Snort mailing list archives
Re: FN with http_header and pcreH followed by same http_header+distance0...
From: Joel Esler <jesler () sourcefire com>
Date: Tue, 24 Jul 2012 21:14:18 -0400
Rmkml,

This is almost exactly the same as the bug you reported previously. We have a bug open on it and I will follow up with a result.

Thank you

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager

On Jul 24, 2012, at 5:35 PM, Rm Kml <rmkml () yahoo fr> wrote:
Hi,

Someone check this on snort v2.9.3(.0) please?

ok first test, snort does not fire = FN

alert tcp any any -> any 80 (msg:"test 1 FN"; flow:to_server,established; content:"linux-gnu"; nocase; http_header; pcre:"/Wget/Hsmi"; content:"linux-gnu"; nocase; http_header; distance:0; classtype:web-application-activity; sid:1; rev:1;)

-> but why?

ok second test, snort fires = good

alert tcp any any -> any 80 (msg:"test 2 ok"; flow:to_server,established; content:"linux-gnu"; nocase; pcre:"/Wget/smi"; content:"linux-gnu"; nocase; distance:0; classtype:web-application-activity; sid:2; rev:1;)

ok third test, snort fires = good

alert tcp any any -> any 80 (msg:"test 3 ok"; flow:to_server,established; pcre:"/Wget/Hsmi"; content:"linux-gnu"; nocase; http_header; distance:0; classtype:web-application-activity; sid:3; rev:1;)

test with simple wget command:

wget http://www.kernel.org/abc.html

http request:

GET /abc.html HTTP/1.0
User-Agent: Wget/1.12 (linux-gnu)
...

Attached wget example pcap file.

Please credit rmkml.

Suricata engine [OISF] fires every time, thank you.

Regards
Rmkml

<testsnortfn.pcap>

------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and threat landscape has changed and how IT managers can respond. Discussions will include endpoint security, mobile security and the latest in malware threats.
http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Please visit http://blog.snort.org for the latest news about Snort!
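The three rules in the quoted report differ only in which buffer they inspect and in whether a content precedes the pcre, so the question is what the documented option semantics say each rule should do: a content with distance:0 searches from the end of the previous match (the detect-offset-end pointer, doe_ptr), and a pcre without the R flag is not relative itself but still moves doe_ptr when it matches. The following script is an added example, not code from the post, from Snort or from the VRT; it emulates those documented semantics in pure Python over a request constructed to match the wget request quoted above (the request line and User-Agent are from the post; the Accept, Host and Connection headers are assumed), approximates the http_header buffer as the header lines after the request line (an assumption, no further normalization is modeled), and ignores buffer-crossing doe_ptr subtleties because every rule here stays within one buffer. Under these semantics all three sids alert, which is the expectation the report compares Snort 2.9.3 against; the emulation says nothing about why the real engine missed sid 1.

```python
import re

# Constructed request reproducing the wget 1.12 request quoted in the post.
# Only the request line and User-Agent come from the post; other headers are assumed.
WGET_REQUEST = (
    b"GET /abc.html HTTP/1.0\r\n"
    b"User-Agent: Wget/1.12 (linux-gnu)\r\n"
    b"Accept: */*\r\n"
    b"Host: www.kernel.org\r\n"
    b"Connection: Keep-Alive\r\n"
    b"\r\n"
)

# The three rules from the post reduced to their ordered detection options.
# ("content", pattern, modifiers) or ("pcre", regex, flags); http_header -> buffer "H".
RULES = {
    1: [("content", b"linux-gnu", {"nocase": True, "buffer": "H"}),
        ("pcre", rb"Wget", "Hsmi"),
        ("content", b"linux-gnu", {"nocase": True, "buffer": "H", "distance": 0})],
    2: [("content", b"linux-gnu", {"nocase": True, "buffer": "raw"}),
        ("pcre", rb"Wget", "smi"),
        ("content", b"linux-gnu", {"nocase": True, "buffer": "raw", "distance": 0})],
    3: [("pcre", rb"Wget", "Hsmi"),
        ("content", b"linux-gnu", {"nocase": True, "buffer": "H", "distance": 0})],
}


def http_header_buffer(request: bytes) -> bytes:
    """Approximation (assumption) of the http_header buffer: every header line
    after the request line, up to and including the final CRLF."""
    head, _, _ = request.partition(b"\r\n\r\n")
    return b"\r\n".join(head.split(b"\r\n")[1:]) + b"\r\n"


def _select(request: bytes, buffer: str) -> bytes:
    return http_header_buffer(request) if buffer == "H" else request


def evaluate(options, request: bytes) -> bool:
    """Walk the options in order while tracking doe_ptr (end of the last match).
    content with distance:N searches from doe_ptr+N; pcre is relative only with
    the R flag, but every successful match (content or pcre) moves doe_ptr."""
    doe = None
    for opt in options:
        if opt[0] == "content":
            _, pat, mods = opt
            buf = _select(request, mods["buffer"])
            start = doe + mods["distance"] if "distance" in mods and doe is not None else 0
            rx = re.compile(re.escape(pat), re.IGNORECASE if mods.get("nocase") else 0)
            m = rx.search(buf, start)
        else:
            _, regex, flags = opt
            buf = _select(request, "H" if "H" in flags else "raw")
            reflags = 0
            if "i" in flags:
                reflags |= re.IGNORECASE
            if "s" in flags:
                reflags |= re.DOTALL
            if "m" in flags:
                reflags |= re.MULTILINE
            start = doe if "R" in flags and doe is not None else 0
            m = re.compile(regex, reflags).search(buf, start)
        if m is None:
            return False          # one option failing means the rule does not alert
        doe = m.end()             # next relative option starts here
    return True


def fire(sid: int, request: bytes = WGET_REQUEST) -> bool:
    """Verdict for one sid from RULES under the documented option semantics."""
    return evaluate(RULES[sid], request)


def run_tests(request: bytes = WGET_REQUEST) -> dict:
    """Verdict for every sid; expected {1: True, 2: True, 3: True} on WGET_REQUEST."""
    return {sid: fire(sid, request) for sid in RULES}


if __name__ == "__main__":
    for sid, hit in run_tests().items():
        print(f"sid {sid}: {'alert' if hit else 'no alert'}")
```

Swapping the User-Agent to "linux-gnu Wget/1.12" makes every rule miss, which is the check that the emulation really honours distance:0: the second "linux-gnu" must lie after the end of the "Wget" match, not merely anywhere in the buffer. Running the real engine with `snort -c snort.conf -r testsnortfn.pcap` against the attached pcap is still the only way to observe the reported false negative.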
Current thread:
- FN with http_header and pcreH followed by same http_header+distance0... Rm Kml (Jul 24)
- Re: FN with http_header and pcreH followed by same http_header+distance0... Graham Bignell (Jul 24)
- Re: FN with http_header and pcreH followed by same http_header+distance0... Joel Esler (Jul 24)