Bug #5541 (closed)
Unexpected behavior of `endswith` in combination with negated content matches
Description
Please consider the following rule and attached pcaps.
The intention of the rule is to alert when the http.host buffer does not end with `.google.com`.
alert http $HOME_NET any -> any any (msg:"Test"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".exe"; endswith; http.host; content:!".google.com"; endswith; sid:1;)
However, in practice the `endswith;` keyword (and the use of `isdataat:!1,relative`) seems to have no effect on the leading negated content match and appears to be applied to the entire buffer, thus resulting in a false negative.
If an HTTP host of `www.google.com.example.com` is provided, the negation appears to take effect and no alert is triggered, despite the buffer not ending with `.google.com`.
In the attached pcaps, I would expect the above signature to fire on host_negation_2.pcap but not host_negation_1.pcap. In practice, the alert does not fire on either of the attached pcaps, which leads to a false negative.
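The two readings of `content:!".google.com"; endswith;` that the report contrasts, as an added model written for this page (not Suricata code and not the reporter's): the intended reading anchors the negated match to the end of the http.host buffer, while the observed reading drops `endswith` and negates a match anywhere in the buffer. The sample hosts, method and URI below are constructed for illustration and are not claims about the contents of the attached pcaps.

```python
"""Model of two readings of a negated content match combined with endswith.

Added illustration only: this is not Suricata's engine code. Hosts in
SAMPLE_HOSTS are constructed inputs, not the attached pcaps.
"""

PATTERN = ".google.com"  # the negated content in the rule's http.host check


def host_condition_expected(host: str) -> bool:
    """Intended reading: endswith anchors the negated match, so the http.host
    condition holds whenever the buffer does NOT end with PATTERN."""
    return not host.endswith(PATTERN)


def host_condition_observed(host: str) -> bool:
    """Reading described in the report: endswith is ignored for the negated
    content, so the condition holds only when PATTERN occurs nowhere."""
    return PATTERN not in host


def rule_matches(method: str, uri: str, host: str, host_condition) -> bool:
    """Whole rule from the report: GET method, URI ending in .exe, plus the
    http.host condition supplied by the caller."""
    return method == "GET" and uri.endswith(".exe") and host_condition(host)


# Constructed sample hosts (not taken from the attached pcaps).
SAMPLE_HOSTS = [
    "www.google.com",              # ends with PATTERN: must never alert
    "www.google.com.example.com",  # contains but does not end with PATTERN
    "www.example.com",             # PATTERN absent entirely
]


def evaluate(hosts=SAMPLE_HOSTS, method="GET", uri="/update.exe"):
    """Return {host: (alert_under_expected_reading, alert_under_observed_reading)}.

    The middle sample is where the two readings diverge: the intended
    reading alerts, the observed reading does not (the false negative)."""
    return {
        h: (
            rule_matches(method, uri, h, host_condition_expected),
            rule_matches(method, uri, h, host_condition_observed),
        )
        for h in hosts
    }


def divergent_hosts(hosts=SAMPLE_HOSTS):
    """Hosts on which the two readings disagree."""
    return [h for h, (exp, obs) in evaluate(hosts).items() if exp != obs]


if __name__ == "__main__":
    for host, (expected, observed) in evaluate().items():
        print(f"{host:30} expected_alert={expected!s:5} observed_alert={observed!s:5}")
```

The middle sample host is the case the report describes: under the anchored reading the rule fires, under the whole-buffer reading it stays silent.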
Files