Bug #4210 (closed)
Alert not generated with 2 rules - http.request_body (alone) and http.request_body/url_decode
Description
From https://forum.suricata.io/t/transformation-keyword-cant-trigger-an-alert/881/3
Use the attached pcap.
These 2 rules generate 2 alerts:
alert http any any -> $HOME_NET any (msg: "detect (/etc/passwd)"; flow:to_server,established; http.request_body; url_decode; content:"/etc/passwd"; nocase; sid:1001;)
alert http any any -> $HOME_NET any (msg: "detect (/etc/passwd)"; flow:to_server,established; http.request_body; url_decode; content:"/etc/passwd"; nocase; sid:1002;)
These 2 rules generate 0 alerts:
alert http any any -> $HOME_NET any (msg: "detect (/etc/passwd)"; flow:to_server,established; http.request_body; content:"/etc/passwd"; nocase; sid:1001;)
alert http any any -> $HOME_NET any (msg:"detect (/etc/passwd)"; flow:to_server,established; http.request_body; url_decode; content:"/etc/passwd"; nocase; sid:1002;)
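As an added illustration (not code from the ticket or from Suricata), the following Python models what the two rule pairs above are expected to match against a constructed request body. The url_decode function mimics the transform's documented behaviour ('+' to space, %HH to a byte); the rule dicts and the sample body are assumptions made for the example.

```python
# Added model of the expected matching for the ticket's rules; not Suricata code.
HEX_DIGITS = b"0123456789abcdefABCDEF"


def url_decode(buf: bytes) -> bytes:
    """Mimic the url_decode transform: '+' -> space, %HH -> byte, anything else unchanged."""
    out, i = bytearray(), 0
    while i < len(buf):
        c = buf[i]
        if c == ord("+"):
            out.append(0x20)
            i += 1
        elif c == ord("%") and i + 2 < len(buf) and all(b in HEX_DIGITS for b in buf[i + 1:i + 3]):
            out.append(int(buf[i + 1:i + 3], 16))
            i += 3
        else:
            out.append(c)  # malformed escape or plain byte is passed through unchanged
            i += 1
    return bytes(out)


TRANSFORMS = {"url_decode": url_decode}

# Rule models constructed from the ticket: http.request_body buffer, optional transform
# chain, and a nocase content match on "/etc/passwd".
PAIR_WITH_DECODE = [  # first pair in the ticket: both rules use url_decode
    {"sid": 1001, "transforms": ["url_decode"], "content": b"/etc/passwd"},
    {"sid": 1002, "transforms": ["url_decode"], "content": b"/etc/passwd"},
]
PAIR_MIXED = [  # second pair: sid 1001 has no transform, sid 1002 has url_decode
    {"sid": 1001, "transforms": [], "content": b"/etc/passwd"},
    {"sid": 1002, "transforms": ["url_decode"], "content": b"/etc/passwd"},
]


def matching_sids(body: bytes, rules) -> list:
    """Return the sids that should alert on this request body (nocase content match)."""
    hits = []
    for rule in rules:
        buf = body
        for name in rule["transforms"]:  # apply the rule's transform chain to a copy
            buf = TRANSFORMS[name](buf)
        if rule["content"].lower() in buf.lower():
            hits.append(rule["sid"])
    return hits


if __name__ == "__main__":
    body = b"file=%2Fetc%2Fpasswd"  # constructed body: form field with the path URL-encoded
    print(matching_sids(body, PAIR_WITH_DECODE))  # expected 2 alerts: [1001, 1002]
    print(matching_sids(body, PAIR_MIXED))        # expected 1 alert: [1002]; the ticket reports 0
```

With a plain (unencoded) body both rules of the mixed pair should fire, so either way the mixed pair is expected to alert at least once rather than zero times.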
Updated by Victor Julien about 4 years ago
- Is duplicate of Bug #4199: Transformation keyword can’t trigger an alert added
Updated by Jeff Lucovsky almost 4 years ago
- Label deleted (Needs backport to 6.0)