Project

General

Profile

Actions
Copy link

Bug #452

closed

FN on http POST query suricata v1.2.1?

Added by rmkml rmkml over 12 years ago. Updated over 12 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Anoop Saldanha
Target version:
1.3beta2
Affected Versions:
Effort:
Difficulty:
Label:

Description

Hi,

Im restart my Suricata (v1.2.1 and 1.3git) testing and Im found strange results with these sigs not fire:

alert tcp any any -> any 80 (msg:"FN suricata"; flow:to_server,established; isdataat:1; classtype:web-application-activity; sid:90011667; rev:1;)

alert tcp any any -> any 80 (msg:"FN suricata"; flow:to_server,established; pcre:"/^[^\n]{5}/P"; classtype:web-application-activity; sid:90011668; rev:1;)

alert tcp any any -> any 80 (msg:"FN suricata"; flow:to_server,established; content:"galid"; nocase; http_client_body; classtype:web-application-activity; sid:90011669; rev:1;)

Tested with these two http commands:
wget http://192.168.1.1/abcd.php --post-data="galid=abcdzad&dzadzza=dzadzdza"
curl http://192.168.1.1/abcd.php --data "galid=abcdzad&dzadzza=dzadzdza"

Joigned my two pcap for replaying.
No suricata error.
Disabled cksum validation.

Im sure Im totaly wrong but if someone check/confirm please ?
Of course, snort always fire.
Regards
Rmkml

Files

Download all files
exemple_http_post_isdataat_suricataFNwget.pcap (1.49 KB) exemple_http_post_isdataat_suricataFNwget.pcap rmkml rmkml, 04/19/2012 12:25 PM
exemple_http_post_isdataat_suricataFNcurl.pcap (1.49 KB) exemple_http_post_isdataat_suricataFNcurl.pcap rmkml rmkml, 04/19/2012 12:25 PM
0001-bug-452-fix-detection-bug-for-sigs-that-don-t-have-a.patch (1.85 KB) 0001-bug-452-fix-detection-bug-for-sigs-that-don-t-have-a.patch Anoop Saldanha, 04/20/2012 12:22 AM
0002-code-cleanup-indentation-fix.patch (3.99 KB) 0002-code-cleanup-indentation-fix.patch Anoop Saldanha, 04/20/2012 12:22 AM
0003-bug-452-enable-http-extra-callbacks-for-configs-othe.patch (1.91 KB) 0003-bug-452-enable-http-extra-callbacks-for-configs-othe.patch Anoop Saldanha, 04/20/2012 04:15 AM
Actions
Copy link
 #1

Updated by Anoop Saldanha over 12 years ago

  • Assignee set to Anoop Saldanha
Actions
Copy link
 #3

Updated by Anoop Saldanha over 12 years ago

patch attached that fixes the client/server body rules FN.

All 3 rules should alert now.

Actions
Copy link
 #4

Updated by Anoop Saldanha over 12 years ago

  • Status changed from New to Resolved
Actions
Copy link
 #5

Updated by Victor Julien over 12 years ago

Patches 1 and 2 remove a NULL pointer check AFAICS, is that safe?

Applied 3.

Actions
Copy link
 #6

Updated by Anoop Saldanha over 12 years ago

yeah, that's safe. We fix a bug actually. We would have been FN'ing previously

Actions
Copy link
 #7

Updated by Victor Julien over 12 years ago

  • Status changed from Resolved to Closed
  • Target version set to 1.3beta1
  • % Done changed from 0 to 100

Cool. Applied 1 and 2 as well. Thanks.

Actions
Copy link
 #8

Updated by Victor Julien over 12 years ago

  • Target version changed from 1.3beta1 to 1.3beta2
Actions
Copy link

Also available in: Atom PDF