; flow:to_server,established; content:"aaa="; depth:4; offset:0;
http_client_body; pcre:"/ccc=/P"; content:"eee="; distance:0; http_client_body; classtype:attempted-admin; sid:8890830; rev:1; )

Tested with this wget command line:
 wget --post-data="aaa=bbb&ccc=ddd&eee=fff" http://www.kernel.org/abc.html

Please credit rmkml.
Thanks to the Suricata engine [OISF] for confirming this.
Regards
Rmkml

http://twitter.com/rmkml
<br></pre></div> </body>
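The three rules in the report all hinge on how the "end of last match" cursor moves between content and pcre options: a content with distance:0 is searched only from the end of the previous match, and a pcre match (with or without /R) leaves the cursor at the end of what it matched. The following Python model is an added example written for this thread, not Snort's engine code and not from the reporter; it evaluates the three rules' content/pcre sequences against the POST body that the wget command sends, under the assumptions stated in the comments (http_client_body and the /P modifier only select which buffer is inspected, so the model runs directly on that body). The rule names, the helper functions and the cursor semantics are this model's own.

```python
import re

# Constructed sample input: the request body that the wget --post-data
# command in the thread sends.
POST_BODY = b"aaa=bbb&ccc=ddd&eee=fff"


def content(pattern, offset=None, depth=None, distance=None):
    """One content option.  A distance (even 0) makes it relative to the end
    of the previous match; offset/depth are absolute from the buffer start."""
    return {"type": "content", "pattern": pattern.encode(),
            "offset": offset, "depth": depth, "distance": distance}


def pcre(pattern, relative=False):
    """One pcre option; relative=True models the /R modifier."""
    return {"type": "pcre", "regex": re.compile(pattern.encode()),
            "relative": relative}


def evaluate(buf, options):
    """Walk the options in order over a single buffer, tracking the cursor
    that relative options use (Snort calls it the detection offset end).

    Assumptions of this model (not taken from Snort's source):
      * a matching content or pcre moves the cursor to the end of its match;
      * a content with distance searches from cursor + distance to the end
        of the buffer, and without distance from offset for depth bytes;
      * a pcre searches from the cursor only when relative, else from 0.
    Returns True when every option matched, i.e. the rule would fire."""
    cursor = 0
    for opt in options:
        if opt["type"] == "content":
            pat = opt["pattern"]
            if opt["distance"] is not None:
                start = cursor + opt["distance"]
                end = len(buf)
            else:
                start = opt["offset"] or 0
                end = len(buf) if opt["depth"] is None else start + opt["depth"]
            idx = buf.find(pat, start, end)   # whole match must lie in [start, end)
            if idx < 0:
                return False
            cursor = idx + len(pat)
        else:
            start = cursor if opt["relative"] else 0
            m = opt["regex"].search(buf, start)
            if m is None:
                return False
            cursor = m.end()
    return True


# The content/pcre sequences of the three rules in the report.
RULES = {
    # "wrong order": eee= is matched first, then ccc= must follow it
    8890829: [content("aaa=", offset=0, depth=4), pcre("eee="),
              content("ccc=", distance=0)],
    # same order expressed with content only (no pcre)
    8890828: [content("aaa=", offset=0, depth=4), content("eee=", distance=0),
              content("ccc=", distance=0)],
    # "right order": ccc= first, then eee= after it
    8890830: [content("aaa=", offset=0, depth=4), pcre("ccc="),
              content("eee=", distance=0)],
}


def expected_results(buf=POST_BODY):
    """Map each sid to whether the rule should fire on the given body."""
    return {sid: evaluate(buf, opts) for sid, opts in RULES.items()}


if __name__ == "__main__":
    for sid, fires in expected_results().items():
        print(sid, "fires" if fires else "does not fire")
```

With the body from the thread, only sid 8890830 matches, because "ccc=" comes before "eee=" in the body and a distance:0 content can only look forward from the previous match; that is the behaviour the reporter observed for the raw-payload variant and for sid 8890828, and the alert on sid 8890829 is the outlier.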