Support #2475
closedoffset can also be a negative number?
Description
e.g:
http://localhost/?id=1&test=union select
rules:
alert tcp any any -> any any (msg:"test union select";content:"select";http_uri;nocase;offset:-7;content:"select";nocase;http_uri;classtype:test;sid:203456789;rev:1;)
it's ok,but not match.why?
Updated by Victor Julien over 6 years ago
- Priority changed from Urgent to Normal
It can't be as it's an offset from the start of the payload/buffer.
Updated by Andreas Herz over 6 years ago
- Assignee set to tag 7ym0n
- Target version set to Support
Updated by tag 7ym0n over 6 years ago
How do I start a match from the reciprocal N bytes of a payload or buffer?
e.g:
http://localhost/?id=1&test=-1 union select 1,1,1,load_file(char(99,58,47,98,111,111,116,46,105,110,105))
how match "99,58,47,98,111,111,116,46,105"?
Victor Julien wrote:
It can't be as it's an offset from the start of the payload/buffer.
Victor Julien wrote:
It can't be as it's an offset from the start of the payload/buffer.
Updated by Andreas Herz over 5 years ago
- Status changed from New to Feedback
could you provide a pcap for that?
Updated by Andreas Herz over 5 years ago
- Status changed from Feedback to Closed
Hi, we're closing this issue since there have been no further responses.
If you think this bug is still relevant, try to test it again with the
most recent version of suricata and reopen the issue. If you want to
improve the bug report please take a look at
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Reporting_Bugs