Bug #5541
Updated by Brandon Murphy over 2 years ago
Please consider the following rule and attached pcaps. The intention of the rule is to alert when the http.host buffer does not _end with_ <code>.google.com</code> <pre> alert http $HOME_NET any -> any any (msg:"Test"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".exe"; endswith; http.host; content:!".google.com"; endswith; sid:1;) </pre> However, in practice the <code>endswith;</code> keyword (and the use of <code>isdataat:!1,relative</code>) seems to have no effect on and the leading negated content match and appears to be is applied to the entire buffer, thus resulting in a False Negative. buffer. If the http host of <code>www.google.com.example.com</code> is provided, observed, the negation appears to take effect and no alert is triggered, despite the buffer not ending with <code>.google.com</code> In the attached pcaps, I would expect the above this signature to fire on host_negation_2.pcap but not host_negation_1.pcap. In practice, the alert does not fire on either of the attached pcaps and leads to a False Negative. pcaps.