Bug #219: uricontent with relative pcre - Suricata - Open Information Security Foundation

Actions

Copy link

Bug #219

closed

uricontent with relative pcre

Added by Victor Julien over 14 years ago. Updated almost 14 years ago.

Status:

Closed

Priority:

Normal

Assignee:

Target version:

Affected Versions:

Effort:

Difficulty:

Label:

Description

There are signatures in VRT that follow this basic pattern. We are not supporting it because right now the detection engine has no way of knowing where in the raw payload the uri match ended. Another complication is that the uri normalizer may change the size of the uri (e.g. %20 becomes a single space, shrinking the uri with 2 bytes).

uricontent:"foo"; pcre:"/bar/R";
content:"foo"; http_uri; pcre:"/bar/R";

It seems in Snort this only works on non-normalized uri's.

History
Notes
Property changes

Actions

Copy link

Also available in: Atom PDF

Project

General

Profile

Suricata

Custom queries

Bug #219

uricontent with relative pcre

Updated by Victor Julien almost 14 years ago