Project

General

Profile

Actions
Copy link

Bug #144

closed

isdataat + relative does not work when previous match is pcre.

Added by Will Metcalf over 14 years ago. Updated over 14 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Gurvinder Singh
Target version:
1.0.0
Affected Versions:
Effort:
Difficulty:
Label:

Description

isdataat + relative does not work when previous match is pcre. This behavior is supported in snort we should do the same

[3499] 4/5/2010 -- 19:41:06 - (detect-isdataat.c:253) <Error> (DetectIsdataatSetup) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(36)] - Unknown previous keyword!
[3499] 4/5/2010 -- 19:41:06 - (detect.c:295) <Error> (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(36)] - Error parsing signature "alert tcp any any -> any any (msg:"pcre with isdataat + relative"; pcre:"/A(ll|pp)WorkAndNoPlayMakesWillADullBoy/"; isdataat:96,relative; sid:106;)" from file /home/coz/allworkplain.rules at line 207

01/04-12:29:26.927934 [**] [1:106:0] pcre with isdataat + relative [**] [Priority: 0] {TCP} 192.168.2.3:39867 -> 209.85.225.105:80

Files

Download all files
allworkandnoplayplain.pcap (2.7 KB) allworkandnoplayplain.pcap allworkandnoplay Will Metcalf, 05/04/2010 07:19 PM
0001-set-the-isdataat-keyword-when-previous-sigmatch-is-e.patch (2.92 KB) 0001-set-the-isdataat-keyword-when-previous-sigmatch-is-e.patch Gurvinder Singh, 05/14/2010 04:12 AM
Actions
Copy link
 #1

Updated by Gurvinder Singh over 14 years ago

Attached patch supports setting up sig when previous keyword is pcre

Actions
Copy link
 #2

Updated by Victor Julien over 14 years ago

  • Status changed from Resolved to Closed
  • % Done changed from 90 to 100

Patches applied, thanks Gurvinder.

Actions
Copy link

Also available in: Atom PDF