Bug #130
Closed
Content + nocase issue.
Description
I have a small problem with a signature/rule:
- this rule does not detect/work: (WWW uppercase and space)
alert tcp any 80 -> any any (msg:"no1"; flow:to_client,established; content:"WWW-Authenticate\: "; nocase; classtype:web-application-activity; sid:9000000; rev:1;)
- but a small variant detects/works: (mixed case and space)
alert tcp any 80 -> any any (msg:"ok1"; flow:to_client,established; content:"Www-Authenticate\: "; nocase; classtype:web-application-activity; sid:9000001; rev:1;)
- another small variant detects/works: (WWW uppercase without space)
alert tcp any 80 -> any any (msg:"ok2"; flow:to_client,established; content:"WWW-Authenticate\:"; nocase; classtype:web-application-activity; sid:9000002; rev:1;)
Attached pcap with good checksum (it's live/real traffic, not fuzzing).
Tested without any other signatures/rules + output is the fast option + pattern-matcher is the default b2g + host-os-policy default or linux have the same problem + libhtp uses default-config, but apache server-config has the same problem.
Files
Updated by Pablo Rincon over 14 years ago
- File 0001-Bug-130-detect-nocase-was-not-recreating-the-BmCtx-w.patch added
- Assignee changed from OISF Dev to Pablo Rincon
- % Done changed from 0 to 80
detect-nocase was not recreating the BmCtx with nocase chars, so it was not working with patterns of capital letters as expected. Attached a patch to fix the issue.
Updated by Victor Julien over 14 years ago
- Status changed from Assigned to Closed
- % Done changed from 80 to 100
Applied, thanks Pablo.
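A simplified model of the failure described in the fix note above, added here as an illustration and not taken from Suricata or from the attached patch: a Horspool bad-character table stands in for the BmCtx, and the function names and the sample response are constructed for this example. It shows a case-insensitive search skipping a real match when the table was built from the rule's original uppercase bytes and not rebuilt after the pattern was lowercased.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Horspool bad-character table (stand-in for a BmCtx, not Suricata code):
 * shift[c] = distance from the last c in pat[0..m-2] to the pattern end, else m. */
static void build_shift(const char *pat, size_t m, size_t shift[256]) {
    for (size_t c = 0; c < 256; c++) shift[c] = m;
    for (size_t i = 0; i + 1 < m; i++)
        shift[(unsigned char)pat[i]] = m - 1 - i;
}

/* Case-insensitive search: each text byte is lowercased before it is compared
 * or used as a table index, so the table is only valid if it was built from
 * the lowercased pattern. Returns the match offset or -1. */
static long search_nocase(const char *text, const char *pat,
                          const size_t shift[256]) {
    size_t n = strlen(text), m = strlen(pat);
    for (size_t pos = 0; pos + m <= n;
         pos += shift[tolower((unsigned char)text[pos + m - 1])]) {
        size_t i = 0;
        while (i < m && tolower((unsigned char)text[pos + i]) ==
                        tolower((unsigned char)pat[i])) i++;
        if (i == m) return (long)pos;
    }
    return -1;
}

/* rebuild = 0: keep the table built from the rule's original bytes (stale).
 * rebuild = 1: rebuild the table after lowercasing the pattern. */
static long match_rule(const char *text, const char *content, int rebuild) {
    char pat[64];
    size_t shift[256], m = strlen(content);
    if (m == 0 || m >= sizeof(pat)) return -1;
    memcpy(pat, content, m + 1);
    build_shift(pat, m, shift);               /* table from original case */
    for (size_t i = 0; i < m; i++) pat[i] = (char)tolower((unsigned char)pat[i]);
    if (rebuild) build_shift(pat, m, shift);  /* table from nocase chars */
    return search_nocase(text, pat, shift);
}

/* Constructed HTTP response, not the pcap attached to this bug. */
static const char *SAMPLE = "HTTP/1.1 401 Unauthorized\r\nServer: Apache\r\n"
                            "WWW-Authenticate: Basic realm=\"x\"\r\n";
int main(void) {
    printf("WWW stale:   %ld\n", match_rule(SAMPLE, "WWW-Authenticate: ", 0));
    printf("WWW rebuilt: %ld\n", match_rule(SAMPLE, "WWW-Authenticate: ", 1));
    printf("Www stale:   %ld\n", match_rule(SAMPLE, "Www-Authenticate: ", 0));
    return 0;
}
```

In this model the stale table has an entry for `W` but none for `w`, so a window ending on a `W` in the payload takes the maximum shift and jumps over the header. Whether the miss occurs depends on how the windows align with the payload.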