Actions
Bug #7326
opendetect/multi-buffer/prefilter: false negative if the first packet does not have all occurences with http.request_header
Affected Versions:
Effort:
Difficulty:
Label:
Description
Found while working on #5576
Rules should match the same whatever their fast_pattern is, but
alert http any any -> any any ( sid: 2; http.stat_code; content: "200"; fast_pattern; http.response_header; content: "first";) alert http any any -> any any ( sid: 3; http.stat_code; content: "200"; http.response_header; content: "first"; fast_pattern;)
will have the first one matching and not the second one with
import socket
import time
HOST = "127.0.0.1" # Standard loopback interface address (localhost)
PORT = 8001 # Port to listen on (non-privileged ports are > 1023)
with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
s.bind((HOST, PORT))
s.listen()
conn, addr = s.accept()
with conn:
print(f"Connected by {addr}")
while True:
data = conn.recv(1024)
if not data:
break
conn.sendall(b"HTTP/1.0 200 OK\nServer: custom\n")
conn.sendall(b"Header1: first\n")
time.sleep(1)
conn.sendall(b"Content-type: text\n")
conn.sendall(b"X-first: secret\n")
conn.sendall(b"Content-Length: 14\n\n")
time.sleep(1)
conn.sendall(b"see you later!")
Actions