Bug #4210: Alert not generated with 2 rules - http.request body (alone) and http.request_body/url_decode - Suricata - Open Information Security Foundation

Actions

Copy link

Bug #4210

closed

Alert not generated with 2 rules - http.request body (alone) and http.request_body/url_decode

Added by Jeff Lucovsky almost 4 years ago. Updated over 3 years ago.

Status:

Closed

Priority:

High

Assignee:

Jeff Lucovsky

Target version:

7.0.0-beta1

Affected Versions:

6.0.1

Effort:

Difficulty:

Label:

Description

From https://forum.suricata.io/t/transformation-keyword-cant-trigger-an-alert/881/3

Use the attached pcap

These 2 rules generate 2 alerts

alert http any any -> $HOME_NET any (msg: "detect (/etc/passwd)"; flow:to_server,established; http.request_body; url_decode; content:"/etc/passwd"; nocase; sid:1001;)
alert http any any -> $HOME_NET any (msg: "detect (/etc/passwd)"; flow:to_server,established; http.request_body; url_decode; content:"/etc/passwd"; nocase; sid:1002;)

These 2 rules generate 0 alerts

alert http any any -> $HOME_NET any (msg: "detect (/etc/passwd)"; flow:to_server,established; http.request_body;content:"/etc/passwd"; nocase; sid:1001;)
alert http any any -> $HOME_NET any (msg:"detect (/etc/passwd)"; flow:to_server,established; http.request_body; url_decode; content:"/etc/passwd"; nocase; sid:1002;)

Files

http-forum.pcap (2.03 KB) http-forum.pcap

Jeff Lucovsky, 12/08/2020 02:33 PM

Related issues 1 (0 open — 1 closed)