Bug #212
closed
relative contents with a negated content gives a false positive
Added by Anoop Saldanha over 14 years ago.
Updated over 14 years ago.
Description
a content string
"we need to fix this and yes fix this now"
and
content:fix; content:this; within:6; content:!"and"; distance:0;
should fail.
Fix attached.
Files
Another patch attached.
You will have to apply both. The first one addresses payload.c and the second, dcepayload.c and uri.c.
Tested. Works.
alert tcp any any -> any 55555 (msg:"negated content + relative modifier"; content:"fix"; content:"this"; within:6; content:!"and"; distance:0; sid:7777;)
alert tcp any any -> any 55555 (msg:"negated content + relative modifier"; content:"fix"; content:"this"; within:6; content:!"foo"; distance:0; sid:7778;)
src/suricata -c suricata.yaml -l ./ -s blah2.rules -r /home/coz/fixthisnow.pcap
...
cat fast.log
07/19/10-18:37:15.687507 [**] [1:7778:0] negated content + relative modifier [**] [Classification: (null)] [Priority: 3] {6} 192.168.2.3:60229 -> 192.168.2.138:55555
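The matching behaviour both the report and the test run above expect, as an added Python model that is not part of the original issue and not Suricata's own engine code. The names `inspect`, `rule_matches`, `strict_negation` and the MATCH/NO_MATCH/ABORT states are assumptions of this example; `strict_negation=False` models an engine that keeps retrying earlier contents after a negated content was found, which is the false positive the report describes.

```python
# Relative content matching for the two rules in this report (added example).
# Assumption: when a negated content IS found relative to the previous match,
# the rule fails outright and earlier contents are not retried at later offsets.
MATCH, NO_MATCH, ABORT = "match", "no_match", "abort"

# Payload from the report (constructed here as bytes).
PAYLOAD = b"we need to fix this and yes fix this now"

def inspect(payload, contents, prev_end=0, strict_negation=True):
    """contents: list of (pattern, negated, distance, within); distance and
    within are None when absent and are relative to the previous match end."""
    if not contents:
        return MATCH
    pattern, negated, distance, within = contents[0]
    lo = prev_end + (distance or 0)                       # earliest start
    hi = len(payload) if within is None else prev_end + within  # match must end by here
    pos = payload.find(pattern, lo, hi)
    if negated:
        if pos == -1:
            # Not found: the negation holds; a following content (none in the
            # report's rules) is assumed to stay relative to the same prev_end.
            return inspect(payload, contents[1:], prev_end, strict_negation)
        return ABORT if strict_negation else NO_MATCH
    while pos != -1:
        result = inspect(payload, contents[1:], pos + len(pattern), strict_negation)
        if result != NO_MATCH:            # MATCH or ABORT both end the search
            return result
        pos = payload.find(pattern, pos + 1, hi)  # retry the next occurrence
    return NO_MATCH

def rule_matches(payload, contents, strict_negation=True):
    return inspect(payload, contents, 0, strict_negation) == MATCH

# Content chains of sid 7777 and sid 7778 from the comment above.
SID_7777 = [(b"fix", False, None, None), (b"this", False, None, 6), (b"and", True, 0, None)]
SID_7778 = [(b"fix", False, None, None), (b"this", False, None, 6), (b"foo", True, 0, None)]

if __name__ == "__main__":
    print("sid 7777:", rule_matches(PAYLOAD, SID_7777))                          # False
    print("sid 7778:", rule_matches(PAYLOAD, SID_7778))                          # True
    print("sid 7777, retrying engine:", rule_matches(PAYLOAD, SID_7777, False))  # True
```

The retrying engine matches sid 7777 on the second "fix this" because " now" follows it, which is exactly the alert the reporter says should not fire.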
- Estimated time set to 1.00 h