Project

General

Profile

Actions
Copy link

Bug #130

closed

Content + nocase issue.

Added by Victor Julien over 14 years ago. Updated over 14 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Pablo Rincon
Target version:
0.9.0
Affected Versions:
Effort:
Difficulty:
Label:

Description

I have a small pb with a signature/rule:
-this rule not detect/work: (WWW uppercase and space)
alert tcp any 80 -> any any (msg:"no1"; flow:to_client,established; content:"WWW-Authenticate\: "; nocase; classtype:web-application-activity; sid:9000000; rev:1;)
-but small variant detect/work: (mix case and space)
alert tcp any 80 -> any any (msg:"ok1"; flow:to_client,established; content:"Www-Authenticate\: "; nocase; classtype:web-application-activity; sid:9000001; rev:1;)
-another small variant detect/work: (WWW uppercase without space)
alert tcp any 80 -> any any (msg:"ok2"; flow:to_client,established; content:"WWW-Authenticate\:"; nocase; classtype:web-application-activity; sid:9000002; rev:1;)

Joigned pcap with good cksum (it's a live/real trafic, not fuzzing).
Tested without any another signatures/rules + output is fast option + pattern-matcher default b2g + host-os-policy are default or linux have same pb + libhtp use default-config but apache server-config have same pb.

Files

Download all files
suricata082htppb_csdump306b.pcap.gz (1.92 KB) suricata082htppb_csdump306b.pcap.gz Victor Julien, 04/20/2010 03:18 AM
0001-Bug-130-detect-nocase-was-not-recreating-the-BmCtx-w.patch (5.58 KB) 0001-Bug-130-detect-nocase-was-not-recreating-the-BmCtx-w.patch detect-nocase was not recreating the BmCtx with nocase chars, so it was not working with patterns of capital letters as expected Pablo Rincon, 04/27/2010 11:56 AM
Actions
Copy link

Also available in: Atom PDF