Project

General

Profile

Actions

Bug #5541

closed

Unexpected behavior of `endswith` in combination with negated content matches

Added by Brandon Murphy over 2 years ago. Updated over 1 year ago.

Status:
Closed
Priority:
Normal
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

Please consider the following rule and attached pcaps.

The intention of the rule is to alert when the http.host buffer does not end with .google.com

alert http $HOME_NET any -> any any (msg:"Test"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".exe"; endswith; http.host; content:!".google.com"; endswith; sid:1;)

However, in practice the endswith; keyword (and the use of isdataat:!1,relative) seems to have no effect on the leading negated content match and appears to be is applied to the entire buffer, thus resulting in a False Negative.

If the http host of www.google.com.example.com is provided, the negation appears to take effect and no alert is triggered, despite the buffer not ending with .google.com

In the attached pcaps, I would expect the above signature to fire on host_negation_2.pcap but not host_negation_1.pcap. In practice, the alert does not fire on either of the attached pcaps and leads to a False Negative.


Files

host_negation_1.pcap (422 Bytes) host_negation_1.pcap Brandon Murphy, 09/14/2022 06:22 PM
host_negation_2.pcap (434 Bytes) host_negation_2.pcap Brandon Murphy, 09/14/2022 06:22 PM

Subtasks 1 (0 open1 closed)

Bug #6007: Unexpected behavior of `endswith` in combination with negated content matches (6.0.x backport)ClosedJeff LucovskyActions
Actions

Also available in: Atom PDF