Snort mailing list archives

Re: FN with http_header and pcreH followed by same http_header+distance0...

From: Joel Esler <jesler () sourcefire com>
Date: Tue, 24 Jul 2012 21:14:18 -0400

Rmkml,

This is almost exactly the same as the bug you reported previously. We have a bug open on it and I will follow up with 
a result. Thank you 

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager

On Jul 24, 2012, at 5:35 PM, Rm Kml <rmkml () yahoo fr> wrote:

Hi,
Someone check this on snort v2.9.3(.0) please?

ok first test, snort not fire = FN
 alert tcp any any -> any 80 (msg:"test 1 FN"; flow:to_server,established; content:"linux-gnu"; nocase; http_header; 
pcre:"/Wget/Hsmi"; content:"linux-gnu"; nocase; http_header; distance:0; classtype:web-application-activity; sid:1; 
rev:1;)
-> but why ?

ok second test, snort fire = good
 alert tcp any any -> any 80 (msg:"test 2 ok"; flow:to_server,established; content:"linux-gnu"; nocase; 
pcre:"/Wget/smi"; content:"linux-gnu"; nocase; distance:0; classtype:web-application-activity; sid:2; rev:1;)

ok third test, snort fire = good
 alert tcp any any -> any 80 (msg:"test 3 ok"; flow:to_server,established; pcre:"/Wget/Hsmi"; content:"linux-gnu"; 
nocase; http_header; distance:0; classtype:web-application-activity; sid:3; rev:1;)

test with simple wget command:
 wget http://www.kernel.org/abc.html
http request:
 GET /abc.html HTTP/1.0
 User-Agent: Wget/1.12 (linux-gnu)
 ...

Joigned wget example pcap file.

Please Credits to rmkml.
Suricata engine [OISF] fire every times, thx you.
Regards
Rmkml

<testsnortfn.pcap>
------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel

Please visit http://blog.snort.org for the latest news about Snort!

------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/

_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel

Please visit http://blog.snort.org for the latest news about Snort!

Current thread:

FN with http_header and pcreH followed by same http_header+distance0... Rm Kml (Jul 24)
- Re: FN with http_header and pcreH followed by same http_header+distance0... Graham Bignell (Jul 24)
- Re: FN with http_header and pcreH followed by same http_header+distance0... Joel Esler (Jul 24)