Documentation #5772
opendocs: A wrong rule matching example provided by the official doc
Description
Dear Team,
I think there is a wrong rule matching example in the official doc. It is in the chapter: [[https://suricata.readthedocs.io/en/latest/rules/payload-keywords.html?highlight=Suricata%E2%80%99s%20modifiers#suricata-s-modifiers]]. In the fourth image [[https://suricata.readthedocs.io/en/latest/_images/pcre6.png]] of this chapter, I find that the rule (content:"/index."; http_uri; content:"htm"; http_uri; distance:0;) can match the payload "/index.abc.htm" after verification. But the example in the doc shows that it cannot match.
My Suricata rule for verification is: alert http any any -> any any (msg:"test-distance-0"; content:"GET"; http_method; content:"/index."; http_uri; content:"htm"; http_uri; distance:0; classtype:web-application-attack; sid:457006; rev:2;)
And my payload for verification is: http://0.0.0.0/index.abc.htm
Thanks in advance for responses.
Best regards,
Can Cui
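
The behaviour reported above can be reproduced with a simplified model of relative content matching. This is an added example, not part of the original report and not Suricata's own code. It goes slightly beyond the report by also showing `within:3` for contrast, and the function names and sample URIs are constructed for illustration.

```python
# Simplified model of relative content matching on one buffer (for example the
# normalized HTTP URI). Added illustration, not Suricata's implementation.
# Each content carries at most one relative modifier: distance OR within.

def search_window(buf_len, prev_end, modifier):
    """Return (lo, hi): a match must start at >= lo and end at <= hi."""
    kind, n = modifier
    if kind is None or prev_end is None:
        return 0, buf_len                       # no relative modifier: whole buffer
    if kind == "distance":
        return prev_end + n, buf_len            # at least n bytes after previous match
    if kind == "within":
        return prev_end, min(buf_len, prev_end + n)  # inside the next n bytes
    raise ValueError(f"unsupported modifier: {kind}")

def chain_matches(buf, contents, prev_end=None):
    """contents: list of (pattern, (kind, n)). True if all match in order."""
    if not contents:
        return True
    pattern, modifier = contents[0]
    lo, hi = search_window(len(buf), prev_end, modifier)
    pos = buf.find(pattern, lo, hi)
    while pos != -1:
        # Continue the chain from this occurrence; on failure try the next one.
        if chain_matches(buf, contents[1:], pos + len(pattern)):
            return True
        pos = buf.find(pattern, pos + 1, hi)
    return False

# The two http_uri contents from the rule in the report.
RULE_DISTANCE_0 = [(b"/index.", (None, 0)), (b"htm", ("distance", 0))]
# Same contents with within:3 instead (constructed variant for contrast).
RULE_WITHIN_3 = [(b"/index.", (None, 0)), (b"htm", ("within", 3))]

# Constructed sample URIs; the first is the payload from the report.
SAMPLE_URIS = [b"/index.abc.htm", b"/index.htm", b"/htm/index.php"]

def evaluate(rule):
    """Map each sample URI to whether the content chain matches it."""
    return {uri: chain_matches(uri, rule) for uri in SAMPLE_URIS}

if __name__ == "__main__":
    for name, rule in (("distance:0", RULE_DISTANCE_0), ("within:3", RULE_WITHIN_3)):
        for uri, hit in evaluate(rule).items():
            print(f"{name:11} {uri.decode():16} {'match' if hit else 'no match'}")
```

In this model `distance:0` only requires "htm" to start somewhere after the end of "/index.", so "/index.abc.htm" matches; restricting the second content to the bytes immediately following the first takes `within:3`.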