Project

General

Profile

Actions
Copy link

Bug #505

closed

http_cookie and depth/offset question please

Added by rmkml rmkml over 12 years ago. Updated about 12 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Anoop Saldanha
Target version:
1.3.1
Affected Versions:
Effort:
Difficulty:
Label:

Description

Hi,

1)Im test this rule work correctly:
alert any any > any 80 (msg:"test1"; flow:to_server,established; content:"hear"; within:4; distance:0; http_cookie; ...
my network traffic contains:
GET ....
Cookie: hear...
> ok

2)If I change to within:3
Suricata stop with error: good!

3)ok I move to depth/offset fire:
alert any any -> any 80 (msg:"test3"; flow:to_server,established; content:"hear"; depth:4; offset:0; http_cookie; ...

4)another test fire but no error, why? : (reduced depth value)
alert any any -> any 80 (msg:"test4"; flow:to_server,established; content:"hear"; depth:3; offset:0; http_cookie; ...

Regards
Rmkml

Files

0001-invalidate-sigs-if-depth-content_length.patch (1.27 KB) 0001-invalidate-sigs-if-depth-content_length.patch Anoop Saldanha, 07/14/2012 07:06 AM
Actions
Copy link
 #2

Updated by Victor Julien about 12 years ago

  • Status changed from New to Closed
  • Target version set to 1.3.1
  • % Done changed from 0 to 100

Applied, thanks Anoop.

Actions
Copy link

Also available in: Atom PDF