Project

General

Profile

Actions

Bug #5176

open

False positive when negated content is far ahead of matching content.

Added by Brandon Murphy over 2 years ago. Updated over 2 years ago.

Status:
New
Priority:
Normal
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

In looking at alerts for a signature designed to detect powershell command line options returned by http servers, but not part of an HTML page, many false positives were discovered. I have been able to able to reliability reproduce the False Positive alert with the attached pcap gathered from any.run.

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"test with http buffers - SHOULD NOT ALERT"; flow:established,from_server; http.response_body; content:!"<html"; content:"-ExecutionPolicy"; nocase; sid:1;)

Files

Actions

Also available in: Atom PDF