Bug #505

closed

http_cookie and depth/offset question please

Added by rmkml rmkml over 12 years ago. Updated about 12 years ago.

Status: Closed
Priority: Normal
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

Hi,

1) I tested this rule and it works correctly:
alert any any -> any 80 (msg:"test1"; flow:to_server,established; content:"hear"; within:4; distance:0; http_cookie; ...
my network traffic contains:
GET ....
Cookie: hear...
> ok

2) If I change to within:3
Suricata stops with an error: good!

3) OK, I move to depth/offset, and it fires:
alert any any -> any 80 (msg:"test3"; flow:to_server,established; content:"hear"; depth:4; offset:0; http_cookie; ...

4) Another test fires but with no error, why? (reduced depth value)
alert any any -> any 80 (msg:"test4"; flow:to_server,established; content:"hear"; depth:3; offset:0; http_cookie; ...

Regards
Rmkml
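
An added example, not part of the original report and not Suricata's own code: a stand-alone Python lint that flags a depth or within value smaller than the byte length of the content it modifies, which is the inconsistency between tests 2 and 4 above. It goes beyond the plain-string case in the report by also counting |hex| runs and backslash escapes; the rule strings are constructed from the report's tests, with the protocol field, sid and closing parenthesis as assumptions.

```python
import re

# Split an option block on ';' but not on an escaped '\;' inside a value.
_OPT_SPLIT = re.compile(r'(?<!\\);')

def content_length(pattern):
    """Byte length of a content pattern, counting |0d 0a| hex runs and \\x escapes."""
    length, hex_digits, in_hex, i = 0, 0, False, 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == '|':
            in_hex = not in_hex
        elif in_hex:
            hex_digits += ch in '0123456789abcdefABCDEF'
        else:
            if ch == '\\' and i + 1 < len(pattern):
                i += 1  # an escaped character is one byte
            length += 1
        i += 1
    return length + hex_digits // 2

def lint_rule(rule):
    """Return findings where depth/within is smaller than the preceding content."""
    start, end = rule.find('('), rule.rfind(')')
    if start < 0 or end < start:
        return ['no option block found']
    findings, current = [], None  # current = (pattern, byte length)
    for opt in _OPT_SPLIT.split(rule[start + 1:end]):
        key, _, value = (part.strip() for part in opt.partition(':'))
        if key == 'content':
            pat = value.lstrip('!').strip()
            if len(pat) >= 2 and pat[0] == pat[-1] == '"':
                pat = pat[1:-1]
            current = (pat, content_length(pat))
        elif key in ('depth', 'within') and current and value.isdigit():
            if int(value) < current[1]:
                findings.append(f'{key}:{value} < {current[1]}-byte content "{current[0]}"')
    return findings

# Constructed rules modelled on the four tests in the report; the protocol
# field, sid and closing parenthesis are assumptions added to complete them.
_HEAD = 'alert http any any -> any 80 (msg:"t"; flow:to_server,established; content:"hear"; '
RULES = {
    'test1': _HEAD + 'within:4; distance:0; http_cookie; sid:1;)',
    'test2': _HEAD + 'within:3; distance:0; http_cookie; sid:2;)',
    'test3': _HEAD + 'depth:4; offset:0; http_cookie; sid:3;)',
    'test4': _HEAD + 'depth:3; offset:0; http_cookie; sid:4;)',
}

if __name__ == '__main__':
    for name, rule in RULES.items():
        print(name, lint_rule(rule) or 'ok')
```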

