Project

General

Profile

Actions
Copy link

Bug #212

closed

relatives contents with a negated content gives a false postive

Added by Anoop Saldanha over 14 years ago. Updated over 14 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Anoop Saldanha
Target version:
1.0.1
Affected Versions:
Effort:
Difficulty:
Label:

Description

a content string

"we need to fix this and yes fix this now"

and

content:fix; content:this; within:6; content:!\"and\"; distance:0;

should fail.

Fix attached.

Files

Download all files
0001-fix-false-positives-for-a-negated-content-case.patch (4.13 KB) 0001-fix-false-positives-for-a-negated-content-case.patch Anoop Saldanha, 07/16/2010 08:58 AM
0002-fix-relative-contents-with-a-negated-content-for-det.patch (10.2 KB) 0002-fix-relative-contents-with-a-negated-content-for-det.patch Anoop Saldanha, 07/16/2010 09:38 AM
fixthisnow.pcap (491 Bytes) fixthisnow.pcap we need to fix this and yes fix this now pcap Will Metcalf, 07/19/2010 12:52 PM
Actions
Copy link
 #1

Updated by Anoop Saldanha over 14 years ago

another patch attached.

You will have to apply both. The first one addresses payload.c and the second, dcepayload.c and uri.c.

Actions
Copy link
 #2

Updated by Will Metcalf over 14 years ago

tested. works.
alert tcp any any -> any 55555 (msg:"negated content + relative modifier"; content:"fix"; content:"this"; within:6; content:!"and"; distance:0; sid:7777;)
alert tcp any any -> any 55555 (msg:"negated content + relative modifier"; content:"fix"; content:"this"; within:6; content:!"foo"; distance:0; sid:7778;)

src/suricata -c suricata.yaml -l ./ -s blah2.rules -r /home/coz/fixthisnow.pcap
...
cat fast.log
07/19/10-18:37:15.687507 [**] [1:7778:0] negated content + relative modifier [**] [Classification: (null)] [Priority: 3] {6} 192.168.2.3:60229 -> 192.168.2.138:55555

Actions
Copy link
 #3

Updated by Victor Julien over 14 years ago

  • Estimated time set to 1.00 h
Actions
Copy link

Also available in: Atom PDF