Bug #457

closed

FN with Suricata git version 24apr2012?

Added by rmkml over 12 years ago. Updated over 12 years ago.

Status:
Closed
Priority:
Normal
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

Hi,

OK, I restarted my Suricata testing and found FN results:

1) OK, use only these two sigs:
alert tcp any 80 -> any any (msg:"404"; flow:to_client,established; content:"404"; http_stat_code; file_data; content:!"<script"; nocase; distance:0; classtype:attempted-admin; sid:44333221; rev:1; )
alert tcp any $HTTP_PORTS -> any any (msg:"file_data"; flow:to_server,established; file_data; content:"abc"; nocase; distance:0; classtype:web-application-attack; sid:44333222; rev:1;)

2) and tested with wget / the attached pcap file:
wget http://www.openinfosecfoundation.org/xyz.php
2012-04-24 23:54:48 ERROR 404: Not Found.

3a) results: Suricata v1.3git24apr: no alerts
3b) results: Suricata v1.2.1: fires/alerts

4) OK, change on sig 44333222: replace $HTTP_PORTS with 80
-> results: all Suricata versions fire/alert

5) OK, another change on sig 44333221: remove 'file_data; content:!"<script"; nocase; distance:0;'
-> results: all Suricata versions fire/alert

6) OK, another change on sig 44333222: comment out/disable this sig
-> results: all Suricata versions fire/alert

Checksum verification is disabled.
Snort always fires.
Suricata doesn't report any errors for sig 44333221 or 44333222!

I'm curious whether someone can reproduce my FN (3a), please?
Regards
Rmkml
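
The following is an added example; it is not part of rmkml's report and not Suricata code. It is a small Python re-statement of what the two rules above are expected to match, run over a constructed request/response pair modelled on the wget 404 in the report (the attached 404.pcap is not used). It assumes $HTTP_PORTS is the default 80 (the report does not show the configuration), models direction only by which side sent the packet, and ignores flow tracking, HTTP normalisation and Suricata's internal rule grouping. It shows the expected outcome that step 3b reports: sid 44333221 fires on the 404 response because the body contains no "<script", while sid 44333222 as written cannot match a normal request, since a to_server packet comes from the client's ephemeral port, not from a port in $HTTP_PORTS.

```python
"""Offline re-statement of sids 44333221 and 44333222 from the report.

Added example, not Suricata: it mirrors the rule keywords (http_stat_code,
file_data, negated content with nocase) on raw HTTP messages so the expected
alert set for the wget 404 can be checked without running an IDS.
"""
import re

# Assumption: $HTTP_PORTS is the default 80; the report does not show the config.
HTTP_PORTS = {80}

# Constructed sample exchange modelled on the report's wget request and the
# 404 it received. This is NOT the content of the attached 404.pcap.
REQUEST = (
    b"GET /xyz.php HTTP/1.0\r\n"
    b"User-Agent: Wget/1.13\r\n"
    b"Host: www.openinfosecfoundation.org\r\n"
    b"\r\n"
)
_BODY = b"<html><body><h1>Not Found</h1></body></html>\n"
RESPONSE = (
    b"HTTP/1.1 404 Not Found\r\n"
    b"Content-Type: text/html\r\n"
    b"Content-Length: " + str(len(_BODY)).encode() + b"\r\n"
    b"\r\n" + _BODY
)


def split_http(msg: bytes):
    """Return (start_line, body); the body is what the file_data buffer sees."""
    head, _, body = msg.partition(b"\r\n\r\n")
    start_line = head.split(b"\r\n", 1)[0]
    return start_line, body


def status_code(response: bytes) -> bytes:
    """The http_stat_code buffer: the second token of the status line."""
    start_line, _ = split_http(response)
    parts = start_line.split(b" ")
    return parts[1] if len(parts) > 1 else b""


def sid_44333221(src_port: int, to_client: bool, response: bytes) -> bool:
    """alert tcp any 80 -> any any (flow:to_client; content:"404"; http_stat_code;
    file_data; content:!"<script"; nocase; distance:0;)"""
    if src_port != 80 or not to_client:
        return False
    if b"404" not in status_code(response):
        return False
    _, body = split_http(response)
    # Negated content relative to the start of file_data: the rule fires only
    # when "<script" (any case) occurs nowhere in the response body.
    return re.search(rb"<script", body, re.IGNORECASE) is None


def sid_44333222(src_port: int, to_server: bool, request: bytes) -> bool:
    """alert tcp any $HTTP_PORTS -> any any (flow:to_server; file_data;
    content:"abc"; nocase; distance:0;)"""
    if src_port not in HTTP_PORTS or not to_server:
        return False
    _, body = split_http(request)
    return re.search(rb"abc", body, re.IGNORECASE) is not None


def evaluate(request: bytes, response: bytes, client_port: int, server_port: int = 80):
    """Run both rules over one request/response pair; return the SIDs expected to fire."""
    fired = set()
    # Request packets travel client -> server with the client's ephemeral source port.
    if sid_44333222(client_port, True, request):
        fired.add(44333222)
    # Response packets travel server -> client with the server's port as source.
    if sid_44333221(server_port, True, response):
        fired.add(44333221)
    return fired


if __name__ == "__main__":
    print(sorted(evaluate(REQUEST, RESPONSE, client_port=49152)))
```

This is the oracle for step 3a: with both rules loaded, the 404 response should produce exactly one alert, sid 44333221. Swapping the body's "<h1>" for "<SCRIPT>" or the status for "200 OK" makes the set empty, which is how the negated content and the http_stat_code match interact.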


Files

404.pcap (1.38 KB), added by rmkml, 04/25/2012 09:41 AM