Bug #6397
closed
detect: multiple legacy buffer selection leading to multi-buffer
Description
A rule like
alert http $HOME_NET any -> $EXTERNAL_NET any \
(msg:"ET TROJAN Variant.Zusy.45802 Checkin"; flow:to_server,established; content:".php?uid="; fast_pattern:only; http_uri; content:"&affid="; http_uri; content:"Mozilla/4.0 (compatible|3b| MSIE 6.0|3b| Windows NT 5.1)"; http_user_agent; pcre:"/^$/RV"; content:!"Referer|3a 20|"; http_header; pcre:"/\.php\?uid=[-a-f0-9]+?&affid=\d+$/Ui"; classtype:trojan-activity; sid:2016816; rev:3;)
Would set up 2 "buffers": one for the initial set of contents modified to http_uri, the second for the pcre with /U.
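
For rule review, the sketch below groups the keywords of the rule above by the inspection buffer each one selects, so that legacy content modifiers and pcre flags naming the same buffer land in one group. It is an added example, not code from the ticket or from Suricata; the flag-to-buffer table covers only the three buffers this rule uses, and the function names are hypothetical.

```python
import re
from collections import OrderedDict

# Rule text copied from the ticket, with the backslash line continuation joined.
RULE = r'''alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Variant.Zusy.45802 Checkin"; flow:to_server,established; content:".php?uid="; fast_pattern:only; http_uri; content:"&affid="; http_uri; content:"Mozilla/4.0 (compatible|3b| MSIE 6.0|3b| Windows NT 5.1)"; http_user_agent; pcre:"/^$/RV"; content:!"Referer|3a 20|"; http_header; pcre:"/\.php\?uid=[-a-f0-9]+?&affid=\d+$/Ui"; classtype:trojan-activity; sid:2016816; rev:3;)'''

# Legacy content modifiers used in this rule, and the pcre flags that
# Suricata documents as selecting the same buffers (subset, not the full list).
LEGACY_MODIFIERS = {"http_uri", "http_user_agent", "http_header"}
PCRE_FLAG_BUFFER = {"U": "http_uri", "V": "http_user_agent", "H": "http_header"}

# One option: unquoted characters, escaped characters or quoted strings, then ';'.
OPTION_RE = re.compile(r'((?:[^;"\\]|\\.|"(?:[^"\\]|\\.)*")+);')


def split_options(rule):
    """Split the option body on ';' while leaving quoted strings intact."""
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    return [opt.strip() for opt in OPTION_RE.findall(body)]


def group_by_buffer(rule):
    """Map buffer name -> keywords that inspect it, in rule order."""
    buffers = OrderedDict()
    pending = None  # last content keyword still waiting for its legacy modifier
    for opt in split_options(rule):
        name, _, value = opt.partition(":")
        name, value = name.strip(), value.strip()
        if name == "content":
            pending = value
        elif name in LEGACY_MODIFIERS and pending is not None:
            # A legacy modifier applies to the content keyword before it.
            buffers.setdefault(name, []).append("content:" + pending)
            pending = None
        elif name == "pcre":
            # Flags follow the final '/' of the quoted expression.
            flags = value.strip('"').rsplit("/", 1)[1]
            for flag in flags:
                if flag in PCRE_FLAG_BUFFER:
                    buffers.setdefault(PCRE_FLAG_BUFFER[flag], []).append("pcre:" + value)
    return buffers


if __name__ == "__main__":
    for buf, keywords in group_by_buffer(RULE).items():
        print(buf, len(keywords), keywords)
```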