Support #2475

closed

offset can also be a negative number?

Added by tag 7ym0n over 6 years ago. Updated over 5 years ago.

Status: Closed
Priority: Normal
Assignee:
Affected Versions:
Label:

Description

e.g:
http://localhost/?id=1&test=union select

rules:

alert tcp any any -> any any (msg:"test union select";content:"select";http_uri;nocase;offset:-7;content:"select";nocase;http_uri;classtype:test;sid:203456789;rev:1;)

It's OK, but it does not match. Why?

Actions #1

Updated by Victor Julien over 6 years ago

  • Priority changed from Urgent to Normal

It can't be as it's an offset from the start of the payload/buffer.

Actions #2

Updated by Andreas Herz over 6 years ago

  • Assignee set to tag 7ym0n
  • Target version set to Support

Actions #3

Updated by tag 7ym0n over 6 years ago

How do I start a match from the reciprocal N bytes of a payload or buffer?

e.g:
http://localhost/?id=1&test=-1 union select 1,1,1,load_file(char(99,58,47,98,111,111,116,46,105,110,105))

How do I match "99,58,47,98,111,111,116,46,105"?

Victor Julien wrote:

It can't be as it's an offset from the start of the payload/buffer.
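
Added example, not part of the original thread and not rules from the Suricata project: because offset counts forward from the start of the buffer, a match can instead be pinned to the end of the buffer with a negated relative isdataat, and a fixed string such as the char() list needs no offset at all. The msg strings and sid values are constructed, and classtype is left out because it depends on the local classification.config.

```suricata
# Constructed rules for illustration; sid values are placeholders.

# offset:N starts the search N bytes after the beginning of the buffer,
# so only values >= 0 are meaningful. To require that "select" is the last
# thing in the normalized URI, assert that no byte follows the match:
alert http any any -> any any (msg:"select at end of URI"; content:"select"; http_uri; nocase; isdataat:!1,relative; sid:1000001; rev:1;)

# A content match without offset/depth is searched for anywhere in the
# buffer, so the decimal character list from the second request can be
# matched directly, wherever it sits in the URI:
alert http any any -> any any (msg:"char() list for boot.ini path in URI"; content:"load_file(char("; http_uri; nocase; content:"99,58,47,98,111,111,116,46,105"; http_uri; distance:0; sid:1000002; rev:1;)
```

The first rule fires on the request from the description (URI ending in "select") and stays silent when anything follows the keyword; the second anchors the number list to the load_file(char( prefix from the request in comment #3 to cut down on incidental matches.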

Actions #4

Updated by Andreas Herz over 5 years ago

  • Status changed from New to Feedback

Could you provide a pcap for that?

Actions #5

Updated by Andreas Herz over 5 years ago

  • Status changed from Feedback to Closed

Hi, we're closing this issue since there have been no further responses.
If you think this bug is still relevant, try to test it again with the
most recent version of Suricata and reopen the issue. If you want to
improve the bug report please take a look at
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Reporting_Bugs
